Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Tuesday September 12 2017, @03:44PM   Printer-friendly
from the you-wash-my-back... dept.

Submitted via IRC for SoyCow1937

A team of Oxford and Cambridge researchers is the latest to join a chorus of voices sounding the alarm on a new attack vector named Intra-Library Collusion (ILC) that could make identifying Android malware much harder in the upcoming future.

The research team has described the ILC attack vector in a research paper released last month and named "Intra-Library Collusion: A Potential Privacy Nightmare on Smartphones."

An ILC attack relies on threat actors using libraries to deliver malicious code, instead of standalone Android apps packed with all the malicious commands.

Apps usually require permissions for all the operations they need to perform. An ILC attack relies on spreading the malicious actions across several apps that use the same library(ies).

Each app gets different permissions, and malicious code packed in one app could use shared code from other apps — with higher privileges — to carry out malicious operations.

The advantage — for malware authors — is that investigators analyzing a compromised devices would see the breadth of malicious activities, but would exclude certain apps as the infection's source because they do not possess all the permissions needed to execute the attack.

Source: https://www.bleepingcomputer.com/news/security/intra-library-collusion-attacks-open-the-door-for-a-whole-new-kind-of-android-malware/


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 1, Insightful) by Anonymous Coward on Tuesday September 12 2017, @03:54PM (1 child)

    by Anonymous Coward on Tuesday September 12 2017, @03:54PM (#566790)

    There's nothing about Malware that is in any way interesting; it's the most rudimentary stuff ever—that's why our view of the malware hacker is a slobbish teenager in Eastern Europe, rather than a monocled mad scientist with crazy hair; a child could figure out most of these exploits.

    Software SUCKS. It's the worst; everybody lauds the low barrier to entry (if you've got a computer, you can code), but that is exactly the reason why everything is horrible. Just whip open any software project's source in an editor, and you'll be presented immediately with trash.

    As much as possible, don't use other people's software, and if you do, jail that junk.

    • (Score: 0) by Anonymous Coward on Tuesday September 12 2017, @06:09PM

      by Anonymous Coward on Tuesday September 12 2017, @06:09PM (#566888)

      It's true. I wrote viruses as a teen. I was a poor teenager who couldn't afford a compiler, so I wrote macro viruses for an unpopular platform which meant they didn't spread very far. As soon as I found a copy of gcc I began writing more constructive software starting with games.

  • (Score: 3, Insightful) by fustakrakich on Tuesday September 12 2017, @03:59PM (14 children)

    by fustakrakich (6150) on Tuesday September 12 2017, @03:59PM (#566792) Journal

    All apps should be statically linked and fully isolated from each other. Sure, it takes up more space, but that really isn't an issue anymore.

    --
    La politica e i criminali sono la stessa cosa..
    • (Score: 1, Informative) by Anonymous Coward on Tuesday September 12 2017, @04:17PM (13 children)

      by Anonymous Coward on Tuesday September 12 2017, @04:17PM (#566804)

      It doesn't sound like a problem related to dynamic linking.

      The issue seems to be that some forms of library calls on android can cross privilege boundaries, allowing an app with less privileges to call functions in a library with more privileges, and the library operations work with elevated privileges. This seems like a broken by design security model.

      Libraries (dynamic or otherwise) on normal operating systems don't work this way.

      • (Score: 1, Interesting) by Anonymous Coward on Tuesday September 12 2017, @04:32PM

        by Anonymous Coward on Tuesday September 12 2017, @04:32PM (#566815)

        How can it be that a multi-billion-dollar organization that employs for Big Bucks almost exclusively the creme-de-la-creme of the intelligentsia can produce such obvious flaws? HOW?!

        I've spent much time around those "smart" people; they're not that smart—or, perhaps more accurately: They don't give a fuck; it doesn't tickle them to make something well, but rather it tickles them to make other people feel that they've made something well, especially for money. It's all junk.

      • (Score: 2, Interesting) by Anonymous Coward on Tuesday September 12 2017, @04:33PM (10 children)

        by Anonymous Coward on Tuesday September 12 2017, @04:33PM (#566819)

        It doesn't sound like a problem related to dynamic linking.

