Here at Kaspersky, we’ve been using AI in our mobile security solution for some time now. At the recent Mobile World Congress in Barcelona, Viktor Chebyshev of our Global Research and Analysis Team (GReAT) talked about why — and what we’ve achieved with the technology.
A brief history of mobile malware evolution
First, a bit of background on the evolution of malicious apps for Android. The operating system appeared back in 2007, and the first Android smartphone, the HTC Dream, became available in 2008. Malware writers quickly got to know the new platform, and by 2009 the world saw the first malicious programs for Android.
True, there weren’t many at first: Back in 2009, Kaspersky was detecting about three new Android threats a month, a number Chebyshev, armed with only a simple signature-based antivirus engine, could manage on his own.
Very soon, however, the number of threats snowballed, and by 2010 our monthly detections of new Android malware had shot up to 20,000. The signature-based engine still managed, but far more time was spent on analyzing the malicious files.
As the operating system’s popularity soared, the amount of new Android malware swelled. In 2012, we were detecting an average of 467,515 samples per month, our team of mobile threat analysts had grown to four, and heuristic analysis and statistical methods supplemented the signature-based engine — but that wasn’t enough.
Fttkit provides a striking example of how mobile threats have evolved. The creators of this Trojan dropper call it an “automated service to protect Android apps,” but it actually helps fellow malware writers evade antivirus detection. It works by using obfuscation to trick security solutions and then installing other malware, usually banking Trojans. We know of more than 360,000 unique versions of Fttkit, and the figure continues to grow.
AI for mobile security
Picking through that many malware samples manually would require an ever-expanding team and, more importantly, would take a lot of time (during which users could pick up new malware).
That’s where machine-learning technologies come in: they can save significant amounts of time and resources. However, such technologies are quite resource-intensive, so doing all of the necessary work right on a user’s device can reduce performance and battery life. To minimize the impact, we use a hybrid approach, with the smartphone performing the less resource-intensive operations and then sending data to the cloud for the heavy lifting. This model ensures reliable protection and quick responses to new threats with minimal impact on smartphone performance and battery life.
Here’s what we achieved by implementing machine learning in Kaspersky Internet Security for Android:
The verdict delivered by the machine-learning technologies in our solution for Android — DangerousObject.AndroidOS.GenericML — is currently on the Top-3 list, accounting for 6.63% of all malware for this operating system detected by our products.
Most significantly, our mobile products detect around 33% of all new Android threats using AI.
This is made possible by a combination of factors. First, we have an extensive mobile threat database, which we have maintained since 2009. Second, our team of mobile threat researchers has unique expertise in the field. Third, we have a team of machine-learning experts who effectively integrate this technology into our products. All this combined helps our mobile security solutions consistently top independent tests in terms of both protection and performance.