Method and electronic device for preventing activity of malicious application on basis of malicious application determination information obtained using artificial intelligence

WO2026151327A1PCT designated stage Publication Date: 2026-07-16INFINIGRU CORP

Patent Information

Authority / Receiving Office
WO · WO
Patent Type
Applications
Current Assignee / Owner
INFINIGRU CORP
Filing Date
2026-01-13
Publication Date
2026-07-16

AI Technical Summary

Technical Problem

Existing financial applications struggle to detect malicious apps such as voice phishing, smishing, and malware when they are not running, preventing timely alerts and security measures.

Method used

An in-app security application embedded in a mother app uses an AI model to continuously monitor and detect malicious apps, transmitting notifications through an in-app server and mother app server even when the mother app is deactivated, utilizing a scheduler and communication protocols to provide real-time alerts.

Benefits of technology

Ensures continuous detection and notification of malicious apps, safeguarding users from voice phishing and other threats without requiring the mother app to be active, enhancing security and user protection.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure KR2026000706_16072026_PF_FP_ABST
    Figure KR2026000706_16072026_PF_FP_ABST
Patent Text Reader

Abstract

Provided is a method by which an electronic device uses an artificial intelligence (AI) model for malicious application detection so as to detect a malicious application and output a notification. The method comprises the steps of: transmitting, while a host application installed on the electronic device is inactive, information about a new application for the electronic device to a server of an in-app that is embedded in the host application in a library form; receiving, from a server of the host application, voice phishing notification information generated on the basis of detection information indicating that the new application is a malicious application; and outputting the voice phishing notification information while the host application is inactive, wherein: the information about the new application includes information about the category of the new application and information about application permissions required by the new application; and the detection information is generated in the server of the in-app by using a malicious application detection AI model on the basis of the information about the new application and can be transmitted from the server of the in-app to the server of the host application.
Need to check novelty before this filing date? Find Prior Art

Description

Method and electronic device for preventing malicious app activity based on malicious app identification information using artificial intelligence

[0001] The present disclosure relates to an electronic device and method for detecting a voice phishing app (malicious app) based on an always-on detection function and transmitting a voice phishing notification to a user, in an in-app security application embedded in a mother app such as a financial application, even when the mother app is not running.

[0002] With the widespread adoption of smartphones, the use of financial applications is increasing. These financial applications are equipped in the form of in-app security applications designed to protect users' personal information and assets, providing security features such as malware detection through the in-app.

[0003] However, if the financial application acting as the mother app is not running, it is difficult to detect malicious apps such as voice phishing, smishing, malware, and hacking apps through in-app security applications. Furthermore, if the mother app is not running, it is difficult to provide voice phishing alerts to the smartphone user through the mother app even if a malicious app is detected.

[0004] Therefore, a method is needed to detect malicious apps and provide voice phishing alerts to smartphone users even when the mother app is not running.

[0005] The problem that the present disclosure aims to solve is to provide a device and method capable of detecting voice phishing, smishing, malicious app installation, app tampering, etc., and providing notifications by executing a continuous detection function using an in-app malicious app detection AI model based on a scheduler, etc., embedded in the OS of the electronic device, even if the user of the electronic device does not run a mother app such as a financial application.

[0006] The problems to be solved in this disclosure are not limited to those mentioned above, and other unmentioned technical problems will be clearly understood by those skilled in the art from the description in this specification.

[0007] According to one aspect of the present disclosure, a method may be provided in which an electronic device detects a malicious app and outputs a notification using an artificial intelligence (AI) model for detecting a malicious app. The method performed by the electronic device may include the steps of: transmitting information about a new app of the electronic device to an in-app server embedded in the mother app in the form of a library while the mother app installed on the electronic device is deactivated; receiving voice phishing notification information generated from the server of the mother app based on detection information that the new app is a malicious app; and outputting the voice phishing notification information while the mother app is deactivated. The information about the new app may include information about the category of the new app and information about the required app permissions, and the detection information may be generated using a malicious app detection AI model based on the information about the new app on the server of the in-app and transmitted from the server of the in-app to the server of the mother app.

[0008] According to one aspect of the present disclosure, an electronic device may be provided that detects a malicious app and outputs a notification using an artificial intelligence (AI) model for detecting a malicious app. The electronic device comprises a communication unit, a memory storing one or more instructions, and one or more processors that execute the one or more instructions stored in the memory. By executing the one or more instructions, the one or more processors may transmit information regarding a new app of the electronic device to an in-app server embedded in the mother app in the form of a library, while the mother app installed on the electronic device is in a deactivated state, receive voice phishing notification information generated based on detection information that the new app is a malicious app from the server of the mother app, and output the voice phishing notification information while the mother app is in a deactivated state. The information regarding the new app may include information regarding the category of the new app and information regarding app permissions required by the new app. The detection information may be generated using a malicious app detection AI model based on the information regarding the new app at the server of the in-app and transmitted from the server of the in-app to the server of the mother app.

[0009] According to one aspect of the present disclosure, a method may be provided in which a voice phishing prevention system detects a malicious app and outputs a notification using an artificial intelligence (AI) model for detecting a malicious app. The voice phishing prevention system may include an electronic device, an in-app server, and a mother app server. A voice phishing prevention system transmits information regarding a new app of the electronic device to an in-app server embedded in the mother app in the form of a library, while the mother app installed on the electronic device is deactivated; the in-app server generates detection information indicating that the new app is a malicious app using a malicious app detection AI model based on the information regarding the new app; the in-app server transmits the detection information to the mother app server; the mother app server generates voice phishing notification information based on the detection information; the mother app server transmits the generated voice phishing notification information to the electronic device; and while the mother app is deactivated, the electronic device outputs the voice phishing notification information; and the information regarding the new app may include information regarding the category of the new app and information regarding the app permissions required by the new app.

