The present invention relates to identifying whether an application is malicious.
Phishing attacks oftentimes are implemented by malicious parties masquerading as trustworthy entities in electronic communications. A typical way of initiating a phishing attack is to install a malicious application on a user's processing system. The malicious application may be communicated to the processing system via an instant message, e-mail, or via a malicious or infected website the user accesses. In illustration, a communication may be sent to the user, and such communication can purport to be from a popular social website, auction site, financial institution, online payment processor, IT administrator, or the like. Such communication may provide a hyperlink to a malicious URL, to which the communication directs the user, and which the user may select believing that the URL is safe.
When requested to load the URL, the web browser may allow the malicious application to be installed on the user's processing system (e.g., a mobile device), external to a web browser that handles the URL visit requests. The web browser may do so by firing an implicit Intent identified by the URL. This allows the malicious application to respond to the URL request using a graphical user interface (GUI) that is essentially identical to that of the browser. The transition between the real browser and the malicious application is smooth, and is thus likely to be missed by a benign user. For example, the malicious application can pretend to be the user's bank website. The user then may enter account details, such as a user name and password, into the malicious application, which the malicious application can retain. Malicious users then may use such details to gain access to the user's account.
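The implicit-Intent hand-off described above depends on an application declaring an intent filter that answers web-URL view requests. The following added example (not part of the original text and not the method claimed by the invention) statically lists such filters in a decoded AndroidManifest.xml and flags those whose host is not on a list of hosts the publisher is known to own; the package name, activity names, hosts and the `owned_hosts` allow-list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
REQUIRED = {"android.intent.action.VIEW", "android.intent.category.BROWSABLE"}

# Constructed sample manifest (decoded text XML); package and hosts are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".WebLookalikeActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="bank.example"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def url_handlers(manifest_xml):
    """Return (activity, scheme, host) for each filter that answers web-URL VIEW Intents."""
    found = []
    for comp in ET.fromstring(manifest_xml).iter("activity"):
        for flt in comp.findall("intent-filter"):
            names = {e.get(ANDROID + "name") for e in flt if e.tag in ("action", "category")}
            if not REQUIRED <= names:
                continue  # filter cannot be reached from a link opened in a browser
            data = flt.findall("data")
            schemes = {d.get(ANDROID + "scheme") for d in data} & {"http", "https"}
            # A filter with a web scheme but no host matches every host ("*").
            hosts = {d.get(ANDROID + "host") for d in data if d.get(ANDROID + "host")} or {"*"}
            name = comp.get(ANDROID + "name")
            found += [(name, s, h) for s in sorted(schemes) for h in sorted(hosts)]
    return found


def unexpected_handlers(manifest_xml, owned_hosts):
    """Flag URL handlers whose host is not one the app's publisher is known to own."""
    return [h for h in url_handlers(manifest_xml) if h[2] not in owned_hosts]
```

A hit from `unexpected_handlers` is a triage signal rather than a verdict, since legitimate applications also register URL handlers.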