
Detecting Malicious Collusion Between Mobile Software Applications: The Android™ Case

Chapter in: Data Analytics and Decision Support for Cybersecurity

Abstract

Malware has been a major problem in desktop computing for decades. With the recent trend towards mobile computing, malware is moving rapidly to smartphone platforms. “Total mobile malware has grown 151% over the past year”, according to McAfee®’s quarterly threat report in September 2016. By design, Android™ is “open” to downloading apps from different sources. Its security depends on restricting apps by combining digital signatures, sandboxing, and permissions. Unfortunately, these restrictions can be bypassed, without the user noticing, by colluding apps whose combined permissions allow them to carry out attacks. In this chapter we report on recent and ongoing research results from our ACID project which suggest a number of reliable means to detect collusion, tackling the aforementioned problems. We present our conceptual work on the topic of collusion and discuss a number of automated tools arising from it.


Notes

  1. http://acidproject.org.uk.

  2. Concrete examples are available on request.

  3. https://github.com/acidrepo/collusion_potential_detector.

  4. This assumption might produce false positives, but never false negatives. Improving this is left as future work.

  5. http://www.r-project.org/.

  6. We plot L_τ values in Fig. 6 because the outer filter in Algorithm 1 depends on them, and to show that the majority of non-colluding app pairs can be handled using L_τ alone. Note, however, that L_c = L_τ for colluding pairs, since L_com = 1.

  7. http://www.cs.swan.ac.uk/~csmarkus/ProcessesAndData/androidsmali-semantics-k.

  8. http://www.cs.swansea.ac.uk/~csmarkus/ProcessesAndData/sites/default/files/uploads/resources/code.zip.

  9. All experiments are carried out on a MacBook Pro with an Intel i7 2.2 GHz quad-core processor and 16 GB of memory.


Acknowledgements

This work has been supported by the UK Engineering and Physical Sciences Research Council (EPSRC) grant EP/L022699/1. The authors would like to thank the anonymous reviewers for their helpful comments, and Erwin R. Catesbeiana (Jr) for pointing out the importance of intention in malware analysis.


Corresponding author: Jorge Blasco.


Copyright information

© 2017 Springer International Publishing AG

About this chapter

Cite this chapter

Asăvoae, I.M. et al. (2017). Detecting Malicious Collusion Between Mobile Software Applications: The Android™ Case. In: Palomares Carrascosa, I., Kalutarage, H., Huang, Y. (eds) Data Analytics and Decision Support for Cybersecurity. Data Analytics. Springer, Cham. https://doi.org/10.1007/978-3-319-59439-2_3


  • DOI: https://doi.org/10.1007/978-3-319-59439-2_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-59438-5

  • Online ISBN: 978-3-319-59439-2