[0010] According to one aspect of the present disclosure, an electronic device may provide a computer-readable recording medium having a program recorded thereon for executing any one of the methods described above and below.

[0011] According to the disclosed embodiment, even if the mother app is not activated, malicious apps can be detected and notifications provided by utilizing artificial intelligence based on the in-app.

[0012] FIG. 1 is a drawing for explaining an electronic device that notifies of voice phishing through constant app detection according to one embodiment of the present disclosure.

[0013] FIG. 2 is a diagram illustrating an in-app server for detecting malicious apps according to one embodiment of the present disclosure.

[0014] FIG. 3 is a flowchart illustrating the operation of an electronic device according to one embodiment of the present disclosure detecting a malicious app and outputting a notification.

[0015] FIG. 4 is a signal flow diagram between an electronic device, an in-app server, and a mother app server for a method of detecting a malicious app and outputting a notification according to one embodiment of the present disclosure.

[0016] FIG. 5 is a signal flow diagram between an electronic device, an in-app server, a mother app server, and a second financial company server in a method for detecting a malicious app and outputting a notification according to one embodiment of the present disclosure.

[0017] FIG. 6 is a block diagram illustrating the configuration of an electronic device according to one embodiment of the present disclosure.

[0018] FIG. 7 is a block diagram illustrating the configuration of an in-app server according to one embodiment of the present disclosure.

[0019] Hereinafter, embodiments are described in detail with reference to the attached drawings. However, various modifications may be made to the embodiments, and thus the scope of the patent application is not limited or restricted by these embodiments. It should be understood that all modifications, equivalents, and substitutions to the embodiments are included within the scope of the rights.

[0020] Specific structural or functional descriptions of the embodiments are disclosed merely for illustrative purposes and may be implemented in various modified forms. Accordingly, the embodiments are not limited to the specific disclosed forms, and the scope of this specification includes modifications, equivalents, or substitutions that fall within the technical concept.

[0021] Terms such as "first" or "second" may be used to describe various components, but these terms should be interpreted solely for the purpose of distinguishing one component from another. For example, the first component may be named the second component, and similarly, the second component may be named the first component.

[0022] When it is stated that a component is "connected" to another component, it should be understood that it may be directly connected to or coupled with that other component, or that there may be other components in between.

[0023] The terms used in the embodiments are for illustrative purposes only and should not be interpreted as intended to be limiting. Singular expressions include plural expressions unless the context clearly indicates otherwise. In this specification, terms such as "comprising" or "having" are intended to indicate the existence of the features, numbers, steps, actions, components, parts, or combinations thereof described in the specification, and should be understood as not precluding the existence or addition of one or more other features, numbers, steps, actions, components, parts, or combinations thereof.

[0024] Unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as generally understood by those skilled in the art to which the embodiments pertain. Terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the relevant technology, and should not be interpreted in an ideal or overly formal sense unless explicitly defined in this application.

[0025] In addition, when describing with reference to the attached drawings, identical components are assigned the same reference numeral regardless of drawing symbols, and redundant descriptions thereof are omitted. In describing the embodiments, if it is determined that a detailed description of related prior art could unnecessarily obscure the essence of the embodiments, such detailed description is omitted.

[0026] The embodiments can be implemented in various forms of products such as personal computers, laptop computers, tablet computers, smartphones, televisions, smart home appliances, intelligent automobiles, kiosks, and wearable devices.

[0027] FIG. 1 is a drawing for explaining an electronic device that notifies of voice phishing through constant app detection according to one embodiment of the present disclosure.

[0028] In the present disclosure, 'voice phishing' may simply be referred to as 'phishing'. Furthermore, while the present disclosure describes 'voice phishing' as an example, it is not limited thereto and may be applied in the same or similar manner to various types of phishing (e.g., smishing, etc.) that may occur through an electronic device (100).

[0029] Referring to FIG. 1, the electronic device (100) may include a mother app (110) and an in app (120).

[0030] The electronic device (100) may refer to a client terminal used by a user. An application, which is software that performs specific tasks or provides functions, may be installed on the electronic device (100). In the present disclosure, the application may simply be referred to as an 'app'.

[0031] In one embodiment, a mother app may be installed on an electronic device (100). The mother app may refer to an application that is executed by the electronic device (100) in the present disclosure and provides a main service. In the present disclosure, the mother app (110) may include various types of financial apps, fintech apps, etc. that provide financial services such as banking, payment, investment, and account management.

[0032] In one embodiment, the mother app (110) may include an in-app (120). The in-app (120) may refer to an app embedded in the mother app (110) in the form of a library designed with functions capable of detecting phishing. The in-app (120) operates within the authority of the mother app (110). Therefore, the in-app (120) can perform its main functions only when the mother app (110) is activated. Activation of the mother app (110) may mean that the mother app (110) is running in a main process or in a background process. For example, when the mother app (110) is running, the in-app (120) can monitor for phishing and actively block the operation of an electronic device (100) that is determined to be at risk of phishing.

[0033] The in-app server (125) may refer to a server that operates services related to the in-app (120). The in-app server (125) may be in the form of a cloud server, may be in the form of an on-premise server operated by the company of the in-app server (125), or may be a combination of these.