        But it *is* related to dynamic linking. It's because the library is used by app A which has permission set P1 as well as app B which has permission set P2, thus giving the library L the permission set (P1 + P2). *that* is exactly the problem.

        Libraries (dynamic or otherwise) on normal operating systems don't work this way.

        You're right on spot there... "on NORMAL operating systems"...

        • (Score: 2) by Runaway1956 on Tuesday September 12 2017, @05:01PM (8 children)

          by Runaway1956 (2926) Subscriber Badge on Tuesday September 12 2017, @05:01PM (#566843) Journal

          So - I'm thinking - on a multiuser system, it's the user, not the app, that is assigned permissions. Super User and/or Root have all these magical permissions, while, I, a mere user, am restricted in many ways. SU uses some of the same libraries that I use, sometimes, even at the same time. But the system doesn't get confused, and grant me SU powers because we are using the same libraries.

          Trying to assign permissions to libraries seems a damned half assed way to address security issues. Did they just take all of Microsoft's worst ideas, and try to make them even worse?

          How about we all just decide NOT to install random apps, published by unknown, faceless people, about whom we know NOTHING.

          Oh hell, that's just to simple a solution. Everyone needs bling on their little electronic screen.

          • (Score: 2, Funny) by fustakrakich on Tuesday September 12 2017, @05:12PM

            by fustakrakich (6150) on Tuesday September 12 2017, @05:12PM (#566852) Journal

            Everyone needs bling on their little electronic screen.

            Well, the weather apps are nice, if they could predict the weather...

            And the need for Solitaire? I would hope that goes without mentioning...

            --
            La politica e i criminali sono la stessa cosa..
          • (Score: 1, Touché) by Anonymous Coward on Tuesday September 12 2017, @05:15PM

            by Anonymous Coward on Tuesday September 12 2017, @05:15PM (#566855)

            >So - I'm thinking - on a multiuser system, it's the user, not the app, that is assigned permissions.

            But on mobile, user is the product, while app distributors are customers. A different ownership model.

          • (Score: 5, Funny) by DannyB on Tuesday September 12 2017, @05:45PM

            by DannyB (5839) Subscriber Badge on Tuesday September 12 2017, @05:45PM (#566872) Journal

            Did they just take all of Microsoft's worst ideas, and try to make them even worse?

            That would be unwise indeed. Microsoft patented all of its worst ideas. Taking them, let alone modifying them, would surely invite a patent infringement lawsuit.

            --
            People today are educated enough to repeat what they are taught but not to question what they are taught.
          • (Score: 0) by Anonymous Coward on Tuesday September 12 2017, @05:54PM (3 children)

            by Anonymous Coward on Tuesday September 12 2017, @05:54PM (#566875)

            Trying to assign permissions to libraries seems a damned half assed way to address security issues.

            Take a look at the sudo binary. It's got the setuid flag set and is owned by root. This is why, when you sudo something, whatever you run, runs as root. Sudo just validates a password and if successful, runs the binary you tell it to run in its own context (i.e. as user 0 - root)

            • (Score: 0) by Anonymous Coward on Tuesday September 12 2017, @07:40PM

              by Anonymous Coward on Tuesday September 12 2017, @07:40PM (#566934)

              And them what?

            • (Score: 2) by maxwell demon on Tuesday September 12 2017, @08:00PM (1 child)

              by maxwell demon (1608) on Tuesday September 12 2017, @08:00PM (#566941) Journal

              That's not a library.

              --
              The Tao of math: The numbers you can count are not the real numbers.
              • (Score: 0) by Anonymous Coward on Wednesday September 13 2017, @01:53AM

                by Anonymous Coward on Wednesday September 13 2017, @01:53AM (#567045)

                Indeed, but it is permissions assigned to code, as opposed to the thing that invokes the code.

          • (Score: 2) by Nerdfest on Tuesday September 12 2017, @05:54PM

            by Nerdfest (80) on Tuesday September 12 2017, @05:54PM (#566876)

            They do assign permissions based on user, but every app has a different userid. Not sure how this works, or whether it's just a bug or a serious architectural failing.

        • (Score: 0) by Anonymous Coward on Tuesday September 12 2017, @05:57PM

          by Anonymous Coward on Tuesday September 12 2017, @05:57PM (#566879)

          The terminology seems to be messing up our understanding. Since libraries work one way on normal operating systems, and another way on Android.

