When they download apps, smartphone users sign up for all kinds of terms and conditions they never read, often legally allowing applications to do whatever they like. Most applications behave well, but some don’t.
Why does Flashlight need to know my location? It’s just a bright screen used for finding things in the dark. If I’ve given it permission, it could be sending my global positioning system (GPS) data to a server in Uzbekistan every 10 seconds, which would give a perfect trace of my travels. Whose server is that, anyway, and why are they tracking me?
That’s bad behavior.
Well, caveat emptor on that one because I gave it permission. But what about bad actors to whom I haven’t given permission, who decide to come in and help themselves to my data anyway? The spectrum of bad characters shades from mischievous applications into true malware.
To protect against this daunting gallery of rogues, Qualcomm* has created a module that looks for bad deeds (rather than for known villains). Referencing all parts of the system, Qualcomm Snapdragon Smart Protect classifies application behavior. Using adaptive machine-learning algorithms from another Qualcomm technology, “Zeroth,” Smart Protect separates legitimate from undesirable activities, raising a flag when it finds the latter.
Zeroth’s cognitive computing platform, derived from server-based technology, has been boiled down to run advanced machine-learning algorithms on a phone. There, Zeroth serves as Smart Protect’s memory (“we’ve seen this before”) and advisor (“this looks odd”). When your phone tries to do something funny, Smart Protect responds as necessary, raising an alert and allowing the user or an application to prevent the action.
The Smart Protect announcement is just one “boom” in the rolling thunder of announcements associated with Qualcomm’s Snapdragon 820 mobile processor, which will debut on devices shipping in the first half of 2016.
Smart Protect, a set of application programming interfaces (APIs) protected in hardware, works in conjunction with anti-virus (AV) software to help keep not just malware but any app from making mobile devices do things they shouldn’t. The AV software (supplied by a third party) looks at malware signatures — known villains — but may have a difficult time flagging a bad actor it’s never seen before. Some malware is designed to morph with each installation, grabbing parameters from random places and disguising itself in a new form to outwit signature recognition. And some, as noted previously, the user invites in voluntarily or unwittingly.
So, it’s important to look at what a program does. And the context in which it acts has to be understood. For example, a messaging application wanting access to your contacts makes sense. How else can you ping your friends with no hassle? But if at some point that messaging program decides to access your contacts when the screen is off or you aren’t sending a message, then something is wrong. And even a legitimate program can be compromised.
AV software has traditionally been able to recognize known malware, but signatures can morph as virus code is modified, outwitting the recognizer. An unknown virus can evade the host’s defenses with impunity in what is called a “zero-day” attack. Defending against such attacks by viruses and malicious software is exactly the case where behavioral analysis shines. Indeed, without a behavioral component, it’s hard to stop the invasion.
Qualcomm designed Smart Protect from the outset to fit easily on a mobile device, thus allowing it to function without cloud references. And, because it runs in a separate, secure, hardware-based execution environment, Smart Protect can keep not only itself, but the entire device safe from attacks at the operating system level by monitoring application behavior from outside the application layer. This architecture is novel. Most malware protection programs operate at the application layer, a design that leaves them vulnerable to direct attack.
Smart Protect serves both to protect against application misbehavior and to preserve privacy, all while operating unobtrusively in the background. If I didn’t tell you about it, you might not even know it’s there, working on your behalf.
*My company, Endpoint, has a consulting relationship with Qualcomm.