Office of Technology Transfer – University of Michigan

Method of Modeling the Program Behavior for Behavioral Detection of Malicious Programs on Mobile Handsets

Technology #3860

Questions about this technology? Ask a Technology Manager

Download Printable PDF

Kang G. Shin
Managed By
Drew Bennett
Associate Director - Software Licensing 734-615-4004
Patent Protection
US Patent Pending


The rapidly growing capability and world-wide proliferation of smart phones and mobile handhelds have begun to attract the attention of virus writers in recent years. The past three years alone have witnessed an exponential rise in the number of distinct mobile malware families to over 30, and their variants to more than 170. These malware can spread via Bluetooth and SMS/MMS messages, enable remote control of a device, modify critical system files, damage existing applications including anti-virus programs, block MMC memory cards, to name a few. Current generation anti-mobile solutions are primitive when compared to their desktop counterparts, and may not be scalable given the small footprint of mobile devices as new families of cross-platform malware continue to appear.


Researchers at the University of Michigan have invented a novel behavioral detection system for mobile handsets (e.g., PDAs, smart-phones, Internet-capable cell phones, and so on) to capture mobile worms, viruses and Trojans, instead of signature-based solutions currently available for mobile devices and PCs. The invention generates a database of (both normal and malicious) behavior signatures from chosen handset application as well as over 25 distinct families of mobile viruses and worms targeting the Symbian OS, including their 140 variants, reported to date. A graphical representation of (either malicious or normal) behavior signatures from the system calls and events is collected and transformed into a binary format that is understood by handset CUs. This binary database then determines if the run-time behavior of programs currently running on the handset is malicious.

Applications and Advantages


  • Detection of mobile malware


  • Compact database can readily be placed in handset
  • Describes behavior for an entire family of malware including variants
  • Eliminates frequent updating of database