Malware infection of computers and computer systems is a growing problem. There have been many high-profile examples where computer malware has spread rapidly around the world, causing many millions of pounds' worth of damage in terms of lost data and lost working time.
Malware is often spread using a computer virus. Early viruses were spread by the copying of infected electronic files onto floppy disks, and the transfer of the electronic file from the disk onto a previously uninfected computer. When the user tries to open the infected electronic file, the malware is triggered and the computer infected. More recently, viruses have been spread via the Internet, for example using e-mail. It is also known for viruses to be spread by the wireless transmission of data, for example by communications between mobile communication devices using a cellular telephone network.
Various anti-virus applications are available on the market today. These tend to work by maintaining a database of signatures or fingerprints for known viruses and malware. With a “real time” scanning application, when a user tries to perform an operation on a file, e.g. open, save, or copy, the request is redirected to the anti-virus application. If the application has no existing record of the electronic file, the electronic file is scanned for known virus or malware signatures. If a virus or malware is identified in a file, the anti-virus application reports this to the user, for example by displaying a message in a pop-up window. The anti-virus application may then add the identity of the infected file to a register of infected files.
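By way of illustration, the real-time scanning flow described above can be sketched as follows. This is an added example and not code from the original document; the class name, signature names and byte patterns are constructed. Keying the record on a SHA-256 hash of the file content, and discarding records when the signature database is updated, are assumptions of the sketch.

```python
import hashlib

# Constructed byte patterns for illustration only; not real malware signatures.
SIGNATURES = {
    "Demo.Sig.A": b"CONSTRUCTED-SIGNATURE-A",
    "Demo.Sig.B": bytes.fromhex("deadbeef0badf00d"),
}

class OnAccessScanner:
    def __init__(self, signatures):
        self.signatures = dict(signatures)
        self.records = {}   # content SHA-256 -> verdict (None means clean)
        self.infected = {}  # register of infected files: path -> signature name
        self.scans = 0      # number of full signature scans performed

    def _scan(self, data):
        """Search the file content for every known signature."""
        self.scans += 1
        for name, pattern in self.signatures.items():
            if pattern in data:
                return name
        return None

    def on_file_operation(self, operation, path, data):
        """Handle a redirected open/save/copy; return the matching signature name or None."""
        digest = hashlib.sha256(data).hexdigest()
        if digest not in self.records:  # no existing record: scan now
            self.records[digest] = self._scan(data)
        verdict = self.records[digest]
        if verdict is not None:
            self.infected[path] = verdict  # add to the register of infected files
            print(f"[ALERT] {operation} of {path}: matches {verdict}")  # report to user
        return verdict

    def update_signatures(self, new_signatures):
        """Add signatures and drop cached verdicts, since a 'clean' record may now be stale."""
        self.signatures.update(new_signatures)
        self.records.clear()

if __name__ == "__main__":
    scanner = OnAccessScanner(SIGNATURES)
    clean = b"quarterly report"  # constructed sample content
    bad = b"\x00\x01" + SIGNATURES["Demo.Sig.A"] + b"\xff"
    scanner.on_file_operation("open", "report.doc", clean)   # scanned
    scanner.on_file_operation("copy", "report.doc", clean)   # record exists, no rescan
    scanner.on_file_operation("open", "setup.exe", bad)      # alert and registered
    print("scans:", scanner.scans, "infected:", scanner.infected)
```

Because the record is keyed on content, a file that is modified after being recorded as clean is scanned again on its next access.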
In recent years, so called “application stores” have proved to be very popular with mobile users. Apple® App Store and Android® Market are two examples of application stores. An application store is an online service that allows a user to browse and download software applications from a remote server to their device.
Applications are frequently free or very low cost, and a successful application can be downloaded to millions of devices. Other application stores include SOFTONIC, FILEHIPPO, and CNET.
While the same software application may be available from another source, the convenience of an application store means that the great majority of downloads of a software application are made using an app store.
Infection with malware can occur via a variety of routes, including computer viruses and email. Infection can also occur via the direct downloading of unsafe files by a user. The likelihood of such direct downloads is increased by the fact that popular files and software are often mimicked by malware and other potentially unwanted software in order to deceive the user into installing them.
A simple way of tricking users into installing malware is to provide the malware in the form of an application that appears to perform a desirable function for the user. This type of malware is known as a Trojan horse, or Trojan. While the Trojan horse appears to perform a desirable function for the user, it contains malicious code. The malicious code may be executed in addition to performing the desirable function, so the user is not aware that his computer device is running a Trojan horse. A Trojan horse may be used, for example, to display unwanted advertisements or allow a malicious third party to access the computer device and perform unwanted operations such as contacting premium rate numbers, stealing data, installing unwanted software, modifying or removing existing files and so on. Other methods of deception include exploiting obvious typographical errors in filenames to divert a user to a covert malware file, accessing internet content without any intervention from the browser or user, and obtaining a file with a similar filename, similar details or even a certificate similar to that of a popular file.
Application stores that host and facilitate the downloading of popular software may therefore be targeted by the creators of malware, and thus may host a mixture of safe, suspicious and malicious content. The reputation systems employed by these sites must attempt to determine the safety, or lack thereof, of every application hosted on the site, and the time between the upload of a malicious application and its detection may be long enough for the malware to be downloaded by a user. The crawler and analysis methods used by these sites to identify malware can be time-consuming and resource-intensive and, as described above, may ultimately be ineffective in their goal of preventing the downloading of malware by users.