          On a *normal* os, dynamic linking loads library code into the process's memory space and runs with its privileges. Or, it stays within privilege boundaries.

          On "android", dynamic linking is another form of IPC sending unregulated data to some "library"? It crosses privilege boundaries?

          Using "dynamic linking" or just a "library" on andoid seems like a different thing. It should probably have its own terminology since those words don't seem to mean what we think they do. (in the context of Android.)

      • (Score: 1, Interesting) by Anonymous Coward on Tuesday September 12 2017, @04:43PM

        by Anonymous Coward on Tuesday September 12 2017, @04:43PM (#566829)

        This.

        It's not the linking that's the problem, its the uncontrolled communication channel between the app with privileges to read the private data and the app with privileges to expatriate it. This hack goes through an extra library, but it could go through any superstitiously shared memory area - photo metadata or anything else that sounds innocent enough.

  • (Score: 1, Funny) by Anonymous Coward on Tuesday September 12 2017, @04:24PM (4 children)

    by Anonymous Coward on Tuesday September 12 2017, @04:24PM (#566809)

    From TFA:

    A team of Oxford and Cambridge researchers is the latest to join a chorus of voices sounding the alarm on a new attack vector named Intra-Library Collusion (ILC) that could make identifying Android malware much harder in the upcoming future.

    I'm so glad this only affects the upcoming future. It would be so much worse if this was a threat in the previous future too! The Android folks are clearly on our side!

    Or is the author [bleepingcomputer.com] of TFA just a moron?

    • (Score: 0) by Anonymous Coward on Tuesday September 12 2017, @04:28PM (2 children)

      by Anonymous Coward on Tuesday September 12 2017, @04:28PM (#566812)
      • (Score: 0) by Anonymous Coward on Tuesday September 12 2017, @05:22PM (1 child)

        by Anonymous Coward on Tuesday September 12 2017, @05:22PM (#566860)

        Original AC here.

        You can post all the google searches you want, but the future is *always* upcoming -- or it wouldn't be the future. As such, it's redundant and poor usage. If many people use a phrase like that, it's just many people eschewing clear, concise language. A million lemmings can't be wrong, can they?

        Additional stupidity includes the likes of "more unique."

        • (Score: 1, Funny) by Anonymous Coward on Tuesday September 12 2017, @06:01PM

          by Anonymous Coward on Tuesday September 12 2017, @06:01PM (#566883)
          Some futures are more possible than others. Supposedly the upcoming ones ;).
    • (Score: 2) by Runaway1956 on Tuesday September 12 2017, @05:04PM

      by Runaway1956 (2926) Subscriber Badge on Tuesday September 12 2017, @05:04PM (#566846) Journal

      I think the upcoming future was steamrolled by the downgoing past.

  • (Score: 5, Informative) by bob_super on Tuesday September 12 2017, @04:45PM (1 child)

    by bob_super (1357) on Tuesday September 12 2017, @04:45PM (#566830)

    So, if you download the hairspray app and the deodorant app, when you start using the makeup app, you die laughing?

    • (Score: 2) by ilsa on Tuesday September 12 2017, @10:33PM

      by ilsa (6082) Subscriber Badge on Tuesday September 12 2017, @10:33PM (#566992)

      That's basically it, actually. Excellent analogy.

  • (Score: 0) by Anonymous Coward on Tuesday September 12 2017, @04:50PM (14 children)

    by Anonymous Coward on Tuesday September 12 2017, @04:50PM (#566833)

    Shouldn't library code always run with the privileges of the application calling it?

    • (Score: 2) by The Mighty Buzzard on Tuesday September 12 2017, @04:58PM (6 children)

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday September 12 2017, @04:58PM (#566839) Homepage Journal

      It does. It's just a malicious library being used for message passing between two malicious apps. This isn't really much of a worry in opensource libraries. In theory anyway. In practice you may see a few instances slip through now and then.

      --
      My rights don't end where your fear begins.
      • (Score: 1) by fustakrakich on Tuesday September 12 2017, @05:17PM (5 children)

        by fustakrakich (6150) on Tuesday September 12 2017, @05:17PM (#566856) Journal

        It's just a malicious library being used for message passing between two malicious apps.

