Behavioral detection of malware on mobile handsets

Abhijit Bose, Xin Hu, Kang G. Shin, Taejoon Park
2008 Proceeding of the 6th international conference on Mobile systems, applications, and services - MobiSys '08  
A novel behavioral detection framework is proposed to detect mobile worms, viruses and Trojans, instead of the signature-based solutions currently available for use in mobile devices. First, we propose an efficient representation of malware behaviors based on a key observation that the logical ordering of an application's actions over time often reveals the malicious intent even when each action alone may appear harmless. Then, we generate a database of malicious behavior signatures by studying more than 25 distinct families of mobile viruses and worms targeting the Symbian OS (the most widely-deployed handset OS) and their variants. Next, we propose a two-stage mapping technique that constructs these signatures at run-time from the monitored system events and API calls in Symbian OS. We discriminate the malicious behavior of malware from the normal behavior of applications by training a classifier based on Support Vector Machines (SVMs). Our evaluation on both simulated and real-world malware samples indicates that behavioral detection can identify current mobile viruses and worms with more than 96% accuracy. We also find that the time and resource overheads of constructing the behavior signatures from low-level API calls are acceptably low for their deployment in mobile devices.
doi:10.1145/1378600.1378626 dblp:conf/mobisys/BoseHSP08 fatcat:n6b5xgygqval5claabarxyfnca