App Collusion Detection (ACID)

Lead Research Organisation: City, University of London
Department Name: Sch of Engineering and Mathematical Sci

Abstract

Malware has been a major problem in desktop computing for decades. With the recent trend towards mobile computing, malware is moving rapidly to smartphone apps. Our business partner McAfee alone collected 17,000 Android malware samples in the most recent quarter, double the rate of the previous year. Criminals are clearly motivated by the opportunity - about one billion smartphones will be sold in 2013, predominantly Android, with more than 10 billion apps downloaded to date.

Smartphones pose a particular security risk because they hold personal details (accounts, locations, contacts, photos) and have potential capabilities for eavesdropping (with cameras/microphone, wireless connections). By design, Android is "open" in its flexibility to download apps from different sources. Its security depends on restricting apps by combining digital signatures, sandboxing, and permissions.

Unfortunately, these restrictions can be bypassed, without the user noticing, by colluding apps whose combined permissions allow them to carry out attacks that neither app can accomplish by itself. A basic example of collusion consists of one app permitted to access personal data, which passes the data to a second app allowed to transmit data over the network. While collusion is not a widespread threat today, it opens an avenue to circumvent Android permission restrictions that could be easily exploited by criminals to become a serious threat in the near future.

The UK Cyber Security Strategy notes that UK industry, as well as the public, needs to have confidence in a safe cyber space. Emerging privacy threats to smartphones are particularly timely to address considering the current controversies about US government data collection and monitoring of private communications. Sensitive data leakage is the main security risk posed by colluding apps, and the proposed project will help maintain users' confidence in smartphone privacy.

Currently almost all academic and industry efforts are focusing on detection of single malicious apps. Almost no attention has been given to colluding apps. The threat has been demonstrated only recently. The threat of colluding apps is challenging to detect because of the myriad and possibly stealthy ways in which apps might communicate and collude. Existing antivirus products are not designed to detect collusion. Preliminary research in the literature has not found any reliable means to detect collusion.

This project directly addresses the aims of the BACCHUS call by building an important collaboration between McAfee and academic experts in network security, intrusion detection, and formal methods to develop innovative methods for collusion detection. Our industry partner McAfee is a global leading security company with extensive facilities for monitoring, collecting, and analyzing smartphone threats.

This project aims to develop novel theoretical and practical methods to detect apps suspected of collusion and perform formal safety checking. The resulting methods will be deployed and tested by the industry partner, McAfee Labs, in their global Threat Intelligence System. If successful, the research project will help to proactively defend smart phones against the emerging threat of colluding apps. McAfee products are some of the most popular with the consumers in the UK, providing day-to-day guarding against PC and mobile threats.

Success in this project would mean a rare opportunity for the cyber security community to stay ahead of an emerging threat instead of reacting to a threat already prevalent.

Planned Impact

ACID aims to develop new techniques for detecting the emerging threat of colluding apps. Success of this project will curtail the threat before it becomes widespread in the wild. This would have broad benefits to researchers (as discussed in Academic Beneficiaries), security and telecommunications industries, and society in general. The beneficiaries are discussed separately below.

McAfee - Our industry partner will be a beneficiary by gaining new knowledge from the research collaboration and exploiting the research results in their commercial systems. As a global leader in the cyber security field, McAfee has vast resources for monitoring, collecting, and analyzing mobile and desktop malware. However their systems are not configured to detect colluding apps because the threat has become known only recently. Through this collaboration, McAfee will gain a new understanding of the collusion threat and will be able to enhance the capabilities of their threat management system.

Cyber security industry - The broader cyber security industry will benefit through the publications of the research team and dissemination through all the channels described in the Pathways to Impact. Virtually all antivirus products and research are currently focused on detection of single malicious apps. The results of this project will help to improve the capabilities of all antivirus products.

Telecommunications industry - Most smartphones sold today are Android, and malware is a rapidly growing problem for Android, eroding public confidence. Without this project, criminals might turn colluding apps into a widespread threat in the near future. This project will help maintain confidence in smartphones which is now the most common way to connect to the Internet for many users.

Society - This project will have a number of benefits on society such as:
(i) By curtailing the Android malware problem, the project helps to maintain public confidence in using their smartphones and the Internet in general.
(ii) Public confidence will lead to continuation of a robust smartphone industry, an important component of the digital economy.
(iii) The new knowledge derived from the project will enhance the skills and knowledgebase of researchers and students.

UK Government - The government has publicly pronounced cyber security as a top national priority. The results of this project will address national issues of concern and could influence public polices related to best practices to secure mobile devices.