[0034] The mother app server (115) may refer to a server of a client or affiliate of the company operating the in-app server (125) that receives phishing risk information from the in-app server (125). The mother app (110) may be an app that provides financial services of a financial company, and the mother app server (115) may be a server of the said financial company. The mother app server (115) may be a server that provides various financial services such as banking, payment, investment, and account management, and may be one or more. The mother app server (115) may refer collectively to, for example, 'financial server A' that provides 'A financial service' and 'financial server B' that provides 'B financial service'. The mother app server (115) may include a Fraud Detection System (FDS) server.

[0035] In one embodiment, the electronic device (100) can perform the detection of the malicious app through interaction with the in-app server (125) to block phishing early. Since the in-app (120) performs its main functions only when the mother app (110) is active, phishing detection operations by the in-app (120) cannot be performed when the mother app (110) is inactive (i.e., when the mother app is not running). Furthermore, it is not possible to prevent phishing that uses other transaction channels (e.g., ARS, Internet, ATM, bank counter, etc.) other than running the mother app (110) to conduct transactions when the malicious app is installed.

[0036] Accordingly, when the mother app (110) is deactivated, the electronic device (100) simply collects new app data through a constant detection operation for new apps and transmits the collected data to the in-app server (125) to detect whether the new app is a malicious app. Additionally, the electronic device (100) can receive and output voice phishing notification information generated by the mother app server (115) based on the malicious app detection results of the in-app server (125). Since the voice phishing notification information transmitted from the mother app server (115) can be received using various communication media, the user can check the voice phishing notification through the electronic device (100) even when the mother app (110) is deactivated.

[0037] In the following, the specific operations of the electronic device (100), the mother app server (115), and the in app server (125) will be described in more detail through the drawings and descriptions thereof.

[0038] FIG. 2 is a diagram illustrating an in-app server for detecting malicious apps according to one embodiment of the present disclosure.

[0039] In one embodiment, the in-app server (125) may include an AI model (200) for detecting malicious apps. The malicious app detection AI model (200) may include a learning unit (210) for learning malicious app data and a judgment unit (220) for determining whether a new app is a malicious app. The judgment unit (220) may be an artificial neural network model that receives information about an app and determines whether the app is a malicious app. Artificial neural network models such as DNN (deep neural network), CNN (convolutional neural network), and RNN (recurrent neural network) may be used as the artificial neural network model of the judgment unit (220), and may be a model based on a generative AI model based on LLM (large language model), GAN (generative adversarial network), VAE (variational autoencoder), etc., but is not limited thereto.

[0040] In one embodiment, the malicious app detection AI model (200) may be a model that has been pre-trained based on app attribute data for one or more apps. The app attribute data for one or more apps may include pre-built data. Additionally, the detection result from the malicious app detection AI model (200) may be used as training data as feedback data. The training unit (210) of the malicious app detection AI model (200) may receive app attribute data for one or more apps as training data and train the judgment unit (220). The app attribute data may include information regarding the app category, whether the app is a malicious app, the type of malicious app corresponding to the app, and the app permissions required by the app for each app. The app category indicates what kind of app the app is, and the app category may be divided into financial apps, game apps, productivity apps, music apps, etc. The app category may be classified into categories classified by the app market. The types of malicious apps may include voice phishing apps, backdoor apps, spyware, ransomware, etc. The app permissions required by an app refer to the authorization for the app to access the device's hardware, files, and various information in order to perform its functions, and may include authorization for functions such as the camera, address book, location, microphone, files, photos and videos, and phone.

[0041] In one embodiment, the learning unit (210) can learn app attribute data for one or more apps using a supervised learning method, thereby enabling the judgment unit (220) to determine which app category a malicious app belongs to and which app permissions it requests for each type of malicious app. Through this learning, the judgment unit (220) can determine whether an app is a malicious app based on information regarding the app's category and the app permissions it requests, and further determine what type of malicious app it is. Generally, a malicious app for a financial app may have the app's category as a financial app and may request permissions such as file access permissions, camera access permissions, and address book access permissions that are not required by financial apps for operations such as voice phishing or backdoors. Therefore, a malicious app for a financial app may request app permissions different from those of an actual financial company's financial app, and this can be used to determine whether it is a malicious app. The learning unit (210) can learn all attribute data of apps that are not malicious apps and apps that are malicious apps to distinguish these differences, and can train the judgment unit (220) to determine which apps are malicious based on the learning results.

[0042] In one embodiment, the in-app server (125) can detect whether a new app is a malicious app by using an AI model (200) for malicious app detection based on information about a new app received from an electronic device (100). The electronic device (100) can obtain information about the category of the new app and information about the app permissions required by the new app from the APK (android application package) file of the new app. The AI ​​model (220) for malicious app detection of the in-app server (125) can determine whether the new app is a malicious app and, if it is a malicious app, what type of malicious app it is, based on information about the category of the new app and information about the app permissions required by the new app.

[0043] In one embodiment, if the in-app server (125) determines that a new app is a malicious app, it may generate detection information that the new app is a malicious app based on the detection result. The detection information that the new app is a malicious app may include information for identifying the new app, information on whether the new app is a malicious app, information on the type of malicious app corresponding to the new app, and information on users registered in the mother app (110).

[0044] In one embodiment, the in-app server (125) can transmit the generated detection information to the mother app server (115). By receiving the detection information from the in-app server (125), the mother app server (115) can obtain information regarding whether a new app of the electronic device (100) is a malicious app even when the mother app (110) is disabled.

