Different apps collaborate to carry out malicious operations

Jun 15, 2016 00:10 GMT  ·  By

Intel Security said it detected malicious code spread across thousands of Android packages that, when combined, allows crooks to coordinate and launch attacks on unsuspecting users.

The attack, named Mobile App Collusion (MAC), relies on malware developers splitting their malicious code across different applications, shared code libraries or other means.

If users install two or more of these applications on their iOS or Android device, the pieces of malicious code combine and allow crooks to run their attacks.

Because the malicious functionality is split between different apps or delivered through various methods, the automated security tests carried out by app store owners like Google or Apple won't necessarily pick up anything suspicious, because each app is tested individually.

What is a Mobile App Collusion attack?

Intel says there are three methods through which an attacker could carry out a collusion attack.

The first is to split malicious code among different apps and use the mobile OS's inter-app communication features to launch attacks.

Attackers will use this method only when they're absolutely sure they can fool users into installing two or more of their apps. Intel says that apps distributed by the same developer via co-installation programs are likely to use this tactic.

The second method focuses on shared code libraries, such as SDKs. Crooks develop these SDKs, which they then distribute among app developers. One app may use one part of the SDK, another app could use a second part, and a third app yet another part.

Crooks can hide a few malicious functions in the SDK's various packages, and once two, three or four tainted SDK functions are in use across apps installed on a mobile device, they can spring their attack and compromise the smartphone.

First and second MAC attack, visually explained

The third method relies on a malicious mobile app that exploits vulnerabilities in other apps installed on the device. This method is not pure mobile app collusion, but more of a forced collusion since there's only one malicious app in the exploitation process.

From theory to reality

Researchers have known about MAC attacks for at least a year, and some of them have banded together to form the ACiD Project, aimed at detecting mobile app collusion.

Intel's McAfee Labs says that during tests, it detected more than 5,000 installation packages representing 21 mobile apps, in which crooks used MAC attacks to escalate privileges, get around system limitations, and carry out malicious operations.

McAfee experts said that this particular group of applications leveraged many functions of Moplus, an advertising SDK from Baidu that Trend Micro had also flagged last year.

Colluding mobile apps are hard to detect automatically

"Collusions are part of a general problem of effective software isolation," Intel's Igor Muttik notes. "This problem exists in all environments that implement software sandboxing, from other mobile operating systems to virtual machines in server farms."

Because of the way both mobile operating systems, Android and iOS, have been designed, most apps explicitly or implicitly communicate, which makes analysis more difficult. In most cases, colluding apps can only be detected after manual analysis of the entire code.
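The core difficulty described above, that each app passes per-app vetting while the group does not, can be illustrated with a small cross-app check. This is an added example, not code from Intel, McAfee or the ACiD Project: it assumes a constructed inventory of installed apps with their permissions and the custom intent actions they send or receive, links apps that share an action, and flags groups whose combined permissions complete a source-to-sink pattern that no single member completes alone.

```python
from collections import defaultdict

# Constructed threat pattern: a sensitive data source plus a channel off the device.
SOURCES = {"READ_CONTACTS", "READ_SMS", "ACCESS_FINE_LOCATION"}
SINKS = {"INTERNET", "SEND_SMS"}

# Constructed inventory: name -> (permissions, custom intent actions sent, actions received).
# Neither contacts_helper nor free_wallpapers looks dangerous alone; linked through the
# shared action com.example.SYNC they form a contacts-to-network path. weather completes it alone.
INSTALLED = {
    "contacts_helper": ({"READ_CONTACTS"}, {"com.example.SYNC"}, set()),
    "free_wallpapers": ({"INTERNET"}, set(), {"com.example.SYNC"}),
    "weather": ({"INTERNET", "ACCESS_FINE_LOCATION"}, set(), set()),
}

def comm_graph(apps):
    """Undirected edges between apps where one sends an action the other receives."""
    edges = defaultdict(set)
    for a, (_, sent, _) in apps.items():
        for b, (_, _, received) in apps.items():
            if a != b and sent & received:
                edges[a].add(b)
                edges[b].add(a)
    return edges

def groups(apps, edges):
    """Connected components of the communication graph (iterative DFS)."""
    seen, out = set(), []
    for start in apps:
        if start not in seen:
            comp, stack = set(), [start]
            while stack:
                n = stack.pop()
                if n not in comp:
                    comp.add(n)
                    stack.extend(edges[n])
            seen |= comp
            out.append(comp)
    return out

def completes_pattern(perms):
    return bool(perms & SOURCES) and bool(perms & SINKS)

def find_collusion(apps):
    """Flag groups that complete source->sink jointly while no single member does."""
    flagged = []
    for comp in groups(apps, comm_graph(apps)):
        perms = [apps[n][0] for n in comp]
        joint = completes_pattern(set().union(*perms))
        if len(comp) > 1 and joint and not any(map(completes_pattern, perms)):
            flagged.append(sorted(comp))
    return flagged
```

Apps that complete the pattern on their own (weather here) are deliberately left to ordinary per-app vetting; the check only reports what that vetting misses.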

Intel says that it designed a series of tests for detecting MAC attacks, but despite its best efforts, the platform currently has a 3% false-positive rate and a 2.5% false-negative rate. Nevertheless, as more malicious apps switch to these tactics, more effort will be put into detection.

More information on the mobile app collusion attack can be found in the McAfee Labs Threats Report: June 2016, but also in research papers like Android-Collusion Conspiracy, Android Malware: they divide, we conquer, and Towards Automated Android App Collusion Detection.

Mobile apps collaborate to carry out malicious tasks