With a newly developed tool suite that can analyze Android apps and detect whether two or more of them can collude to acquire information they would otherwise not be able to obtain, a group of researchers has shed some light on an existing capability that could easily become a big problem in the future.
Android apps can exchange data with each other via the Inter-Component Communication (ICC) message-passing mechanism and, according to the researchers, “it has been long believed that inter-app ICCs can be abused by malware writers to launch collusion attacks using two or more apps.”
How many apps are participating in such attacks now?
The researchers used their newly minted, open source DIALDroid tool on 100,206 apps from Google Play to identify ICC-based sensitive inter-app data flows, which can lead to either:
- A data leak (receiver app exfiltrates the sensitive data obtained from its ICC communications with the sender app to an external destination) or
- A privilege escalation (receiver app attains unauthorized permissions or sensitive data thanks to ICC communications with a sender app).
They found that, while the total numbers of sensitive ICCs and app pairs are extremely high, the number of sender apps initiating these ICCs is actually rather small. For example, over a million app pairs exhibit privilege escalation behavior, but only 62 distinct apps instigated the collusion in these cases. Similarly, of the 6,783 app pairs involved in data leaks, only 21 instigated the collusion.
Occasionally the two apps are made by the same developer and other times not, but it’s difficult to determine whether the developers’ intentions were actually malicious or the flows were just the result of poor programming practices.
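As an added illustration (not DIALDroid's code or its actual algorithm), the sketch below classifies app pairs using the two definitions above and then counts pairs against distinct sender apps. The per-app summaries, package names and the intent action are constructed, and intent matching is reduced to comparing action strings.

```python
from dataclasses import dataclass, field

@dataclass
class App:
    package: str
    permissions: set
    # ICC exits: (intent action, permission guarding the data put in the extras)
    exits: list = field(default_factory=list)
    # ICC entries: (intent action handled, True if received extras reach an external sink)
    entries: list = field(default_factory=list)

def find_flows(apps):
    """Return a set of (sender, receiver, kind) for sensitive inter-app flows."""
    flows = set()
    for sender in apps:
        for action, guard in sender.exits:
            for receiver in apps:
                if receiver is sender:
                    continue
                for handled, reaches_sink in receiver.entries:
                    if handled != action:  # assumption: match on action string only
                        continue
                    if guard not in receiver.permissions:
                        # receiver obtains data it holds no permission for
                        flows.add((sender.package, receiver.package, "privilege_escalation"))
                    if reaches_sink:
                        # receiver forwards the received data to an external destination
                        flows.add((sender.package, receiver.package, "data_leak"))
    return flows

def summarize(flows):
    """Per kind: (number of app pairs, number of distinct sender apps)."""
    out = {}
    for kind in {k for _, _, k in flows}:
        pairs = {(s, r) for s, r, k in flows if k == kind}
        out[kind] = (len(pairs), len({s for s, _ in pairs}))
    return out

LOC = "android.permission.ACCESS_FINE_LOCATION"
NET = "android.permission.INTERNET"
SHARE = "com.example.action.SHARE_CONTEXT"  # constructed action name
APPS = [  # constructed sample apps, not taken from the study
    App("com.example.theme", {LOC}, exits=[(SHARE, LOC)]),
    App("com.example.weather", {LOC, NET}, entries=[(SHARE, True)]),
    App("com.example.notes", set(), entries=[(SHARE, False)]),
    App("com.example.ads", {NET}, entries=[(SHARE, True)]),
]

if __name__ == "__main__":
    print(sorted(find_flows(APPS)))
    print(summarize(find_flows(APPS)))
```

A single sender with one unprotected intent produces a flagged pair for every app that handles it, which is why pair counts can dwarf sender counts.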
Still, it is interesting to note that the greatest number of these instigating sender apps belong to the “personalization” category, i.e. are meant to personalize/customize the look of users’ Android devices.
Upcoming malware threat?
What is definitely true is that this communication capability could eventually be exploited by malware authors.
“Because of the evolving nature of attacks and defenses, this new threat is indeed conceivable,” the researchers noted. “With collusion, malware writers can develop multiple benign looking apps to evade the existing single-app screening mechanisms. These apps can complement each other’s privileges and accomplish attack goals.”
The researchers hope that app stores and markets will eventually start checking submitted apps for this attack avenue.
To help with this, they’ve open sourced their DIALDroid tool.