[0045] FIG. 3 is a flowchart illustrating the operation of an electronic device according to one embodiment of the present disclosure detecting a malicious app and outputting a notification.

[0046] In step 310, the electronic device (100) can transmit information about a new app to the in-app (120) server while the mother app (110) is disabled.

[0047] In one embodiment, the electronic device (100) may register a new app detection task to be executed at a preset interval in the operating system scheduler of the electronic device. A new app may refer to an application newly added to the electronic device (100). The addition of a new app may refer to the new app being installed on the electronic device (100) or the installation file of the new app (e.g., an APK file, an APK file included in a zip file) being downloaded to the electronic device (100). In this case, apps downloaded from an authorized application download store (e.g., Google Play Store) may be excluded from the new app detection target. There may be one or more new apps. The new app detection task may be configured to be executed only when the mother app (110) is disabled. When the mother app (110) is enabled, an in-app (120) embedded in the mother app (110) may operate to perform a malicious app detection function for the new app.

[0048] In one embodiment, the electronic device (100) can obtain new app information by executing a new app detection task at a preset interval while the mother app (110) is disabled. In one embodiment, the preset interval may be an interval of 15 minutes or more and less than 20 minutes. However, it is not limited thereto and may be set to a time of 20 minutes or more. In one embodiment, the preset interval may be set differently depending on the time of day. For example, a first interval may be applied during the time period when the user of the electronic device (100) mainly uses the electronic device (100) (e.g., 8:00 AM to 10:00 PM), and a second interval may be applied during the remaining time periods. The first interval may be a shorter time interval than the second interval. The new app information may include meta information of the application installation file (e.g., APK file) of the new app. The meta information may include the app's identification information, components, permissions, version, build information, signature, etc., but is not limited thereto.

[0049] In one embodiment, the electronic device (100) can transmit information about the acquired new app to an in-app server (125). The information about the acquired new app can be transmitted at preset intervals and can include all information about the new app collected at each interval.

[0050] In step 320, the electronic device (100) can receive voice phishing notification information generated from the mother app server (115) based on detection information that the new app is a malicious app.

[0051] In one embodiment, the in-app server (125) can detect whether a new app is a malicious app based on information about a new app received from an electronic device (100). The in-app server (125) can detect whether a new app is a malicious app based on information about the category of the new app included in the information about the new app and app permission information required by the new app, using a malicious app detection AI model (200).

[0052] In one embodiment, the in-app server (125) may generate detection information indicating that the new app is a malicious app based on a detection result indicating that the new app is a malicious app. The detection information may include information for identifying the new app, information regarding whether the new app is a malicious app, and information regarding the type of malicious app corresponding to the new app. The types of malicious apps may include voice phishing apps, backdoor apps, spyware, ransomware, etc. Additionally, the detection information may include information regarding a user registered in the mother app (110). The information regarding the user may include user identification information (e.g., name, resident registration number, ID, etc.), user identification information regarding a communication medium (e.g., phone number, SNS ID, email address, etc.), information about the financial company to which the user is registered, etc.

[0053] In one embodiment, the in-app server (125) may transmit detection information that a new app is a malicious app to the mother app server (115). In one embodiment, to communicate with the FDS server, which is the mother app server (115), the in-app server (125) may use communication using an Open Application Programming Interface (OPEN API), communication using a Virtual Private Network (VPN), or communication using a built-in dedicated network. In one embodiment, if there are multiple mother apps (110) in which the in-app (120) is embedded, the in-app server (125) may transmit detection information that a new app is a malicious app to all of the multiple mother app servers (115). For example, if 'In-app A' and 'In-app B' provided by the in-app server (125) are respectively embedded in 'Financial App A' and 'Financial App B', then both 'Financial App A' and 'Financial App B' may be referred to as mother apps. In this case, the in-app server (125) can transmit detection information to both the server of financial app A and the server of financial app B. In another embodiment, even if there are multiple mother apps (110) in which the in-app (120) is embedded, the in-app server (125) can transmit detection information only to the server of the main mother app among the multiple mother apps. The multiple mother app servers that receive the detection information can each perform operations based on the detection information described below.

[0054] In one embodiment, the mother app server (115) may generate voice phishing notification information based on detection information received from the in-app server (125). The voice phishing notification information may be a notification for the mother app server (115) to warn a user of an electronic device (100) registered in the mother app (110) of voice phishing caused by a malicious app. The voice phishing notification information may include information about a user registered in the mother app (110), information about a malicious app, and information that financial services for said user by a financial company associated with the mother app (110) have been blocked. The information about a user registered in the mother app (110) may include information for identifying the user (e.g., name, first digits of resident registration number, mother app ID, etc.). The information about a malicious app may include information related to the malicious app included in the detection information. For example, the information about a malicious app may include information for identifying a new app, information on whether the new app is a malicious app, and information on the type of malicious app corresponding to the new app. In one embodiment, the mother app (110) may be an app that provides financial services of a first financial company, and the financial company associated with the mother app (110) may include the first financial company. Additionally, the financial company associated with the mother app (110) may include an affiliate or subsidiary that provides financial services in association with the first financial company. The first financial company or the financial company associated therewith may block financial services for a user of an electronic device (100) registered in the mother app (110) based on malicious app detection information received from the mother app server (115). Financial services for the user may include, but are not limited to, mobile banking, internet banking, ATM (automated teller machine) financial services, bank counter transaction services, etc.The information that financial services for a user included in the voice phishing notification information have been blocked may include information about financial services blocked by a financial company associated with the mother app (110) (e.g., information about blocking mobile banking, internet banking services). In one embodiment, the voice phishing notification information may further include information regarding a method to unblock financial services for a user registered in the mother app (110). For example, a mobile link, an internet link, a phone number, etc., for unblocking financial services may be included.

