Wild Android Collusions

Presented at VB2016, Oct. 5, 2016, 11:30 a.m. (30 minutes).

In this paper, we describe, analyse and demonstrate how a set of *Android* apps can, when working together, break the current *Android* security model. Sadly, the *Android* OS does not have good mechanisms to prevent apps from cooperating for malicious purposes. Such a set of apps may perform actions beyond the limitations set by the OS. Colluding apps create a problem both for users' privacy and their security. Unfortunately, these capabilities can easily go unnoticed because apps are typically analysed individually.

We discovered that app collusion had actually been going on in the field for quite a long time without being detected, in a large group of applications which use the *MoPlus* SDK. This SDK has been known to be risky and potentially harmful since November 2015 - it opens a local HTTP server on the user's device which enables a C&C operator to perform operations like sending arbitrary intents, obtaining sensitive user information and silently installing apps on rooted devices. We divulge how different *MoPlus*-based apps running on the same device talk to each other to determine which one has the highest privileges (the most permissions). Only this app will run the local HTTP server and receive commands from the C&C server. This is a clear and deliberate violation of the *Android* OS rules. The *MoPlus* SDK is known to be included in more than 1,000 applications, including apps that have not been developed by *Baidu* (the original developer of the SDK).

We will explain the colluding behaviour of the *MoPlus* SDK in detail and how the versions of the SDK have evolved over time. This important discovery is the first known case of malicious app collusion in the wild. It demonstrates the significant risk of using third-party code - ad libraries and external SDKs - especially when they are closed-source or not fully trusted.

The problem is not specific to *Android*, and we will discuss avenues of introducing collusions into susceptible platforms, and talk about mitigations.

Presenters:

  • Igor Muttik - Intel Security (as Prof. Igor Muttik)
    Prof. Igor Muttik (PhD) started researching computer malware in the 1980s when the anti-virus industry was in its infancy. He is based in the UK and worked as a virus researcher for Dr. Solomon's Software. From 1998 he ran McAfee's malware research in EMEA and switched to his architectural role in 2002. He takes particular interest in applied security research and the design of new security software and hardware. Igor holds a Ph.D. degree in physics and mathematics from the Moscow University. He is a regular speaker at major international security conferences and is a co-author of three books, more than 100 publications and more than 25 patents. Igor has worked for Intel Corporation since McAfee was acquired in 2011.
  • Jorge Blasco - London City University
    Dr. Jorge Blasco obtained his Ph.D. from University Carlos III of Madrid in 2012. His dissertation focused on the field of information security and insider threats. He is an active Android and iOS app developer with several steganography-related apps available in the official markets of both operating systems. After obtaining his Ph.D., Jorge worked as an assistant lecturer at University Carlos III of Madrid. In 2014, he moved to City University London, where he now works as a research fellow on a project about application collusion. His main research interests include mobile malware, steganography and covert channels. He has published several research papers in international conferences and journals.
