Mobile app collusion is real and coming to a device near you.
That’s the word from McAfee Labs, which has found a “partners in crime” phenomenon wherein two or more apps can carry out harmful activity together using inter-app communications in a collaborative fashion.
Mobile operating systems incorporate many techniques to isolate apps in sandboxes, restrict their capabilities and control, at a fairly granular level, which permissions each app holds. However, operating systems also provide fully documented ways for apps to communicate with each other across sandbox boundaries, and this is not lost on malware authors.
“Looking to evade detection by mobile security tools and by malware and privacy filters employed at app markets, attackers may try to leverage multiple apps with different capabilities and permissions to achieve their goals, using an app with sensitive permissions to communicate with another app that has internet access,” explained McAfee, in its report on the subject. “This technique of app collusion is more difficult to detect, as each app will appear to most tools to be benign, enabling attackers to penetrate more devices for longer before they are caught.”
Effective collusion requires at least one app with permission to access the restricted information or service, one app without that permission but with access outside the device, and the capability for the two to communicate with each other.
McAfee found that almost 85% of all apps in the mobile marketplace can communicate with other apps, using either explicit (11.3%) or implicit (73.1%) methods. After analyzing the pool, it found instances of app collusion running in the wild, undetected, in a group of applications that use a particular Android SDK. This SDK had been known to be risky and potentially harmful since late 2015, and it is included in more than 5,000 installation packages representing 21 mobile apps, with a wide range of permissions. Working together, any of these Android apps can, when installed on the same device, get around the Android operating system's limitations and respond to commands from a remote control server via the app that has the highest privileges.
Criminals can use the approach to carry out three specific threats:
• Information theft: When an app with access to sensitive or confidential information collaborates (willingly or unwillingly) with one or more other apps to send information outside the boundaries of the device.
• Financial theft: When an app sends information to another app that can make financial transactions or financial API calls.
• Service misuse: When one app can control a system service and receives information or commands from one or more other apps.
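The three requirements for collusion described above (a privileged app, a second app that lacks that permission but can reach the network, and a channel between them) and the explicit/implicit distinction in McAfee's numbers can be turned into a simple device-level check. The following is an added example, not code from the McAfee report or this article: it models each installed app with a few facts a scanner would extract from its manifest and flags pairs that satisfy all three requirements, labelling outbound flows as information theft and inbound flows (commands reaching the privileged app) as service misuse. The set of "sensitive" permissions, the `App` fields, the channel model and the sample device are all assumptions constructed for the example; real detection would need static analysis of the apps' code, not just their manifests.

```python
"""Toy collusion-pair finder over simplified Android app manifests.

Added example: encodes the three collusion requirements (an app holding a
sensitive permission, a second app lacking it but holding INTERNET, and an
inter-app channel between them) and flags app pairs that satisfy them all.
The permission set, the manifest model and the sample device are constructed.
"""
from dataclasses import dataclass, field
from itertools import permutations

# Assumption: which permissions count as "sensitive" for this toy model.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CALL_PHONE",
}
NETWORK_PERMISSION = "android.permission.INTERNET"


@dataclass
class App:
    """Facts a scanner would pull from AndroidManifest.xml (simplified model)."""
    package: str
    permissions: set
    explicit_targets: set = field(default_factory=set)  # packages it addresses by name
    broadcasts: set = field(default_factory=set)        # custom actions it sends implicitly
    listens_for: set = field(default_factory=set)       # actions its exported receivers accept


def channel_between(sender, receiver):
    """Return 'explicit', 'implicit', or None for the sender -> receiver direction."""
    if receiver.package in sender.explicit_targets:
        return "explicit"
    if sender.broadcasts & receiver.listens_for:
        return "implicit"
    return None


def find_collusion_pairs(apps):
    """Flag (privileged, networked) pairs that meet all three collusion requirements."""
    findings = []
    for privileged, networked in permutations(apps, 2):
        if NETWORK_PERMISSION not in networked.permissions:
            continue
        # Sensitive permissions the privileged app holds that the networked app
        # lacks; if the networked app already had them, no partner would be needed.
        leaked = (privileged.permissions & SENSITIVE_PERMISSIONS) - networked.permissions
        if not leaked:
            continue
        outbound = channel_between(privileged, networked)
        if outbound:  # data can flow toward the app that reaches the network
            findings.append({"threat": "information theft", "from": privileged.package,
                             "to": networked.package, "channel": outbound,
                             "permissions": sorted(leaked)})
        inbound = channel_between(networked, privileged)
        if inbound:  # commands relayed from outside can reach the privileged app
            findings.append({"threat": "service misuse", "from": networked.package,
                             "to": privileged.package, "channel": inbound,
                             "permissions": sorted(leaked)})
    return findings


def sample_device():
    """Constructed manifests; package names are placeholders, not real apps."""
    return [
        App("com.example.contactsync", {"android.permission.READ_CONTACTS"},
            broadcasts={"com.example.action.SYNC"},
            listens_for={"com.example.action.CMD"}),
        App("com.example.weather", {NETWORK_PERMISSION},
            explicit_targets={"com.example.contactsync"},
            listens_for={"com.example.action.SYNC"}),
        # Holds INTERNET and READ_CONTACTS itself, so it needs no partner: not a pair.
        App("com.example.browser",
            {NETWORK_PERMISSION, "android.permission.READ_CONTACTS"},
            listens_for={"com.example.action.SYNC"}),
        App("com.example.notes", {"android.permission.WRITE_EXTERNAL_STORAGE"}),
    ]


if __name__ == "__main__":
    for f in find_collusion_pairs(sample_device()):
        print(f"{f['threat']:<18} {f['from']} -> {f['to']} "
              f"({f['channel']} channel, {', '.join(f['permissions'])})")
```

On the sample device the check reports two findings for the same pair: contact data can leave via the implicit broadcast that the networked app listens for, and the networked app can address the privileged app explicitly to deliver commands. The browser app is deliberately not flagged, because an app that already holds both the sensitive permission and INTERNET has no need to collude, which is exactly why single-app permission review misses this pattern.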
“This type of privilege escalation via selection of the app with more permissions is the first known case of malicious apps colluding in the wild,” McAfee said. “It demonstrates the significant risk of using third-party code, such as advertising libraries and external SDKs, especially when they are closed source or not fully trusted. The problem is not specific to Android, and it becomes a critical security issue for all mobile devices as well as for virtual and cloud environments that employ software sandboxing.”
Photo © Nata-Lia