Mobile Threat Defense (MTD) platform for continuous, automated and multidimensional device security threat level assessment (SKAM)

Mobile devices are becoming increasingly important in user authentication (digital identity, banking operations), so it is more necessary than ever to take care of the security of users’ mobile devices. Meanwhile, it is under significant threat.

In 2021 only, more than 2 million samples of malware applications for Android devices were identified. As a result, about 23% of Android devices had to deal with malicious apps. Unfortunately, those malicious apps, including the most dangerous ones, are available in the official Google Play app store.

Our project was created to protect mobile device users. The goal of the project was to be able to detect malicious behavior of new apps or new versions of known apps before they are added to malware databases.

We used machine learning methods to model the characteristics of malicious applications, allowing us to detect the malicious nature of an application before it is included in malware databases. The high quality of the models is related to the high quality of the data, which is why we integrated data from multiple sources into the project, including creating a lab to monitor new versions of popular applications. Since the characteristics of malicious applications are subject to high dynamics, data from these sources is taken on a continuous basis. In order to take into account the emergence of new threats, we designed and implemented an automatic process for continuous model refreshing, with particular emphasis on automatic validation of built models. We paid special attention to preserving the privacy of user data and the speed of informing the user about the threat. We achieved both of these features with a lightweight model, which allows apps to be evaluated directly on the user’s device. As a result, information about installed applications does not get outside of their device, while information about the installation of a potential malicious application is available a few seconds after installation.

The results of the SKAM project will be implemented in the BotSense Mobile product that has been offered since 2018. As a result, the product\’s customers will receive, in addition to signature-based detection of malicious apps, also non-signature detection based on the methods and tools developed within the SKAM project. This will allow detection of threats that are new and derived from previously known threats.

Currently, BotSense Mobile protects about 9 million users of mobile applications of government and financial institutions. We hope that with the new protection methods this number will increase, and NASK will have a comprehensive solution for securing mobile devices.

Andrzej Sikora, the project’s PI, about the project:

In recent years, we have seen the role of mobile devices steadily increase. Unfortunately, as the availability of a variety of services on mobile platforms increases, so do the number of cyber attacks directed against their users and providers. It is key to be able to quickly detect and counter new methods of attacks, which has now become possible thanks to artificial intelligence methods.