[0055] In one embodiment, the mother app server (115) can transmit generated voice phishing notification information to the electronic device (100). The mother app server (115) can transmit the voice phishing notification information to the electronic device (100) via at least one communication medium among text messages, SNS (social network service) messages, telephone, and email. Depending on the communication medium used for transmission, the voice phishing notification information may be delivered to the electronic device (100) in the form of text, voice, etc. For example, when the voice phishing notification information is transmitted as a text message, the voice phishing notification information may include, in the form of text, information about a user registered in the mother app (110), information about a malicious app, and information that financial services for said user at a financial company associated with the mother app (110) have been blocked. In one embodiment, when the voice phishing notification information is transmitted via telephone, the voice phishing notification information may be generated and delivered as voice.

[0056] In one embodiment, the communication medium through which voice phishing notification information is transmitted may be determined based on user identification information for at least one communication medium included in the information regarding a user registered in the mother app (110). The information regarding a user registered in the mother app (110) may include user identification information regarding the communication medium used by the user. For example, the user's phone number, SNS ID, email address, etc. may be included. The mother app server (115) may determine the communication medium to transmit voice phishing notification information based on the user identification information regarding the user's communication medium. In one embodiment, the mother app server (115) may decide to transmit voice phishing notification information through all communication media having identification information, and may determine the priority of the determined communication media and decide to sequentially transmit the voice phishing notification information to the electronic device (100) according to the priority.

[0057] In step 330, the electronic device (100) can output voice phishing notification information while the mother app (110) is deactivated. When the voice phishing notification information is received, the electronic device (100) outputs a notification that the voice phishing notification information has been received, and can output the voice phishing notification information according to the input of the user of the electronic device (100) confirming the voice phishing notification information. For example, if the electronic device (100) receives a voice phishing notification via text message, it outputs a notification that the text message has been received, and when the user opens the text message, the voice phishing notification information can be output in text form. In one embodiment, when the mother app (110) is activated, the electronic device (100) can also output the voice phishing notification information through a pop-up message of the mother app (110).

[0058] In one embodiment, the electronic device (100) may determine whether a user registered in the mother app (110) has checked the voice phishing notification information in response to a notification that voice phishing notification information has been received. For example, the electronic device (100) may determine that the user has checked the voice phishing notification information if the user performs an input to check the voice phishing notification information in response to a notification that voice phishing notification information has been received. Based on the determination that the user has not checked the voice phishing notification information, the electronic device (100) may transmit information that the user has not checked the voice phishing notification information to the mother app server (115). The information that the user has not checked the voice phishing notification information may include information about the communication medium through which the voice phishing notification information that the user has not checked was transmitted. Based on the information that the user has not checked the voice phishing notification information, the mother app server (115) may transmit the voice phishing notification information to the electronic device (100) using a second communication medium other than the first communication medium through which the user has not checked the voice phishing notification information that the user has not checked was transmitted. The electronic device (100) can output voice phishing notification information received from the mother app server (115) to a second communication medium.

[0059] In one embodiment, if the new app detected as a malicious app is not installed, the electronic device (100) can block the installation of the new app by modifying the attribute information of the APK file of the new app detected as a malicious app based on voice phishing notification information. For example, the electronic device (100) can modify the attribute information for the installation of the new app in the APK file so that installation is impossible using the APK file of the new app.

[0060] As described above, the electronic device (100) can detect whether a new app is a malicious app at all times through the in-app (120) and in-app server (125) even when the mother app (110) is deactivated, and receives voice phishing notification information including the detection results of the in-app server (125) through the mother app server (115) via various communication media, thereby detecting a malicious app regardless of the deactivation of the mother app (110) and providing a notification to the user, so as to prevent voice phishing more effectively.

[0061] FIG. 4 is a signal flow diagram between an electronic device and a mother app server according to one embodiment of the present disclosure.

[0062] FIG. 4 is a signal flow diagram corresponding to a flowchart for explaining the operation of the electronic device (100) of FIG. 3, and describes the signal flow between the electronic device (100), the in-app server (125), and the mother app server (115). Repetitive descriptions of steps in FIG. 4 that correspond to the steps of FIG. 3 are omitted.

[0063] In step 401, the electronic device (100) can obtain information about a new app while the mother app (110) is disabled.

[0064] In step 402, the electronic device (100) can transmit information about the acquired new app to the in-app server (125).

[0065] In step 403, the in-app server (125) can detect whether a new app is a malicious app based on information about the new app received from the electronic device (100). Based on the detection result that the new app is a malicious app, the in-app server (125) can generate malicious app detection information. If the in-app server (125) determines that the new app is not a malicious app, it can continue the detection operation without generating detection information.

[0066] In step 404, the in-app server (125) can transmit detection information to the mother app server (115) that the new app created in step 403 is a malicious app.

[0067] In step 405, the mother app server (115) can generate voice phishing notification information based on malicious app detection information received from the in-app server (125). The voice phishing notification information may include information about a user registered in the mother app (110), information about a malicious app, and information that financial services for said user at a financial company associated with the mother app (110) have been blocked.

[0068] In step 406, the mother app server (115) can transmit voice phishing notification information to the electronic device (100). The mother app server (115) can transmit voice phishing notification information to the electronic device (100) through at least one communication medium among text message, SNS (social network service) message, telephone, and email.

