In recent years, the worldwide market for handhelds has grown dramatically. For instance, in 2006 the market grew by 21% over 2005, selling 800 million mobile phones, and in 2007 an estimated 1.1 billion mobile phones were sold worldwide. Because of continued miniaturization, ubiquitous communication, and increasing computation power, mobile handheld users can now perform many online tasks, including web browsing, document editing, multimedia streaming, and Internet banking. At the same time, the growing use of mobile handhelds in everyday life and business has been attracting the attention of malware writers, whose aim is to compromise data confidentiality, integrity, and the availability of handheld services. For instance, SymbOS.Cabir (“Cabir”), the first proof-of-concept mobile worm, developed in June 2004, was written for the Symbian OS and used a novel propagation vector (e.g., Bluetooth or SMS). Although Cabir was designed solely to demonstrate the feasibility of malicious code for mobile devices, the publication of its source code triggered a worldwide outbreak of many variants, infecting Bluetooth-enabled mobile phones.
The limited battery lifetime of mobile handhelds is an Achilles' heel for the portability and ubiquitous use of mobile devices. This limitation exists not only because battery technology has not kept pace with Moore's Law, but also because mobile devices and the software running on them demand more power, for longer periods, than the battery can deliver. At the same time, while most malicious-code attacks on handhelds aim to damage software resources, e.g., by infecting files or stealing private information, intentional abuse of hardware resources (e.g., CPU, memory, and battery power) has become an important and growing threat. In particular, malware that targets the burning or depletion of battery power is extremely difficult to detect and prevent, mainly because users are usually unable to recognize this type of anomaly on their handhelds and because the battery can be deliberately and rapidly drained in a number of different ways (e.g., DoS attacks or the installation of animated GIFs). Despite these problems, only limited research has focused on detecting and preventing battery-draining attacks on handhelds, including how to cope with a wider variety of such attacks.
The technique most commonly used by antivirus and anti-spyware products for malware mitigation is signature-based analysis. Signatures are created from static information (e.g., a file name and a code value) and are therefore vulnerable to simple obfuscation, polymorphism, and packing techniques. Signature-based detection, which requires a new signature for every single malware variant, is moreover poorly suited to mobile handhelds, mainly because handhelds have far fewer resources (e.g., CPU, memory, and battery power) than their desktop counterparts. In addition, even ‘old’ malware can harm new handhelds unless their system software has been patched in a timely fashion. In practice, patching is rarely an option for handhelds, as their operating systems are usually inaccessible to anyone except the manufacturers.
Unlike signature-based detection, anomaly-based detection compares definitions of the activity considered normal, recorded in a profile, against observed events in order to identify significant deviations. The profile describes the normal behavior of, e.g., users, hosts, applications, or network connections. One common problem with anomaly-based detection, though, is that the inadvertent inclusion of malicious activity in the profile produces many false negatives, i.e., failures to identify malicious activities.
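The following worked example, added here and not part of the disclosure, illustrates both halves of the paragraph: a profile of "normal" per-application battery drain is learned from constructed readings, observations are scored as deviations from that profile, and the same energy-greedy readings are then scored again against a profile that was inadvertently learned with the malicious readings included. All sample values, the 3-sigma threshold `k`, and the function names are assumptions made for the illustration.

```python
import statistics

# Constructed training data (not measurements from the disclosure): per-interval
# battery drain in mW observed for one application while its profile was learned.
NORMAL_SAMPLES = [410, 425, 398, 440, 415, 432, 405, 420]

# Constructed drain readings of a hypothetical energy-greedy process.
GREEDY_SAMPLES = [1450, 1480, 1420, 1460]


def build_profile(samples):
    """Summarise 'normal' behaviour as the mean and population std-dev of the drain."""
    return {"mean": statistics.mean(samples), "stdev": statistics.pstdev(samples)}


def z_score(profile, observation):
    """Distance of an observation from the profile mean, in standard deviations."""
    if profile["stdev"] == 0:
        return float("inf") if observation != profile["mean"] else 0.0
    return abs(observation - profile["mean"]) / profile["stdev"]


def is_anomalous(profile, observation, k=3.0):
    """An observation more than k standard deviations from the mean counts as a
    significant deviation (k is a tunable assumption, not a value from the page)."""
    return z_score(profile, observation) > k


def classify(profile, observations, k=3.0):
    """Return the subset of observations that the profile flags as anomalous."""
    return [o for o in observations if is_anomalous(profile, o, k)]


def poisoning_demo():
    """Show the false-negative effect of a contaminated profile.

    Returns (flagged_with_clean_profile, flagged_with_poisoned_profile) for the
    same greedy readings.
    """
    clean = build_profile(NORMAL_SAMPLES)
    # Malicious readings inadvertently included while the profile was learned:
    # the mean shifts up and the spread widens, so the greedy readings now look normal.
    poisoned = build_profile(NORMAL_SAMPLES + GREEDY_SAMPLES)
    return classify(clean, GREEDY_SAMPLES), classify(poisoned, GREEDY_SAMPLES)


if __name__ == "__main__":
    clean_hits, poisoned_hits = poisoning_demo()
    print("clean profile flags:   ", clean_hits)
    print("poisoned profile flags:", poisoned_hits)
```

With the clean profile every greedy reading is tens of standard deviations out and is flagged; with the poisoned profile the spread has grown so much that the same readings fall well inside three standard deviations and none are flagged, which is exactly the false-negative failure the paragraph describes. In practice this argues for vetting the data used to build the profile before it is trusted.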
Similarly, behavioral detection is based on behavioral signatures that describe aspects of a worm's behavior, such as sending similar data from one machine to another, its propagation pattern, and the change of a server into a client, thus representing a generic worm-propagation model. Behavioral signatures that are not complex enough to reflect real-world computing activities may also cause many false positives, i.e., the incorrect identification of benign activity as malicious. Moreover, the propagation of mobile malware via non-traditional exploit vectors such as SMS and Bluetooth, in conjunction with user mobility, renders network-behavioral signatures almost ineffective.
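As an added example, not taken from the disclosure, the detector below encodes one generic behavioral signature of the kind the paragraph describes: a host that receives a payload and, shortly afterwards, forwards the same payload to several distinct hosts on the same port (a server turning into a client and sending similar data). It runs over constructed connection records; the record format, the fan-out threshold, the time window, and the addresses are all assumptions. The constructed log also contains a small benign relay pattern so that lowering the threshold shows the false-positive tension the paragraph mentions.

```python
from collections import defaultdict

# Constructed connection records (not real traffic): "timestamp,src,dst,port,payload_id".
# 10.0.0.7 receives payload p-7f3a and then pushes it to four peers on the same port.
# 10.0.0.21 relays p-1111 to only two peers, a pattern a benign update relay could show.
CONSTRUCTED_LOG = """\
100,10.0.0.1,10.0.0.7,4444,p-7f3a
130,10.0.0.7,10.0.0.8,4444,p-7f3a
131,10.0.0.7,10.0.0.9,4444,p-7f3a
132,10.0.0.7,10.0.0.10,4444,p-7f3a
140,10.0.0.7,10.0.0.11,4444,p-7f3a
200,10.0.0.20,10.0.0.21,443,p-1111
205,10.0.0.21,10.0.0.30,443,p-1111
206,10.0.0.21,10.0.0.31,443,p-1111
207,10.0.0.21,10.0.0.32,443,p-2222
300,10.0.0.40,10.0.0.41,22,p-abcd
"""


def parse_log(text):
    """Parse the constructed CSV-style records into dictionaries."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, payload = line.split(",")
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "port": int(port), "payload": payload})
    return records


def detect_propagation(records, min_fanout=3, window=600):
    """Flag hosts that receive a payload and then send that same payload to at least
    `min_fanout` distinct hosts on the same port within `window` seconds.

    Both thresholds are assumptions chosen for the illustration.
    """
    # (host, port, payload) -> timestamps at which the host received that payload
    received = defaultdict(list)
    # (host, port, payload) -> distinct destinations the host forwarded it to
    forwarded = defaultdict(set)
    alerts = {}
    for r in sorted(records, key=lambda rec: rec["ts"]):
        received[(r["dst"], r["port"], r["payload"])].append(r["ts"])
        key = (r["src"], r["port"], r["payload"])
        rx_times = received.get(key)
        # Role flip: the sender previously received this exact payload on this port.
        if rx_times and any(0 <= r["ts"] - t <= window for t in rx_times):
            forwarded[key].add(r["dst"])
            if len(forwarded[key]) >= min_fanout:
                alerts[r["src"]] = {"port": r["port"], "payload": r["payload"],
                                    "fanout": len(forwarded[key])}
    return alerts


if __name__ == "__main__":
    for host, info in detect_propagation(parse_log(CONSTRUCTED_LOG)).items():
        print(f"{host}: forwarded {info['payload']} on port {info['port']} "
              f"to {info['fanout']} hosts")
```

With the default fan-out of three only 10.0.0.7 is reported; dropping `min_fanout` to two also reports 10.0.0.21, the constructed relay-like host, which is the kind of false positive an over-simple behavioral signature produces. A signature this coarse also says nothing about propagation over SMS or Bluetooth, which never appears in network connection records at all.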
In sum, there are two main challenges in developing a malware-detection framework for handhelds. First, the framework should be able to detect diverse types of malware, in particular energy-greedy (malicious) applications and malware variants, while keeping both false negatives and false positives below an acceptable threshold. Second, unlike on resource-rich PCs, a detection framework on battery-powered handhelds must not consume too much of the device's resources, including CPU, memory, and battery power; the overhead of executing the detection framework should be kept to a minimum.
This section provides background information related to the present disclosure which is not necessarily prior art.