        Seems inevitable when more than one app uses the same library. I would think static linking and full isolation would mitigate that problem, but I'm bumping into some disagreement. Am I really wrong?

        --
        La politica e i criminali sono la stessa cosa..
        • (Score: 2) by frojack on Tuesday September 12 2017, @06:52PM (4 children)

          by frojack (1554) on Tuesday September 12 2017, @06:52PM (#566912) Journal

          I would think static linking and full isolation would mitigate that problem, but I'm bumping into some disagreement. Am I really wrong?

          Well I think it depends on how many other (legitimate and intended) uses of inter-app communication you kill off in the process.

          Simply emailing a link you found in a web page to a friend could become tricky. Do you link a email client into the browser, or do you build a whole browser into your email package. Who gets to call the library that reads your contacts? Who gets to do a dns inquiry? Are these all statically linked into every app?

          Sooner or later you realize the limits of this approach because you are not just going to need a "little more memory" you are going to need boat loads of memory just to load copies of all the libraries into EACH app.

          Certainly there must be a place in this world for shared dynamic libraries. Its not by accident every OS in the world uses these.

          Each use of a library, in most modern systems, has to adhere to ACLs, and permissions, etc. One app MAY be given permissions to access your contacts, and others may not.

          But if the library's only purpose (or one of its undocumented purposes) is to cache data accessed by your address book app (for speed - say), and surreptitiously pass that data to some other app the next time that app makes an innocuous library call, it gets fairly difficult to detect this.

          --
          No, you are mistaken. I've always had this sig.
          • (Score: 0) by Anonymous Coward on Tuesday September 12 2017, @07:16PM

            by Anonymous Coward on Tuesday September 12 2017, @07:16PM (#566925)

            i highlight the text, copy, then open the mail client and paste it into the content of a message I am writing.

            isn't that what other people do?

            any other way just adds your friends to someone else's list. People really click on the email icons on websites to share links? wow i thought that was just a way to add you and everyone else to a spam list

          • (Score: 2) by maxwell demon on Tuesday September 12 2017, @08:07PM (1 child)

            by maxwell demon (1608) on Tuesday September 12 2017, @08:07PM (#566943) Journal

            Code sharing doesn't lead to privilege escalation. On a normal Linux system, the user binaries share the complete C library (and quite a few others) with services running as root, without allowing me to gain root privileges that way.

            But if the library's only purpose (or one of its undocumented purposes) is to cache data accessed by your address book app (for speed - say), and surreptitiously pass that data to some other app the next time that app makes an innocuous library call, it gets fairly difficult to detect this.

            But that is completely unrelated to dynamic linking. Passing data that way requires data memory sharing, not code memory sharing.

            --
            The Tao of math: The numbers you can count are not the real numbers.
            • (Score: 2) by frojack on Tuesday September 12 2017, @10:55PM

              by frojack (1554) on Tuesday September 12 2017, @10:55PM (#566996) Journal

              Passing data that way requires data memory sharing, not code memory sharing.

              Which suggests the hand wringing worry about detecting this new attack vector may be overwrought, and this is not an un solvable problem. You would have to look for data writes to on-device locations that might be accessible to multiple libraries.

              There can be several mechanism whereby something is written by one library in a place the other library knows how to get at it. That place could be somewhere in memory on the device, or somewhere on the internet. TFA suggests multiple separate apps each having one or more privileges that can be combined to steal information. But these actions don't have to happen all at the same time, nor have data stored all on the same device, or even on the same remote mother-ship spy site. You could use meaningless file names, hidden files, or simply open unix sockets (or internet sockets) and pass data that way.

              Then you sit back and wait for joe user to install the second, or third, app, until you have assembled your entire attack vector out of pieces and parts.

              --
              No, you are mistaken. I've always had this sig.
          • (Score: 2) by chromas on Wednesday September 13 2017, @04:08AM

            by chromas (34) Subscriber Badge on Wednesday September 13 2017, @04:08AM (#567069) Journal

            you are going to need boat loads of memory

            Most Android applications are Java+XML, so that's covered.

    • (Score: 4, Informative) by BananaPhone on Tuesday September 12 2017, @05:00PM (6 children)

      by BananaPhone (2488) on Tuesday September 12 2017, @05:00PM (#566841)

      Nope and that's the danger:

      App A (With Network -Wifi privs only) : Yo, App B get me the contacts list.

