Abstract
Malware has been a major problem in desktop computing for decades. With the recent trend towards mobile computing, malware is moving rapidly to smartphone platforms. “Total mobile malware has grown 151% over the past year”, according to McAfee®’s quarterly threat report in September 2016. By design, Android™ is “open” to downloading apps from different sources. Its security depends on restricting apps by combining digital signatures, sandboxing, and permissions. Unfortunately, these restrictions can be bypassed, without the user noticing, by colluding apps whose combined permissions allow them to carry out attacks. In this chapter we report on recent and ongoing research results from our ACID project which suggest a number of reliable means to detect collusion, tackling the aforementioned problems. We present our conceptual work on the topic of collusion and discuss a number of automated tools arising from it.
Notes
- 2. Concrete examples are available on request.
- 4. This assumption might produce false positives, but never false negatives. Improving this is left as future work.
- 9. All experiments are carried out on a MacBook Pro with an Intel i7 2.2 GHz quad-core processor and 16 GB of memory.
Acknowledgements
This work has been supported by UK Engineering and Physical Sciences Research Council (EPSRC) grant EP/L022699/1. The authors would like to thank the anonymous reviewers for their helpful comments, and Erwin R. Catesbeiana (Jr) for pointing out the importance of intention in malware analysis.
Copyright information
© 2017 Springer International Publishing AG
About this chapter
Cite this chapter
Asăvoae, I.M. et al. (2017). Detecting Malicious Collusion Between Mobile Software Applications: The Android™ Case. In: Palomares Carrascosa, I., Kalutarage, H., Huang, Y. (eds) Data Analytics and Decision Support for Cybersecurity. Data Analytics. Springer, Cham. https://doi.org/10.1007/978-3-319-59439-2_3
DOI: https://doi.org/10.1007/978-3-319-59439-2_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59438-5
Online ISBN: 978-3-319-59439-2
eBook Packages: Computer Science, Computer Science (R0)