space in the memory.
The beauty of the concept is that it uses physics instead of heuristics to detect malware, says Grandcolas, who is FatSkunk’s CEO. Even malware designed to hide—like the Android Trojan analyzed by Kaspersky Labs—would not be able to evade the routine scan, he says.
Another advantage to FatSkunk’s approach is that the scans are done externally. A remote server (operated by a bank or e-commerce provider) sends the instruction set to the mobile device at the outset of a pending financial transaction. This enables different financial institutions to set their own rules for cancelling or proceeding with the transaction, Grandcolas says.
“We have a ‘proof of concept’ running on a particular Samsung phone,” says Jakobsson, who is now working in San Jose, CA, as PayPal’s principal scientist for consumer security until FatSkunk raises more capital. Meanwhile, Grandcolas is overseeing FatSkunk’s operations in San Diego. While the startup still operates virtually, with fewer than four employees, FatSkunk officially moved into the EvoNexus incubator in downtown San Diego at the end of 2012, after receiving $250,000 in seed financing from Qualcomm Labs last October.
“This little piece of software is not something you download from an app store,” Grandcolas says. “It needs to be embedded, and the engineers we need to work with who know that stuff are down here at Qualcomm and ViaSat.”
In a recent phone interview, Jakobsson says he began to realize about a decade ago that the next big problem in computer security would be a flood of malware that was being engineered “to hide and to steal.” At the time, he was working as a principal research scientist at RSA Labs in Cambridge, MA, and says “the greatest struggle was that people in the field didn’t understand the magnitude of the threat.”
Amid front-page reports of intense cyber attacks on American corporations and government agencies from military bases in China, it’s clear that’s not the case any more. Still, the global market for mobile device security has yet to materialize. It remains very fragmented between software vendors, platform vendors, hardware vendors, and carriers, according to Mario de Boer of Gartner’s Security and Risk Management Strategies group.
“Although the risk of mobile device malware for most organizations is still low, malware is expected to grow as a threat,” de Boer writes in a recent e-mail. “Most market activity can be found around vendors that focus on managing the security of mobile devices (mobile device management), and managing the security of business applications on mobile devices (mobile application management and application shielding)… The large diversity of mobile platforms that mobile security solutions must support—both hardware and software—is a great challenge for building very secure—such as hardware-based—solutions for mobile devices.”
FatSkunk is just beginning to address that issue now.
Jakobsson says the next step is to extend the technology to a large number of mobile platforms besides the Samsung phone. Meanwhile, Grandcolas says he is currently raising a Series A round that is being led by ViaSat (NASDAQ: [[ticker:VSAT]]), the satellite-based communications company based in Carlsbad, CA. He expects FatSkunk’s cyber security technology will be commercially available by the end of September.
With apprehensions rising over orchestrated cyber attacks from China, Russia, and other regions, Grandcolas says, “We expect to see the entire [U.S.] financial industry held to a higher level of security, and we expect to help them do that. We honestly believe that we can put most of the malware authors on the planet out of business.”