      App B (With contacts list only) : Here you go

      App A (With Network -Wifi privs only) : Thank you. Uploading to mother-ship...

      • (Score: 0) by Anonymous Coward on Tuesday September 12 2017, @05:32PM (5 children)

        by Anonymous Coward on Tuesday September 12 2017, @05:32PM (#566866)

        Why doesn't an app require an inter-process communication privilege? Is not IPC also a matter of I/O.

        Idiot programmers.

        • (Score: 3, Insightful) by DannyB on Tuesday September 12 2017, @05:55PM (4 children)

          by DannyB (5839) Subscriber Badge on Tuesday September 12 2017, @05:55PM (#566878) Journal

          Maybe the communication is conducted in some less obvious way. Maybe by reading / writing files in some out of the way sub sub sub folder somewhere. The two colluding apps don't have to exfiltrate your contacts list in one second, when one week or one month would do just fine for the attacker as long as he gets your contacts list.

          Maybe app A with WiFi, and App B with Contacts list both communicate in some covert way with App C who facilitates communication between A and B. Maybe with strange blocks of pixels that briefly appear and disappear from the screen.

          Android apps can publish and subscribe to "intents". That could be used as a covert way to communicate.

          Or manipulate some global state in a way that could be used to communicate. How long and how often a wakelock is used to send packets of dot-dit messages of short and long wakelocks. Or maybe one app quickly consumes and then releases a huge amount of some system resource such as memory or storage.

          --
          People today are educated enough to repeat what they are taught but not to question what they are taught.
          • (Score: 0) by Anonymous Coward on Tuesday September 12 2017, @06:01PM (2 children)

            by Anonymous Coward on Tuesday September 12 2017, @06:01PM (#566884)

            None of which require a "library".

            There's an unregulated communication channel, unrelated to using a library or dynamic linking.

            • (Score: 2) by Nerdfest on Tuesday September 12 2017, @06:36PM (1 child)

              by Nerdfest (80) on Tuesday September 12 2017, @06:36PM (#566900)

              That's what this is looking like to me as well. One app just registers as an intent listener and the other fires the info across that way. I don't think this is using arbitrary shared library instances. I could be wrong.

              • (Score: 2) by DannyB on Wednesday September 13 2017, @05:28PM

                by DannyB (5839) Subscriber Badge on Wednesday September 13 2017, @05:28PM (#567306) Journal

                It doesn't *require* a library. But the point of a library is that the author of the App is Unaware of the nefarious code buried in his app. The library author is trying to take advantage of two different Apps, by two different authors, having a set of privileges that when combined yield some capability to do harm that neither app alone could accomplish -- and unbeknownst to either app's author, and possibly to the Google Play store.

                --
                People today are educated enough to repeat what they are taught but not to question what they are taught.
          • (Score: 0) by Anonymous Coward on Tuesday September 12 2017, @07:20PM

            by Anonymous Coward on Tuesday September 12 2017, @07:20PM (#566926)

            so wait, why would something with wifi permissions need access to my contact list? wouldnt the application that I am using to read from the list need access to the content list, then the application relies on the OS, which then would have the permissions to determine what method to connect to a network would be?

            shouldnt the contact list be at least that many steps removed from the network interface? what happened to the OSI model? it is not perfect and tcp ip doesn't match, but who in their right mind would

            ha silly me. we have iot things too, i forgot

  • (Score: 2) by RamiK on Tuesday September 12 2017, @06:47PM (2 children)

    by RamiK (1813) on Tuesday September 12 2017, @06:47PM (#566910)
    • (Score: 2) by Fnord666 on Tuesday September 12 2017, @07:15PM (1 child)

      by Fnord666 (652) on Tuesday September 12 2017, @07:15PM (#566922) Homepage
      Well, crap. At least they're close to a month apart. Thank you for pointing it out and I'll strive to do better.
      • (Score: 2) by chromas on Wednesday September 13 2017, @04:16AM

        by chromas (34) Subscriber Badge on Wednesday September 13 2017, @04:16AM (#567072) Journal

        This is coming out of your paycheck, mister!

(1)