App Collusion Detection (ACID)

Lead Research Organisation: City, University of London
Department Name: Sch of Engineering and Mathematical Sci

Abstract

Malware has been a major problem in desktop computing for decades. With the recent trend towards mobile computing, malware is moving rapidly to smartphone apps. Our business partner McAfee alone collected 17,000 Android malware samples in the most recent quarter, double the rate of the previous year. Criminals are clearly motivated by the opportunity - about one billion smartphones will be sold in 2013, predominantly Android, with more than 10 billion apps downloaded to date.

Smartphones pose a particular security risk because they hold personal details (accounts, locations, contacts, photos) and have potential capabilities for eavesdropping (with cameras/microphone, wireless connections). By design, Android is "open" in its flexibility to download apps from different sources. Its security depends on restricting apps by combining digital signatures, sandboxing, and permissions.

Unfortunately, these restrictions can be bypassed, without the user noticing, by colluding apps whose combined permissions allow them to carry out attacks that neither app can accomplish by itself. A basic example of collusion consists of one app permitted to access personal data, which passes the data to a second app allowed to transmit data over the network. While collusion is not a widespread threat today, it opens an avenue to circumvent Android permission restrictions that could be easily exploited by criminals to become a serious threat in the near future.
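As an added illustration (not code from the project; its own Prolog detector is the one published on GitHub), a rule-based check modelled on the collusion pattern just described: it flags chains in which an app holding a sensitive-data permission can pass data, over a shared inter-app channel, to an app holding a network permission. The permission classes, channel labels and sample apps are constructed for the example.

```python
from dataclasses import dataclass, field

# Permission classes used by the rule (constructed for this example, not the
# source/sink sets of the project's own Prolog detector).
SENSITIVE = {"READ_CONTACTS", "ACCESS_FINE_LOCATION", "READ_SMS"}
EXFIL = {"INTERNET", "SEND_SMS", "BLUETOOTH"}

@dataclass
class App:
    name: str
    permissions: set
    sends: set = field(default_factory=set)     # channels the app writes to
    receives: set = field(default_factory=set)  # channels the app reads from

def collusion_potential(apps):
    """Return every chain (app, channel, app, ..., app) that starts at an app
    holding a sensitive permission and ends at one holding a network/SMS
    permission, linked by shared channels. A single app holding both kinds of
    permission is not flagged: collusion is the split across a channel."""
    by_name = {a.name: a for a in apps}
    # Directed edges: a can hand data to b over channel ch.
    edges = {a.name: [(b.name, ch) for b in apps if b is not a
                      for ch in sorted(a.sends & b.receives)] for a in apps}
    chains = []
    for src in apps:
        if not src.permissions & SENSITIVE:
            continue
        stack = [(src.name, (src.name,))]
        while stack:                      # depth-first walk over channel edges
            cur, path = stack.pop()
            for nxt, ch in edges[cur]:
                if nxt in path:           # ignore cycles through shared channels
                    continue
                ext = path + (ch, nxt)
                if by_name[nxt].permissions & EXFIL:
                    chains.append(ext)
                stack.append((nxt, ext))  # keep walking: longer relays
    return sorted(chains)

# Constructed sample set: a direct pair, a three-app relay, and a benign app.
SAMPLE = [
    App("contacts_widget", {"READ_CONTACTS"}, sends={"com.example.SYNC"}),
    App("weather", {"INTERNET"}, receives={"com.example.SYNC"}),
    App("relay", set(), receives={"com.example.SYNC"}, sends={"com.example.UP"}),
    App("uploader", {"INTERNET"}, receives={"com.example.UP"}),
    App("mail", {"READ_CONTACTS", "INTERNET"}),  # one app, not collusion
]
if __name__ == "__main__":
    for chain in collusion_potential(SAMPLE):
        print(" -> ".join(chain))
```

Such a rule reports collusion potential only; as the project's outcomes note, flagged pairs still need manual analysis to rule out false positives.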

The UK Cyber Security Strategy notes that UK industry, as well as the public, needs to have confidence in a safe cyber space. Emerging privacy threats to smartphones are particularly timely to address considering the current controversies about US government data collection and monitoring of private communications. Sensitive data leakage is the main security risk posed by colluding apps, and the proposed project will help maintain users' confidence in smartphone privacy.

Currently almost all academic and industry efforts are focusing on detection of single malicious apps. Almost no attention has been given to colluding apps. The threat has been demonstrated only recently. The threat of colluding apps is challenging to detect because of the myriad and possibly stealthy ways in which apps might communicate and collude. Existing antivirus products are not designed to detect collusion. Preliminary research in the literature has not found any reliable means to detect collusion.

This project directly addresses the aims of the BACCHUS call by building an important collaboration between McAfee and academic experts in network security, intrusion detection, and formal methods to develop innovative methods for collusion detection. Our industry partner McAfee is a global leading security company with extensive facilities for monitoring, collecting, and analyzing smartphone threats.

This project aims to develop novel theoretical and practical methods to detect apps suspected of collusion and to perform formal safety checking. The resulting methods will be deployed and tested by the industry partner, McAfee Labs, in their global Threat Intelligence System. If successful, the research project will help to proactively defend smartphones against the emerging threat of colluding apps. McAfee products are some of the most popular with consumers in the UK, providing day-to-day guarding against PC and mobile threats.

Success in this project would mean a rare opportunity for the cyber security community to stay ahead of an emerging threat instead of reacting to a threat already prevalent.

Planned Impact

ACID aims to develop new techniques for detecting the emerging threat of colluding apps. Success of this project will curtail the threat before it becomes widespread in the wild. This would have broad benefits to researchers (as discussed in Academic Beneficiaries), security and telecommunications industries, and society in general. The beneficiaries are discussed separately below.

McAfee - Our industry partner will be a beneficiary by gaining new knowledge from the research collaboration and exploiting the research results in their commercial systems. As a global leader in the cyber security field, McAfee has vast resources for monitoring, collecting, and analyzing mobile and desktop malware. However, their systems are not configured to detect colluding apps because the threat has become known only recently. Through this collaboration, McAfee will gain a new understanding of the collusion threat and will be able to enhance the capabilities of their threat management system.

Cyber security industry - The broader cyber security industry will benefit through the publications of the research team and dissemination through all the channels described in the Pathways to Impact. Virtually all antivirus products and research are currently focused on detection of single malicious apps. The results of this project will help to improve the capabilities of all antivirus products.

Telecommunications industry - Most smartphones sold today are Android, and malware is a rapidly growing problem for Android, eroding public confidence. Without this project, criminals might turn colluding apps into a widespread threat in the near future. This project will help maintain confidence in smartphones, which are now the most common way for many users to connect to the Internet.

Society - This project will have a number of benefits on society such as:
(i) By curtailing the Android malware problem, the project helps to maintain public confidence in using their smartphones and the Internet in general.
(ii) Public confidence will lead to continuation of a robust smartphone industry, an important component of the digital economy.
(iii) The new knowledge derived from the project will enhance the skills and knowledge base of researchers and students.

UK Government - The government has publicly pronounced cyber security a top national priority. The results of this project will address national issues of concern and could influence public policies related to best practices for securing mobile devices.

Publications

Qadri J (2016) A Review of Significance of Energy-Consumption Anomaly in Malware Detection in Mobile Devices in International Journal on Cyber Situational Awareness

Blasco J (2017) Automated generation of colluding apps for experimental research in Journal of Computer Virology and Hacking Techniques

Blasco J (2018) Detection of app collusion potential using logic programming in Journal of Network and Computer Applications

 
Description The project has been carried out as planned to investigate the problem of Android app collusion and develop methods (implemented in software) to detect collusion. The significant achievements include:
1. Creation of a substantial collection of hundreds of colluding apps for experimentation and testing. This was the result of a long process to define "app collusion" precisely. Also, two novel methods to quickly generate colluding apps (compared to manual programming from scratch) were invented.
2. A novel method to detect potentially colluding apps was developed and implemented in Prolog, which has been uploaded to GitHub.
3. Experiments have been carried out to use machine learning, implemented in R and Bash scripts, to detect colluding apps.
4. A novel method to detect app collusion using formal model checking has been shown to be feasible using small apps. It remains for future work to expand the method to larger apps.
Exploitation Route We have made available the Prolog detector on GitHub for other users. We are also publishing results in academic venues as planned. We have made available to other researchers the colluding app collection and other software useful for detection. Also, as part of the research plan, the detection methods have been shared with Intel Security, and they are evaluating them for suitability to incorporate into their global threat intelligence system.
Sectors Digital/Communication/Information Technologies (including Software), Security and Diplomacy

URL http://acidproject.org.uk
 
Description Our research findings have been shared with Intel Security (formerly McAfee). From Intel, Igor Muttik and Alex Hinchliffe were active partners from the beginning of the project and throughout the project. We also visited the Intel Security office at Santa Clara, California, on 4 October 2016 to share research results with Domingo Gonzalez and Irfan Asrar, who are in charge of mobile security products. They are looking to incorporate the research from the project into Intel's Threat Intelligence System. Update (March 2022): Our contacts at McAfee left the company shortly after the end of the ACID project, which has made it difficult to find out more about outcomes. But we had a recent conversation with our main contact, Dr Igor Muttik, who is running his own consultancy company now. From this conversation, we found out these outcomes: (1) Previously reported - Apart from academic papers, McAfee published a threat report online with a section devoted to app collusion. This had high circulation between security companies and raised awareness about the problem. (2) Recognition for apps which used the MoPlus SDK was built into McAfee's backend threat intelligence system, which allowed automatic classification of any apps that had this collusion risk. (3) McAfee's backend threat intelligence system had a notification added to alert researchers about any potentially colluding apps. Manual analysis in this case is required after notification in order to avoid possible false positives and to improve the notification logic if/when it triggers. In summary, our detection algorithm for colluding apps was trialled in McAfee's threat intelligence system. We do not have information about whether any colluding apps were actually found "in the wild".
First Year Of Impact 2016
Sector Digital/Communication/Information Technologies (including Software), Security and Diplomacy
Impact Types Economic

 
Title Dataset of colluding Android apps 
Description A dataset of 240 colluding Android apps created from a new software tool called Application Collusion Engine (described in the Software section here). 
Type Of Material Database/Collection of data 
Year Produced 2016 
Provided To Others? Yes  
Impact We have submitted a journal paper describing the Application Collusion Engine and the dataset. 
URL http://personal.rhul.ac.uk/udai/003/colluding_apps.zip
 
Title Application Collusion Engine 
Description Application Collusion Engine (ACE) is a software tool for easily creating two or more colluding Android apps. 
Type Of Technology Software 
Year Produced 2016 
Impact We are submitting a journal paper describing this software tool and a test set of colluding Android apps created from it. ACE is only available by request from T. Chen or J. Blasco because of potential misuse of it to create Android malware. However, a test set of colluding Android apps created from ACE is available from http://personal.rhul.ac.uk/udai/003/colluding_apps.zip 
URL http://personal.rhul.ac.uk/udai/003/colluding_apps.zip
 
Title Prolog detector on GitHub 
Description As a result of the funded research, the team has developed a method to detect pairs of Android apps that could possibly collude (i.e., have the potential to collude) and written a Prolog program for this method. It is available on GitHub. 
Type Of Technology Software 
Year Produced 2016 
Open Source License? Yes  
Impact This was put on GitHub very recently, so no impact is known yet. 
URL https://github.com/acidrepo/collusion_potential_detector
 
Description "Android Malware: they divide, we conquer" presented at 10th International CARO Workshop (CARO 2016) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact CARO is an annual workshop organised by the Computer Antivirus Research Organization, which represents the security industry, particularly the antivirus industry. We presented a paper "Android Malware: they divide, we conquer" at the CARO workshop for research dissemination.
Year(s) Of Engagement Activity 2016
URL http://2016.caro.org
 
Description "Towards Automated Android App Collusion Detection" presented at Innovations in Mobile Privacy and Security (IMPS 2016) 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact Innovations in Mobile Privacy and Security (IMPS) is an annual workshop organised by security researchers to share recent research results. We presented a paper "Towards Automated Android App Collusion Detection" at IMPS 2016 for research dissemination.
Year(s) Of Engagement Activity 2016
URL http://conferences.inf.ed.ac.uk/IMPS/2016/index.html
 
Description "Wild Android Collusions" presented at VirusBulletin 2016 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact VirusBulletin is an annual conference for the security industry, more specifically the antivirus industry. We presented a paper at VirusBulletin 2016 for research dissemination.
Year(s) Of Engagement Activity 2016
URL https://www.virusbulletin.com/conference/vb2016/programme/
 
Description City U London Cyber Security Open Evening 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Public/other audiences
Results and Impact The Computer Science department at City University London hosted a "Cyber Security Open Evening" on 11 June 2014 open to the general public. Tom Chen presented a talk describing the research on colluding Android apps funded by the EPSRC grant.
Year(s) Of Engagement Activity 2014
 
Description IEEE ICC 2015 tutorial 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact Jorge Blasco and Tom Chen presented a 3-hour tutorial on Android Security at IEEE ICC 2015, on 12 June 2015. This consisted of an overview of Android security and included the research problem of Android app collusion (the subject of this grant).
Year(s) Of Engagement Activity 2015
URL http://icc2015.ieee-icc.org/content/tutorials
 
Description New Scientist July 2014 issue 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Public/other audiences
Results and Impact In the July 2014 issue of New Scientist, an article titled "Phone invaders" (pp. 32-35) included quotes from Igor Muttik and Tom Chen about Android security, and mentioned the EPSRC project.
Year(s) Of Engagement Activity 2014
 
Description Project mentioned in McAfee Labs Threat Report, June 2016 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact McAfee Labs (now Intel Security) publishes a number of reports about the current state and trends of cyber security. Our project was described in the June 2016 Threats Report. Many people worldwide read these threat reports to understand the state of cyber security.
Year(s) Of Engagement Activity 2016
URL https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-may-2016.pdf