Detection of app collusion potential using logic programming

Jorge Blasco Alis; Thomas M. Chen; Igor Muttik; Markus Roggenbach

doi:10.1016/j.jnca.2017.12.008

Detection of app collusion potential using logic programming

Jorge Blasco Alis, Thomas M. Chen, Igor Muttik, Markus Roggenbach

Department of Information Security

Research output: Contribution to journal › Article › peer-review

59 Downloads (Pure)

Abstract

Mobile devices pose a particular security risk because they hold personal details (accounts, locations, contacts, photos) and have capabilities potentially exploitable for eavesdropping (cameras/microphone, wireless connections). The Android operating system is designed with a number of built-in security features such as application sandboxing and permission-based access control. Unfortunately, these restrictions can be bypassed, without the user noticing, by colluding apps whose combined permissions allow them to carry out attacks that neither app is able to execute by itself.

While the possibility of app collusion was first warned in 2011, it has been unclear if collusion is used by malware in the wild due to a lack of suitable detection methods and tools. This paper describes how we found the first collusion in the wild. We also present a strategy for detecting collusions and its implementation in Prolog that allowed us to make this discovery.

Our detection strategy is grounded in concise definitions of collusion and the concept of ASR (Access-Send-Receive) signatures. The methodology is supported by statistical evidence. Our approach scales and is applicable to inclusion into professional malware detection systems: we applied it to a set of more than 50,000 apps collected in the wild. Code samples of our tool as well as of the detected malware are available.

Original language	English
Pages (from-to)	88-104
Number of pages	17
Journal	Journal of Network and Computer Applications
Volume	105
Early online date	28 Dec 2017
DOIs	https://doi.org/10.1016/j.jnca.2017.12.008
Publication status	Published - 1 Mar 2018

Access to Document

10.1016/j.jnca.2017.12.008

Accepted ManuscriptAccepted author manuscript, 1.53 MBLicence: CC BY-NC-ND

Cite this

@article{0ba40ff6ec9a4eb6894295f50d43bf85,

title = "Detection of app collusion potential using logic programming",

abstract = "Mobile devices pose a particular security risk because they hold personal details (accounts, locations, contacts, photos) and have capabilities potentially exploitable for eavesdropping (cameras/microphone, wireless connections). The Android operating system is designed with a number of built-in security features such as application sandboxing and permission-based access control. Unfortunately, these restrictions can be bypassed, without the user noticing, by colluding apps whose combined permissions allow them to carry out attacks that neither app is able to execute by itself.While the possibility of app collusion was first warned in 2011, it has been unclear if collusion is used by malware in the wild due to a lack of suitable detection methods and tools. This paper describes how we found the first collusion in the wild. We also present a strategy for detecting collusions and its implementation in Prolog that allowed us to make this discovery.Our detection strategy is grounded in concise definitions of collusion and the concept of ASR (Access-Send-Receive) signatures. The methodology is supported by statistical evidence. Our approach scales and is applicable to inclusion into professional malware detection systems: we applied it to a set of more than 50,000 apps collected in the wild. Code samples of our tool as well as of the detected malware are available.",

author = "{Blasco Alis}, Jorge and Chen, {Thomas M.} and Igor Muttik and Markus Roggenbach",

year = "2018",

month = mar,

day = "1",

doi = "10.1016/j.jnca.2017.12.008",

language = "English",

volume = "105",

pages = "88--104",

journal = "Journal of Network and Computer Applications",

issn = "1084-8045",

publisher = "Academic Press Inc.",

}

TY - JOUR

T1 - Detection of app collusion potential using logic programming

AU - Blasco Alis, Jorge

AU - Chen, Thomas M.

AU - Muttik, Igor

AU - Roggenbach, Markus

PY - 2018/3/1

Y1 - 2018/3/1

N2 - Mobile devices pose a particular security risk because they hold personal details (accounts, locations, contacts, photos) and have capabilities potentially exploitable for eavesdropping (cameras/microphone, wireless connections). The Android operating system is designed with a number of built-in security features such as application sandboxing and permission-based access control. Unfortunately, these restrictions can be bypassed, without the user noticing, by colluding apps whose combined permissions allow them to carry out attacks that neither app is able to execute by itself.While the possibility of app collusion was first warned in 2011, it has been unclear if collusion is used by malware in the wild due to a lack of suitable detection methods and tools. This paper describes how we found the first collusion in the wild. We also present a strategy for detecting collusions and its implementation in Prolog that allowed us to make this discovery.Our detection strategy is grounded in concise definitions of collusion and the concept of ASR (Access-Send-Receive) signatures. The methodology is supported by statistical evidence. Our approach scales and is applicable to inclusion into professional malware detection systems: we applied it to a set of more than 50,000 apps collected in the wild. Code samples of our tool as well as of the detected malware are available.

AB - Mobile devices pose a particular security risk because they hold personal details (accounts, locations, contacts, photos) and have capabilities potentially exploitable for eavesdropping (cameras/microphone, wireless connections). The Android operating system is designed with a number of built-in security features such as application sandboxing and permission-based access control. Unfortunately, these restrictions can be bypassed, without the user noticing, by colluding apps whose combined permissions allow them to carry out attacks that neither app is able to execute by itself.While the possibility of app collusion was first warned in 2011, it has been unclear if collusion is used by malware in the wild due to a lack of suitable detection methods and tools. This paper describes how we found the first collusion in the wild. We also present a strategy for detecting collusions and its implementation in Prolog that allowed us to make this discovery.Our detection strategy is grounded in concise definitions of collusion and the concept of ASR (Access-Send-Receive) signatures. The methodology is supported by statistical evidence. Our approach scales and is applicable to inclusion into professional malware detection systems: we applied it to a set of more than 50,000 apps collected in the wild. Code samples of our tool as well as of the detected malware are available.

U2 - 10.1016/j.jnca.2017.12.008

DO - 10.1016/j.jnca.2017.12.008

M3 - Article

SN - 1084-8045

VL - 105

SP - 88

EP - 104

JO - Journal of Network and Computer Applications

JF - Journal of Network and Computer Applications

ER -