The dynamics of mobile app collusion and malicious activities

Mobile app collusion happens when cybercriminals manipulate two or more apps to orchestrate attacks on smartphone owners. McAfee Labs has observed such behavior across more than 5,000 versions of 21 apps designed to provide useful user services such as mobile video streaming, health monitoring, and travel planning.

The basics of colluding apps

Unfortunately, the failure of users to regularly implement essential software updates to these 21 mobile apps has raised the possibility that generations of out-of-date apps could be commandeered to perform malicious activity.

Widely considered a theoretical threat for many years, colluding mobile apps carry out harmful activity together by leveraging interapp communication capabilities common to mobile operating systems.

These operating systems incorporate many techniques to isolate apps in sandboxes, restrict their capabilities, and control which permissions they have at a fairly granular level. Unfortunately, mobile platforms also include fully documented ways for apps to communicate with each other across sandbox boundaries. Working together, colluding apps can leverage these interapp communication capabilities for malicious purposes.

Three types of threats that can result from mobile app collusion

Information theft: An app with access to sensitive or confidential information willingly or unwillingly collaborates with one or more other apps to send information outside the boundaries of the device

Financial theft: An app sends information to another app that can execute financial transactions or make financial API calls to achieve similar objectives

Service misuse: One app controls a system service and receives information or commands from one or more other apps to orchestrate a variety of malicious activities.

The search for colluding apps begins with those that can communicate with each other

Mobile app collusion requires at least one app with permission to access the restricted information or service, one app without that permission but with access outside the device, and the capability to communicate with each other. Either app could be collaborating on purpose or unintentionally due to accidental data leakage or inclusion of a malicious library or software development kit. Such apps may use a shared space (files readable by all) to exchange information about granted privileges and to determine which one is optimally positioned to serve as an entry point for remote commands.

“Improved detection drives greater efforts at deception,” said Vincent Weafer, VP of Intel Security’s McAfee Labs group. “It should not come as a surprise that adversaries have responded to mobile security efforts with new threats that attempt to hide in plain sight. Our goal is to make it increasingly harder for malicious apps to gain a foothold on our personal devices, developing smarter tools and techniques to detect colluding mobile apps.”