Detection of Malware Collusion with Static Dependence Analysis on Inter-App Communication

Danfeng Yao (PI) Barbara G. Ryder (co-PI) Funder: DARPA


Core Android functionalities heavily rely on the encapsulation of component structures and their Intent-based communication mechanisms. Poorly written or malicious applications expose sensitive user and device data and abuse system resources through inter-component communication (ICC). In this project, we will systematically investigate ICC and file-sharing based malware collusions. In malware collusion scenarios, two or more malicious Android apps work together to achieve their attack goals. The malware apps may be written by the same malicious developer. Each of the apps may appear benign, successfully passing stand-alone malware screenings.

Malware collusion is a new threat against Android application security that has not been systematically studied. Virtually all existing ICC-based program analyses (e.g., CHEX and ComDroid) are for detecting vulnerable-yet-benign apps (e.g., due to inexperienced developers). Thus, they are not suitable for detecting malware collusion. Our specific aim is to systematically characterize, analyze, and classify risky ICC paths and file sharing across two or multiple apps that lead to the leak of sensitive data, the abusing of system resources, and spoofing. We will detect malware collusions via the static analysis on inter-app communications, in order to identify risky dependence paths that are across multiple applications. Risky dependence paths are those that may leak sensitive data and access system resources to perform sensitive and privileged operations. The use of static program analysis is advantageous, because of its ability to summarize all possible execution behaviors of a program.

Two central operations of such collusion detection are:

1. (Program-analysis based app behavior characterization) To find all risky data- flow or control-flow dependence paths across any pairs of apps. For both the source app and destination app, this static program analysis operation involves identifying dependence paths involving ICC entry or exit points and sensitive data or operations.

2. (Classification) To determine whether a risky dependence path is benign or malicious. The classification can be made based on the context of the inter-app communication, with respect to pre-defined rules. For scalability, pair-wise app analysis is of quadratic complexity in the number of apps. Because program analysis is expensive, we will design modular analysis algorithms that maximally reuse the program analysis results (modularity). For accuracy, one classification approach will be on whether the data flow through inter-component communication (ICC) has valid user triggers that indicate the user's (implicit) authorization for sensitive operations.

The impact of collusion detection is the significantly improved system and program assurance for all the mobile platforms used by U.S. DoD. It provides strong protection for the confidentiality and integrity of sensitive data accessed or generated by mobile devices