Publications

10 25 50
publication icon
Blasco J (2018) Detection of app collusion potential using logic programming in Journal of Network and Computer Applications

publication icon
Blasco J (2017) Automated generation of colluding apps for experimental research in Journal of Computer Virology and Hacking Techniques

publication icon
Qadri J (2016) A Review of Significance of Energy-Consumption Anomaly in Malware Detection in Mobile Devices in International Journal on Cyber Situational Awareness

 
Description The project has been carried out as planned to investigate the problem of Android app collusion and develop methods (implemented in software) to detect collusion. The significant achievements include:
1. Creation of a substantial collection of hundreds of colluding apps for experimentation and testing. This was the result of a long process to define "app collusion" precisely. Also, two novel methods to quickly generate colluding apps (compared to manual programming from scratch) were invented.
2. A novel method to detect potentially colluding apps was developed and implemented in Prolog, which has been uploaded to Github.
3. Experiments have been carried out to use machine learning, implemented in R and Bash scripts, to detect colluding apps.
4. A novel method to detect app collusion using formal model checking has been shown to be feasible using small apps. It remains for future work to expand the method to larger apps.
Exploitation Route We have made available the Prolog detector on Github for other users. We are also publishing results in academic venues as planned. We have made available to other researchers the colluding app collection and other software useful for detection. Also as part of the research plan, the detection methods has been shared with Intel Security, and they are evaluating it for suitability to incorporate into their global threat intelligence system.
Sectors Digital/Communication/Information Technologies (including Software),Security and Diplomacy

URL http://acidproject.org.uk
 
Description Our research findings have been shared with Intel Security (formerly McAfee). From Intel, igor Muttik and Alex Hinchliffe were active partners from the beginning of the project and throughout the project. We also visited Intel Security office at Santa Clara, California, on 4 October 2016 to share research results with Domingo Gonzalez and Irfan Asrar who are in charge of mobile security products. They are looking to incorporate the research from the project into Intel's Threat Intelligence System.
First Year Of Impact 2016
Sector Digital/Communication/Information Technologies (including Software),Security and Diplomacy
Impact Types Economic

 
Title Dataset of colluding Android apps 
Description A dataset of 240 colluding Android apps created from a new software tool called Application Collusion Engine (described in the Software section here). 
Type Of Material Database/Collection of data 
Year Produced 2016 
Provided To Others? Yes  
Impact We have submitted a journal paper describing the Application Collusion Engine and the dataset. 
URL http://personal.rhul.ac.uk/udai/003/colluding_apps.zip
 
Title Application Collusion Engine 
Description Application Collusion Engine (ACE) is a software tool for easily creating two or more colluding Android apps. 
Type Of Technology Software 
Year Produced 2016 
Impact We are submitting a journal paper describing this software tool and a testset of colluding Android apps created from it. ACE is only available by request from T. Chen or J. Blasco because of potential misuse of it to create Android malware. However, a testset of colluding Android apps created from ACE is available from http://personal.rhul.ac.uk/udai/003/colluding_apps.zip 
URL http://personal.rhul.ac.uk/udai/003/colluding_apps.zip
 
Title Prolog detector in Github 
Description As a result of the funded research, the team has developed a method to detect pairs of Android apps that could possibly collude (i.e., has the potential to collude) and written a Prolog program for this method. It is available on Github. 
Type Of Technology Software 
Year Produced 2016 
Open Source License? Yes  
Impact This was put on Github very recently so no impact is known yet. 
URL https://github.com/acidrepo/collusion_potential_detector
 
Description "Android Malware: they divide, we conquer" presented at 10th International CARO Workshop (CARO 2016) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact CARO is an annual workshop organised by the Computer Antivirus Research Organization, which represents the security industry, particularly the antivirus industry. We presented a paper "Android Malware: they divide, we conquer" at the CARO workshop for research dissemination.
Year(s) Of Engagement Activity 2016
URL http://2016.caro.org
 
Description "Towards Automated Android App Collusion Detection" presented at Innovations in Mobile Privacy and Security (IMPS 2016) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Innovations in Mobile Privacy and Security (IMPS) is an annual workshop organised by security researchers to share recent research results. We presented a paper "Towards Automated Android App Collusion Detection" at IMPS 2016 for research dissemination.
Year(s) Of Engagement Activity 2016
URL http://conferences.inf.ed.ac.uk/IMPS/2016/index.html
 
Description "Wild Android Collusions" presented at VirusBulletin 2016 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact VirusBulletin is an annual conference for the security industry, more specifically the antivirus industry. We presented a paper at VirusBulletin 2016 for research dissemination.
Year(s) Of Engagement Activity 2016
URL https://www.virusbulletin.com/conference/vb2016/programme/
 
Description City U London Cyber Security Open Evening 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Public/other audiences
Results and Impact The Computer Science department at City University London hosted a "Cyber Security Open Evening" on 11 June 2014 open to the general public. Tom Chen presented a talk describing the research on colluding Android apps funded by the EPSRC grant.
Year(s) Of Engagement Activity 2014
 
Description IEEE ICC 2015 tutorial 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact Jorge Blasco and Tom Chen presented a 3 hour tutorial on Android Security at IEEE ICC 2015, on 12 June 2015. This consisted of an overview of Android security and included the research problem of Android app collusion (that the grant is for).
Year(s) Of Engagement Activity 2015
URL http://icc2015.ieee-icc.org/content/tutorials
 
Description New Scientist July 2014 issue 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Public/other audiences
Results and Impact In the July 2014 issue of New Scientist, an article titled "Phone invaders" (pp. 32-35) included quotes from Igor Muttik and Tom Chen about Android security, and mentioned the EPSRC project:
Year(s) Of Engagement Activity 2014
 
Description Project mentioned in McAfee Labs Threat Report, June 2016 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact McAfee Labs (now Intel Security) publishes a number of reports about the current state and trends of cyber security. Our project was described in the June 2016 Threats Report. Many people worldwide read these threat reports to understand the state of cyber security.
Year(s) Of Engagement Activity 2016
URL https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-may-2016.pdf