Fatskunk Pioneers Security Innovation as Mobile Cybercrime Looms

In the “Spy vs. Spy” world of cyber security and malicious software, Mark Grandcolas says the bad guys usually have an advantage with the element of surprise.

The traditional approach of anti-virus software compares programs being downloaded against the known universe of malware, and determines if a snippet of code matches anything on the blacklist that is known to disrupt or co-opt a computerized system. “You hope that the good guys come up with the next new mutation before the bad guys do,” says Grandcolas, who compares conventional cyber security to an endless game of “Whack-a-mole.”

The approach has worked well enough in desktop computing, at least so far, but the transition to mobile computing makes the anti-virus paradigm increasingly untenable for smartphones and other mobile devices. Scanning every download for the telltale signatures of bad code would quickly drain battery power, and even schemes to use cloud computing would still require significant energy-draining resources on the device itself. Meanwhile, the number of smartphones is expected to soon surpass desktop computers—and mobile malware has begun to proliferate as cyber criminals with their own programming resources target e-commerce and financial transactions.

Last month, for example, researchers at Kaspersky Lab posted their analysis of the most sophisticated “Android Trojan” discovered so far—a multi-functional program that is both encrypted and hidden in the Android operating system. The malware was designed to send text messages to premium-rate numbers, download other malicious programs, spread itself via Bluetooth to other mobile devices, and execute remotely delivered commands.

Mark Grandcolas

A new security paradigm is needed, but Grandcolas says it wasn’t until he met the computer security expert Markus Jakobsson that a new approach began to take form.

The two met at Xerox PARC, the renowned research center in Palo Alto, CA, where Grandcolas was a director of business development and Jakobsson was a principal scientist. They founded FatSkunk in 2009 to advance technology Jakobsson had devised for mobile devices, using a technique known as software-based attestation to provide an alternative defense to malicious code. Jakobsson, a Swede, got his doctorate in computer science at UC San Diego, and specialized in computer security at Bell Labs and Lucent Technologies, RSA Labs, Xerox PARC, and PayPal.

FatSkunkFatSkunk’s technology uses a bit of embedded software (that would be installed in each mobile device during manufacturing) to clear the RAM and scan the memory in a way that requires the device to execute a precisely timed set of instructions. If the computation takes too long, the only explanation is that unauthorized malware is taking up space in the memory.

The beauty of the concept is that it uses physics instead of heuristics to detect malware, says Grandcolas, who is FatSkunk’s CEO. Even malware designed to hide—like the Android Trojan analyzed by Kaspersky Labs—would not be able to evade the routine scan, he says.

Another advantage to FatSkunk’s approach is that the scans are done externally. A remote server (operated by a bank or e-commerce provider) sends the instruction set to the mobile device at the outset of a pending financial transaction. This enables different financial institutions to set their own rules for cancelling or proceeding with the transaction, Grandcolas says.

“We have a ‘proof of concept’ running on a particular Samsung phone,” says Jakobsson, who is now working in San Jose, CA, as PayPal’s principal scientist for consumer security until FatSkunk raises more capital. Meanwhile, Grandcolas is overseeing FatSkunk’s operations in San Diego. While the startup still operates virtually, with fewer than four employees, FatSkunk officially moved into the EvoNexus incubator in downtown San Diego at the end of 2012, after receiving $250,000 in seed financing from Qualcomm Labs last October.

“This little piece of software is not something you download from an app store,” Grandcolas says. “It needs to be embedded, and the engineers we need to work with who know that stuff are down here at Qualcomm and ViaSat.”

In a recent phone interview, Jakobsson says he began to realize about a decade ago that the next big problem in computer security would be a flood of malware that was being engineered “to hide and to steal.” At the time, he was working as a principal research scientist at RSA Labs in Cambridge, MA, and says “the greatest struggle was that people in the field didn’t understand the magnitude of the threat.”

Amid front-page reports of intense cyber attacks on American corporations and government agencies from military bases in China, it’s clear that’s not the case any more. Still, the global market for mobile device security has yet to materialize. It remains very fragmented between software vendors, platform vendors, hardware vendors, and carriers, according to Mario de Boer of Gartner’s Security and Risk Management Strategies group.

“Although the risk of mobile device malware for most organizations is still low, malware is expected to grow as a threat,” de Boer writes in a recent e-mail. “Most market activity can be found around vendors that focus on managing the security of mobile devices (mobile device management), and managing the security of business applications on mobile devices (mobile application management and application shielding)… The large diversity of mobile platforms that mobile security solutions must support—both hardware and software—is a great challenge for building very secure—such as hardware-based—solutions for mobile devices.”

FatSkunk is just beginning to address that issue now.

Jakobsson says the next step is to extend the technology to a large number of mobile platforms besides the Samsung phone. Meanwhile, Grandcolas says he is currently raising a Series A round that is being led by ViaSat (NASDAQ: VSAT), the satellite-based communications company based in Carlsbad, CA. He expects FatSkunk’s cyber security technology will be commercially available by the end of September.

With apprehensions rising over orchestrated cyber attacks from China, Russia, and other regions, Grandcolas says, “We expect to see the entire [U.S.] financial industry held to a higher level of security, and we expect to help them do that. We honestly believe that we can put most of the malware authors on the planet out of business.”

Bruce V. Bigelow was the editor of Xconomy San Diego from 2008 to 2018. Read more about his life and work here. Follow @bvbigelow

Trending on Xconomy