[0069] In step 407, the electronic device (100) can output voice phishing notification information received from the mother app server (115). The electronic device (100) can output voice phishing notification information when the mother app (110) is disabled, and can output information in a manner corresponding to the communication medium to which the voice phishing notification information was transmitted.

[0070] The electronic device (100), in-app server (125), and mother-app server (115) of FIG. 4 can form a voice phishing prevention system, and their operations can be seen as a series of data processing operations designed by a single entity using software as the operation of the voice phishing prevention system.

[0071] FIG. 5 is a signal flow diagram between an electronic device, an in-app server, a mother app server, and a second financial company server according to one embodiment of the present disclosure.

[0072] In one embodiment, the mother app (110) may be an app that provides financial services of a first financial company, and the mother app server (115) may be a server of the first financial company. The mother app server (115) may share malicious app detection information with the servers of the first financial company and other financial companies, and receive financial service blocking information regarding users registered in the mother app (110) from the servers of other financial companies to generate voice phishing notification information. Hereinafter, with reference to FIG. 5, the signal flow between the electronic device (100), the in-app server (125), the mother app server (115), and the second financial company server (135) will be described in detail. However, a repeated description of the steps in FIG. 5 that correspond to the steps in FIG. 3 and FIG. 4 will be omitted.

[0073] In step 501, the electronic device (100) can obtain information about a new app while the mother app (110) is disabled.

[0074] In step 502, the electronic device (100) can transmit information about the acquired new app to the in-app server (125).

[0075] In step 503, the in-app server (125) can detect whether a new app is a malicious app based on information about the new app received from the electronic device (100).

[0076] In step 504, the in-app server (125) can transmit detection information to the mother app server (115) that the new app created in step 403 is a malicious app.

[0077] In step 505, the mother app server (115) (first financial company server) can transmit malicious app detection information received from the in-app server (125) to the second financial company server (135). Here, the second financial company may be a different financial company from the first financial company. By sharing the malicious app detection information received from the in-app server (125) with the second financial company server (135), the mother app server (115) can enable the second financial company server (135) to block financial services provided by the second financial company to users registered in the mother app (110) based on the malicious app detection information. The second financial company server (135) can block financial services provided by the second financial company to the relevant users based on the information regarding users registered in the mother app (110) and the information regarding the malicious app included in the malicious app detection information. Based on malicious app detection information, the financial service blocking operation of the second financial company server (135) may be similar to that of the mother app server (115) (first financial company server). In one embodiment, the second financial company may include a plurality of financial companies.

[0078] In step 506, the second financial company server (135) can transmit information to the mother app server (115) that the financial services of the second financial company for a user registered in the mother app (110) have been blocked. The second financial company server (135) can generate information about the blocked financial services for a user registered in the mother app (110) and share this information with the mother app server (115). If there are no financial services provided by the second financial company to a user registered in the mother app (110) (i.e., the user is not registered in the second financial company), the second financial company server (135) may not generate information about the blocked financial services and may not transmit it to the mother app server (115).

[0079] In step 507, the mother app server (115) can generate voice phishing notification information based on malicious app detection information received from the in-app server (125) and financial service blocking information received from the second financial company server (135). The mother app server (115) can generate voice phishing notification information based on malicious app detection information received from the in-app server (125) and add financial service blocking information received from the second financial company server (135) to the generated voice phishing notification information. That is, the mother app server (115) can generate voice phishing notification information by additionally including information that the financial service of the second financial company for the user has been blocked, along with the financial service blocking information of the first financial company for the user registered in the mother app (110).

[0080] In step 508, the mother app server (115) can transmit the voice phishing notification information generated in step 507 to the electronic device (100).

[0081] In step 509, the electronic device (100) can output voice phishing notification information received from the mother app server (115).

[0082] According to one embodiment, by sharing malicious app detection information with the second financial company server (135) of the mother app server (115), financial services of the second financial company different from the first financial company are blocked for users registered in the mother app (110), and voice phishing notification information is generated and output through the electronic device (100), thereby effectively preventing voice phishing and providing voice phishing notifications to the user.

[0083] FIG. 6 is a block diagram illustrating the configuration of an electronic device according to one embodiment of the present disclosure.

[0084] Referring to FIG. 6, an electronic device (100) according to one embodiment may include a communication unit (610), a memory (620), and a processor (630).

[0085] The communication unit (610) can communicate with the in-app server (125) or the mother app server (115) under the control of the processor (630).

[0086] The communication unit (610) may include a communication circuit module for performing wired and wireless communication. Wired communication may include Ethernet. Wireless communication may include Wi-Fi (Wireless Fidelity), LTE (Long-Term Evolution), 5G (Fifth Generation), and satellite communication.

[0087] The communication unit (610) can transmit and receive data to and from the mother app server (115) and / or the in app server (125) for the electronic device (100) to perform the operation of detecting a malicious app and outputting a notification. For example, the communication unit (610) can transmit and receive new app information, voice phishing notification information, etc., to and from the mother app server (115) and / or the in app server (125).

[0088] Memory (620) may store instructions, data structures, and program code that can be read by the processor (630). Operations performed by the processor (630) may be implemented by executing the instructions or code of the program stored in memory (620).

[0089] The memory (620) may include a flash memory type, a hard disk type, a multimedia card micro type, a card type memory (e.g., SD or XD memory, etc.), a non-volatile memory including at least one of ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), PROM (Programmable Read-Only Memory), magnetic memory, a magnetic disk, and an optical disk, and a volatile memory such as RAM (Random Access Memory) or SRAM (Static Random Access Memory).

