Published on March 14th, 2010 | by Babar Bhatti
Managing Mobile Threats in Memory
Mobile devices are increasingly subject to many of the threats that plague personal computers. Now a leading security researcher has presented a new way to detect malware on mobile devices. According to this article, the new approach can catch even unknown threats and can protect a device without draining its battery or taking up too much processing power.
Researchers have begun to identify ways to protect devices from malicious software. But traditional ways of protecting desktops against threats don’t translate well to smart phones, says Markus Jakobsson, a principal scientist at Xerox PARC and the person behind the new malware detection technology.
Most antivirus software works behind the scenes, comparing new files to an enormous library of virus signatures. Mobile devices lack the processing power to scan for large numbers of signatures, Jakobsson says. Continual scanning also drains batteries. His approach relies on having a central server monitor a device’s memory for signs that it’s been infected, rather than looking for specific software.
Devices have two types of memory: random-access memory (RAM), used by active programs, and secondary storage, which takes longer to access and generally holds data not currently in use. Jakobsson’s system would check a device by first shutting off nonvital applications, such as an e-mail app or a browser. At that point, nothing should be running except the detection software and the operating system itself. He demonstrated the software using a device running the Android mobile operating system at the RSA conference.
If malware is present and active, it will need to use some RAM to execute instructions on the device. So the central server contacts the detection software to check whether malware is using RAM by measuring how much memory is available. It does this by completely filling the remaining memory space with random data and checking the amount of data needed against a fingerprint of the memory that was created when the device was known to be malware-free.
At this point, any malware running in the open would be revealed. The malware could try to hide its presence by allowing the random data to overwrite it in RAM, Jakobsson says, but this would prevent it from taking any further action. And if it tries to hide by accessing data in the device’s secondary storage, this would slow the device’s response to the central server, revealing the presence of malware.
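To make the three outcomes above concrete, here is an added toy simulation of the server/device exchange. It is not Jakobsson's code; the RAM size, OS footprint, storage latency, class names and the "clean" fingerprint are all constructed for illustration.

```python
import hashlib
import os
import time

RAM_SIZE = 4096        # constructed toy device: 4 KiB of RAM
OS_FOOTPRINT = 1024    # bytes assumed to be held by the OS and detection code
FLASH_LATENCY = 0.1    # assumed extra seconds when code must be fetched from secondary storage


class Device:
    """Toy phone. malware_bytes > 0 means malware is resident; hides_in_storage
    means it moved itself to secondary storage to let the fill complete."""

    def __init__(self, malware_bytes=0, hides_in_storage=False):
        self.malware_bytes = malware_bytes
        self.hides_in_storage = hides_in_storage

    def free_ram(self):
        resident = 0 if self.hides_in_storage else self.malware_bytes
        return RAM_SIZE - OS_FOOTPRINT - resident

    def fill_and_report(self, seed):
        # Fill every free byte with a keystream derived from the server's seed,
        # then report how many bytes fit and a digest of what was written.
        n = self.free_ram()
        stream = hashlib.shake_256(seed).digest(n)
        if self.hides_in_storage:
            time.sleep(FLASH_LATENCY)   # paging code back in costs time
        return n, hashlib.sha256(stream).hexdigest()


class Server:
    """Central verifier holding the fingerprint taken when the device was clean."""

    def __init__(self, clean_free_bytes):
        self.clean_free = clean_free_bytes

    def attest(self, device, max_seconds=0.02):
        seed = os.urandom(16)            # fresh challenge so replies cannot be replayed
        t0 = time.perf_counter()
        n, digest = device.fill_and_report(seed)
        elapsed = time.perf_counter() - t0
        expected = hashlib.sha256(hashlib.shake_256(seed).digest(self.clean_free)).hexdigest()
        if n != self.clean_free or digest != expected:
            return "infected: RAM fingerprint mismatch"   # malware is occupying RAM
        if elapsed > max_seconds:
            return "infected: response too slow"          # malware hid in secondary storage
        return "clean"                                    # or malware let itself be overwritten
```

A device whose malware allows itself to be overwritten reports "clean", which matches the article's point that such malware can no longer act.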