Recent years have seen rapid gain in popularity of open-platform-based consumer equipment, such as smartphones. The open-platform environment for the current consumer equipment gives any user opportunities to develop applications, and to upload the developed applications to an application distribution site. Such applications uploaded to the application distribution site can be downloaded by unspecified users. The users install such applications to enhance the functions of their own terminals.
Moreover, the multitasking features of the terminals make it possible to simultaneously start up multiple applications. As a result, the users increasingly enjoy the benefits of the features, such as executing an application in the background and executing another application in the foreground, and cooperatively executing the applications.
Such a user terminal records personal information including an address book with e-mail addresses and phone numbers registered, password information, and photos. Consequently, more and more users are suffering when downloading the uploaded malware. Furthermore, the malware is becoming increasingly sophisticated. Some pieces of malware establish unauthorized cooperation with one another to execute unauthorized processing.
In general, most of the cooperative tasks among applications are not seen by the user. Thus, the cooperation among pieces of malware develops a potential risk of the leakage of the user's personal information to outsiders before he or she notices.
Assumed here, for example, is the case where there are three pieces of malware: malware A, malware B, and malware C, and the pieces establish an unauthorized cooperation one another. The malware A is an application to access a phone book, the malware B is a game application, and the malware C is an application to access an external communications network such as a browser.
A malware designer uploads the malware A, the malware B, and the malware C to the application distribution site as applications each of which does not execute unauthorized tasks alone, and runs normally. Then, the malware designer disguises each piece of malware as a legal application, and has a user gradually download all of the malware A, the malware B, and the malware C using various kinds of tricks.
On the other hand, the user identifies the malware A, the malware B, and the malware C as legal applications, and downloads the pieces of malware. Each of the malware A, the malware B, and the malware C does not execute unauthorized tasks as an individual application. Thus, without uninstalling the pieces of malware, the user continues using the malware pieces. Since the user terminal is also capable of multitasking, the following threat is considered: When the malware A, the malware B, and the malware C are started up on multitasking, the malware pieces run as malware for the first time, establish an unauthorized cooperation among themselves, and, through the external communications network, leak his or her personal information by unauthorized inter-process communication in the order by applications A, B, and C.
A technique disclosed in, for example, Patent Reference 1 has been proposed as a conventional countermeasure against malware. The technique disclosed in Patent Reference 1 (i) defines common behaviors among pieces of malware in a form of an unauthorized rule file, (ii) determines, without using the signature of the malware, whether or not communications by processes are established by malware, and (iii) stops the unauthorized process.
There is another technique disclosed in Patent Reference 2 as a conventional countermeasure against malware. The technique disclosed in Patent Reference 2 determines a dubious event as malware when the event satisfies a predetermined threshold, and executes control which is set as security setting in order to prevent the malware from spreading.