[0090] A memory (620) according to one embodiment may store one or more instructions, programs, or applications that cause the electronic device (100) to operate to perform a phishing prevention operation. For example, a mother app (110) including an in-app (120) may be stored in the memory (620).

[0091] The processor (630) can control the overall operations of the electronic device (100). For example, the processor (630) can control the overall operations of the electronic device (100) to detect a malicious app and output a notification by executing one or more instructions stored in memory (620). There may be one or more processors (630).

[0092] The processor (630) may include, for example, at least one of a Central Processing Unit, a microprocessor, a Graphic Processing Unit, ASICs (Application Specific Integrated Circuits), and an Application Processor, but is not limited thereto.

[0093] By executing one or more instructions stored in memory (620), the processor (630) can transmit information about a new app of the electronic device (100) to the server of an in-app (120) embedded in the mother app (110) in the form of a library through the communication unit (610) while the mother app (110) installed on the electronic device (100) is in a deactivated state. By executing one or more instructions stored in memory (620), the processor (630) can receive voice phishing notification information generated based on detection information that the new app is a malicious app from the server (115) of the mother app through the communication unit (610). By executing one or more instructions stored in memory (620), the processor (630) can output voice phishing notification information while the mother app (110) is in a deactivated state. Since the operations of the processor (630) have been described in detail in the previous drawings, a repetitive description is omitted.

[0094] FIG. 7 is a block diagram illustrating the configuration of an in-app server according to one embodiment of the present disclosure.

[0095] Referring to FIG. 7, an in-app server (125) according to one embodiment may include a communication unit (710), a memory (720), and a processor (730).

[0096] The communication unit (710) can communicate with the electronic device (100) or the mother app server (115) under the control of the processor (730).

[0097] The communication unit (710) may include a communication circuit module for performing wired and wireless communication. Wired communication may include Ethernet. Wireless communication may include Wi-Fi (Wireless Fidelity), LTE (Long-Term Evolution), 5G (Fifth Generation), and satellite communication.

[0098] The communication unit (710) can transmit and receive data to and from the electronic device (100) and / or the mother app server (115) for the in-app server (125) to perform an action to detect a malicious app and transmit the result. For example, the communication unit (610) can transmit and receive new app information, detection information, etc., to and from the electronic device (100) and / or the mother app server (115).

[0099] The memory (720) may store instructions, data structures, and program code that can be read by the processor (730). Operations performed by the processor (730) may be implemented by executing the instructions or code of the program stored in the memory (720).

[0100] The memory (720) may include a flash memory type, a hard disk type, a multimedia card micro type, a card type memory (e.g., SD or XD memory, etc.), a non-volatile memory including at least one of ROM (Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), PROM (Programmable Read-Only Memory), magnetic memory, a magnetic disk, and an optical disk, and a volatile memory such as RAM (Random Access Memory) or SRAM (Static Random Access Memory).

[0101] A memory (720) according to one embodiment may store one or more instructions, programs, or applications that enable the in-app server (125) to perform an operation to detect a malicious app and transmit a result. For example, a malicious app detection AI model (200) may be stored in the memory (720).

[0102] The processor (730) can control the overall operations of the in-app server (125). For example, the processor (730) can control the overall operations of the in-app server (125) to perform actions to detect a malicious app and transmit a result by executing one or more instructions stored in memory (720). There may be one or more processors (730).

[0103] The processor (730) may include, for example, at least one of a Central Processing Unit, a microprocessor, a Graphic Processing Unit, ASICs (Application Specific Integrated Circuits), and an Application Processor, but is not limited thereto.

[0104] The processor (730) can receive information about a new app from the electronic device (100) through the communication unit (710) by executing one or more instructions stored in memory (720), determine whether the new app is a malicious app based on the information about the new app, generate detection information that the new app is a malicious app, and transmit the detection information to the mother app server (115) through the communication unit (710). Since the operations of the processor (730) have been described in detail in the previous drawings, a repetitive description is omitted.

[0105] The embodiments described above may be implemented as hardware components, software components, and / or combinations of hardware and software components. For example, the devices, methods, and components described in the embodiments may be implemented using one or more general-purpose or special-purpose computers, such as, for example, a processor, a controller, an arithmetic logic unit (ALU), a digital signal processor, a microcomputer, a field programmable gate array (FPGA), a programmable logic unit (PLU), a microprocessor, or any other device capable of executing and responding to instructions. The processing unit may execute an operating system (OS) and one or more software applications executed on said operating system. Additionally, the processing unit may access, store, manipulate, process, and generate data in response to the execution of the software. For ease of understanding, the processing unit may be described as being used as a single unit, but those skilled in the art will understand that the processing unit may include multiple processing elements and / or multiple types of processing elements. For example, the processing unit may include multiple processors or one processor and one controller. Additionally, other processing configurations, such as parallel processors, are also possible.

[0106] The method according to the embodiment may be implemented in the form of program instructions that can be executed through various computer means and recorded on a computer-readable medium. The computer-readable medium may include program instructions, data files, data structures, etc., either alone or in combination. The program instructions recorded on the medium may be those specifically designed and configured for the embodiment, or they may be those known and available to those skilled in the art of computer software. Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks, and magnetic tapes; optical recording media such as CD-ROMs and DVDs; magneto-optical media such as floptical disks; and hardware devices specifically configured to store and execute program instructions, such as ROM, RAM, and flash memory. Examples of program instructions include machine code, such as that generated by a compiler, as well as high-level language code that can be executed by a computer using an interpreter, etc. The hardware devices described above may be configured to operate as one or more software modules to perform the operation of the embodiment, and vice versa.

