Mobile App Collusion Can Bypass Native Android Security

Jorge Blasco Virus Bulletin Conference

At Virus Bulletin, researchers explain how Android mobile applications can collude to share data and synchronize payload execution.

DENVER – Android’s native security mechanisms, most notably application sandboxing, secure devices against threats from one app at a time. Multiple apps, however, can collude in different ways and bypass these protections.

Researchers on Wednesday at the 26th Virus Bulletin International Conference brought this threat from the theoretical to the practical. They exposed a number of apps that use malicious versions of the MoPlus SDK to work in concert and run up premium SMS charges, steal personal data stored on mobile devices and even synchronize the execution of payloads.

In a talk called “Wild Android Collusions,” Jorge Blasco of City University of London said that mobile apps often communicate benign information, but that an attacker can flip that dynamic by using one over-permissioned app to extract data and send it to another app with Internet access, for example, which forwards it to the attacker’s server while the user remains in the dark.

“The user doesn’t know if apps will communicate, and cannot make an informed decision whether to grant access to apps,” Blasco said.

Blasco, along with City University colleague Thomas M. Chen, Igor Muttik of Intel Security and Markus Roggenbach of Swansea University, also released a paper on their research at Virus Bulletin yesterday.

The paper explains how Android, for example, allows for inter-application communication that bypasses sandbox boundaries. In Android this is done through the use of broadcast intents, which are messages that describe operations to be performed. Attackers can force apps, each with a set of varied privileges, to communicate sensitive data to other apps with Internet access.

“This collusion technique is difficult to detect, as each app will appear to most tools to be benign,” the researchers wrote, “potentially enabling attackers to penetrate more devices and for a longer time before they are caught.”

Blasco explained during his talk that colluding apps could use a number of communication channels beyond intents to work together. One of those is content providers, which store information in numerous tables and provide methods by which other apps can read, update, create and delete data. External storage is another channel in Android: all apps have access to its partitions, and apps that declare write permissions can write to and read from external storage, which could be used as a shared drop box by colluding apps, the paper says.

Shared preferences is a key channel for collusion, Blasco said. Apps store key-value pairs of data in shared preferences, specifically application configuration and preferences data. In versions of Android prior to 4.4, where SELinux was introduced into the OS, shared preferences can be used by apps to communicate.

Blasco said that the researchers used shared preferences as a starting point to find colluding apps in the wild. Using a data set of 50,000 apps provided by Intel Security, the researchers discovered apps exchanging data via shared preferences files to synchronize the execution of a payload included in the MoPlus SDK.

MoPlus was outed as a potential backdoor in November 2015, but Blasco said the collusion between apps is a recent discovery.

Blasco said that apps on a device that include the MoPlus SDK can communicate, primarily to determine which of the apps has the highest level of privileges. He showed an example of three apps where the most privileged one could open an HTTP server on the device and receive instructions and content from an attacker’s server.

“The MoPlus SDK running on different apps using shared preferences as a channel will select a leader to communicate with the command and control server,” Blasco said. “The apps are talking to each other to see which has more access and it’s that app that connects to command and control and receives commands. They can optimize an attack to use only the app with the most system access.”

Blasco said that the researchers found only these types of synchronization attacks; no information theft attacks were found in the wild.

As for countermeasures, Blasco said the industry must develop collusion detection methods, and Google must enforce restrictions on inter-app communication in Android. Developers, meanwhile, must carefully analyze third-party libraries before pulling them into mobile apps, he said.

“Different inter-app communication introduces risks,” Blasco said. “Collusion is possible because the user is not aware how apps communicate. They may be aware of permissions assigned to the apps, but not of how these apps communicate and share information.”
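A minimal sketch of the kind of collusion check the countermeasures call for, added here as an illustration and not taken from the researchers' paper or tooling: it flags sets of apps in which data guarded by a permission can flow over shared channels to an Internet-capable app that does not hold that permission itself. It goes slightly beyond the two-app case in the article by following relay apps across several hops; the app names, channel labels and the choice of "sensitive" permissions are assumptions.

```python
from collections import deque

P = "android.permission."
SENSITIVE = {P + "READ_CONTACTS", P + "READ_SMS", P + "ACCESS_FINE_LOCATION"}
INTERNET = P + "INTERNET"

# Constructed sample: per-app facts a static analyser might extract.
# App names and channel labels are hypothetical.
APPS = {
    "notes":   {"perms": {P + "READ_CONTACTS"}, "reads": set(), "writes": {"sharedprefs:sync"}},
    "relay":   {"perms": set(), "reads": {"sharedprefs:sync"}, "writes": {"intent:PUSH"}},
    "weather": {"perms": {INTERNET}, "reads": {"intent:PUSH", "intent:TILE"}, "writes": set()},
    "maps":    {"perms": {INTERNET, P + "ACCESS_FINE_LOCATION"}, "reads": set(), "writes": {"intent:TILE"}},
}

def channel_edges(apps):
    """Map each app to [(reader, channel)] for channels it writes and another app reads."""
    edges = {name: [] for name in apps}
    for w, wa in apps.items():
        for r, ra in apps.items():
            if w != r:
                edges[w] += [(r, ch) for ch in sorted(wa["writes"] & ra["reads"])]
    return edges

def find_collusion_candidates(apps):
    """Return (source, sink, perms, path): protected data can reach an
    Internet-capable app that does not hold the guarding permission itself."""
    edges, findings = channel_edges(apps), []
    for src, info in apps.items():
        held = info["perms"] & SENSITIVE
        if not held or INTERNET in info["perms"]:
            continue  # nothing sensitive, or the app could exfiltrate on its own
        queue, seen = deque([(src, [src])]), {src}
        while queue:  # breadth-first search, so relay apps in between are followed
            app, path = queue.popleft()
            for nxt, ch in edges[app]:
                if nxt in seen:
                    continue
                seen.add(nxt)
                hop = path + [ch, nxt]
                gained = held - apps[nxt]["perms"]
                if INTERNET in apps[nxt]["perms"] and gained:
                    findings.append((src, nxt, sorted(gained), hop))
                queue.append((nxt, hop))
    return findings

if __name__ == "__main__":
    for src, sink, perms, path in find_collusion_candidates(APPS):
        print(f"{src} -> {sink} can leak {perms} via {' -> '.join(path)}")
```

A hit is a candidate for manual review, not proof of collusion: benign apps also share channels, which is why each app on its own looks clean to single-app scanners.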