[0107] Software may include computer programs, code, instructions, or a combination of one or more of these, and may configure a processing unit to operate as desired or command the processing unit independently or collectively. Software and / or data may be permanently or temporarily embodied in any type of machine, component, physical device, virtual equipment, computer storage medium or device, or transmitted signal wave so as to be interpreted by the processing unit or to provide instructions or data to the processing unit. Software may be distributed over networked computer systems and may be stored or executed in a distributed manner. Software and data may be stored on one or more computer-readable recording media.

[0108] Although the embodiments have been described above with reference to the limited drawings, those skilled in the art can apply various technical modifications and variations based on the above. For example, suitable results may be achieved even if the described techniques are performed in a different order than described, and / or if the components of the described system, structure, device, circuit, etc. are combined or assembled in a form different from described, or replaced or substituted by other components or equivalents.

[0109] Therefore, other implementations, other embodiments, and equivalents to the claims also fall within the scope of the claims set forth below.

Claims

1. A method for an electronic device to detect a malicious app and output a notification using an AI (artificial intelligence) model for detecting a malicious app, wherein A step of transmitting information about a new app of the electronic device to a server of an in-app embedded in the mother app in the form of a library, while the mother app installed on the electronic device is in a deactivated state; A step of receiving voice phishing notification information generated from the server of the mother app based on detection information that the new app is a malicious app; and The method includes the step of outputting the voice phishing notification information while the above mother app is disabled, and The information regarding the new app above includes information regarding the category of the new app and information regarding the app permissions required by the new app, and The above detection information is generated by using a malicious app detection AI model based on information about the new app on the server of the in-app, and transmitted from the server of the in-app to the server of the mother app. method.

2. In claim 1, the malicious app detection AI model is, It is a model that has been pre-trained based on app attribute data for one or more apps, and The above app attribute data includes, for each app, information regarding the category of the app, whether the app is a malicious app, the type of malicious app corresponding to the app, and the app permissions required by the app. method.

3. In Paragraph 1, The method further includes the step of obtaining information regarding the category of the new app and information regarding the app permissions required by the new app from the APK (android application package) file of the new app. method.

4. In Paragraph 1, If the above new app is not installed, the method further includes the step of blocking the installation of the above new app by modifying the attribute information of the APK file of the above new app based on the above voice phishing notification information. method.

5. In claim 1, the voice phishing notification information is, That which is received through at least one communication medium among text messages, SNS (social network service) messages, telephone, and email, method.

6. In claim 5, the above at least one communication medium is, Determined based on user identification information for at least one communication medium included in the information about the user registered in the above-mentioned mother app, method.

7. In Paragraph 5, A step of outputting a notification that the above voice phishing notification information has been received; A step of determining whether a user registered in the mother app has checked the voice phishing notification information in response to the above notification; A step of transmitting information to the server of the mother app that the user has not checked the voice phishing notification information based on a determination that the user has not checked it; A method further comprising the step of receiving voice phishing notification information from the server of the mother app using a communication medium other than the communication medium in which the voice phishing notification information was received. method.

8. In claim 1, the voice phishing notification information is, The invention includes information about a user registered in the mother app, information about the malicious app, and information that financial services for the user of a financial company associated with the mother app have been blocked. method.

9. In Paragraph 8, the financial services for the said user are, Includes at least one of mobile banking, internet banking, ATM (automated teller machine) financial services, or bank counter transaction services. method.

10. In claim 1, the detection information is, The method comprises information for identifying the new app, information on whether the new app is a malicious app, information on the type of malicious app corresponding to the new app, and information on users registered in the mother app. method.

11. In Paragraph 10, The above-mentioned mother app is an app that provides financial services of the first financial company, and The above detection information is transmitted from the server of the mother app to the server of the second financial company, method.

12. In claim 11, the voice phishing notification information is, It further includes information that the financial services of the second financial company for the user registered in the above mother app have been blocked, and The information that the financial services of the second financial company are blocked is transmitted from the server of the second financial company to the server of the mother app. method.

13. In Paragraph 1, The method further includes the step of outputting the voice phishing notification information through a pop-up message of the mother app when the mother app is activated. method.

14. In claim 1, the step of transmitting information regarding the new app to the server of the in-app is, A step of registering a new app detection task to be executed at a preset interval in the operating system scheduler of the electronic device; A step of obtaining information about a new app at the interval while the above mother app is deactivated; and A step comprising transmitting information about the newly acquired app to the server of the in-app. method.

15. An electronic device that detects a malicious app and outputs a notification using an AI (artificial intelligence) model for detecting a malicious app, Communications Department; Memory for storing one or more instructions; and It includes one or more processors that execute one or more instructions stored in the memory, and The above one or more processors, by executing the above one or more instructions, When the mother app installed on the electronic device is deactivated, information about a new app of the electronic device is transmitted to the server of an in-app embedded in the mother app in the form of a library, and Receiving voice phishing notification information generated from the server of the above mother app based on detection information that the above new app is a malicious app, and When the above mother app is disabled, the above voice phishing notification information is displayed, and The information regarding the new app above includes information regarding the category of the new app and information regarding the app permissions required by the new app, and The above detection information is generated using a malicious app detection AI model based on information regarding the category of the new app and information regarding the app permissions on the server of the in-app, and is transmitted from the server of the in-app to the server of the mother app. Electronic device.