SoylentNews is people
SoylentNews
Submitted via IRC for SoyCow1937
A team of Oxford and Cambridge researchers is the latest to join a chorus of voices sounding the alarm on a new attack vector named Intra-Library Collusion (ILC) that could make identifying Android malware much harder in the upcoming future.
The research team has described the ILC attack vector in a research paper released last month and named "Intra-Library Collusion: A Potential Privacy Nightmare on Smartphones."
An ILC attack relies on threat actors using libraries to deliver malicious code, instead of standalone Android apps packed with all the malicious commands.
Apps usually require permissions for all the operations they need to perform. An ILC attack relies on spreading the malicious actions across several apps that use the same library(ies).
Each app gets different permissions, and malicious code packed in one app could use shared code from other apps — with higher privileges — to carry out malicious operations.
The advantage — for malware authors — is that investigators analyzing a compromised devices would see the breadth of malicious activities, but would exclude certain apps as the infection's source because they do not possess all the permissions needed to execute the attack.
(Score: 0) by Anonymous Coward on Tuesday September 12 2017, @04:50PM (14 children)
Shouldn't library code always run with the privileges of the application calling it?
(Score: 2) by The Mighty Buzzard on Tuesday September 12 2017, @04:58PM (6 children)
It does. It's just a malicious library being used for message passing between two malicious apps. This isn't really much of a worry in opensource libraries. In theory anyway. In practice you may see a few instances slip through now and then.
My rights don't end where your fear begins.
(Score: 1) by fustakrakich on Tuesday September 12 2017, @05:17PM (5 children)
It's just a malicious library being used for message passing between two malicious apps.
Seems inevitable when more than one app uses the same library. I would think static linking and full isolation would mitigate that problem, but I'm bumping into some disagreement. Am I really wrong?
La politica e i criminali sono la stessa cosa..
(Score: 2) by frojack on Tuesday September 12 2017, @06:52PM (4 children)
Well I think it depends on how many other (legitimate and intended) uses of inter-app communication you kill off in the process.
Simply emailing a link you found in a web page to a friend could become tricky. Do you link a email client into the browser, or do you build a whole browser into your email package. Who gets to call the library that reads your contacts? Who gets to do a dns inquiry? Are these all statically linked into every app?
Sooner or later you realize the limits of this approach because you are not just going to need a "little more memory" you are going to need boat loads of memory just to load copies of all the libraries into EACH app.
Certainly there must be a place in this world for shared dynamic libraries. Its not by accident every OS in the world uses these.
Each use of a library, in most modern systems, has to adhere to ACLs, and permissions, etc. One app MAY be given permissions to access your contacts, and others may not.
But if the library's only purpose (or one of its undocumented purposes) is to cache data accessed by your address book app (for speed - say), and surreptitiously pass that data to some other app the next time that app makes an innocuous library call, it gets fairly difficult to detect this.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Tuesday September 12 2017, @07:16PM
i highlight the text, copy, then open the mail client and paste it into the content of a message I am writing.
isn't that what other people do?
any other way just adds your friends to someone else's list. People really click on the email icons on websites to share links? wow i thought that was just a way to add you and everyone else to a spam list
(Score: 2) by maxwell demon on Tuesday September 12 2017, @08:07PM (1 child)
Code sharing doesn't lead to privilege escalation. On a normal Linux system, the user binaries share the complete C library (and quite a few others) with services running as root, without allowing me to gain root privileges that way.
But that is completely unrelated to dynamic linking. Passing data that way requires data memory sharing, not code memory sharing.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by frojack on Tuesday September 12 2017, @10:55PM
Which suggests the hand wringing worry about detecting this new attack vector may be overwrought, and this is not an un solvable problem. You would have to look for data writes to on-device locations that might be accessible to multiple libraries.
There can be several mechanism whereby something is written by one library in a place the other library knows how to get at it. That place could be somewhere in memory on the device, or somewhere on the internet. TFA suggests multiple separate apps each having one or more privileges that can be combined to steal information. But these actions don't have to happen all at the same time, nor have data stored all on the same device, or even on the same remote mother-ship spy site. You could use meaningless file names, hidden files, or simply open unix sockets (or internet sockets) and pass data that way.
Then you sit back and wait for joe user to install the second, or third, app, until you have assembled your entire attack vector out of pieces and parts.
No, you are mistaken. I've always had this sig.
(Score: 2) by chromas on Wednesday September 13 2017, @04:08AM
Most Android applications are Java+XML, so that's covered.
(Score: 4, Informative) by BananaPhone on Tuesday September 12 2017, @05:00PM (6 children)
Nope and that's the danger:
App A (With Network -Wifi privs only) : Yo, App B get me the contacts list.
App B (With contacts list only) : Here you go
App A (With Network -Wifi privs only) : Thank you. Uploading to mother-ship...
(Score: 0) by Anonymous Coward on Tuesday September 12 2017, @05:32PM (5 children)
Why doesn't an app require an inter-process communication privilege? Is not IPC also a matter of I/O.
Idiot programmers.
(Score: 3, Insightful) by DannyB on Tuesday September 12 2017, @05:55PM (4 children)
Maybe the communication is conducted in some less obvious way. Maybe by reading / writing files in some out of the way sub sub sub folder somewhere. The two colluding apps don't have to exfiltrate your contacts list in one second, when one week or one month would do just fine for the attacker as long as he gets your contacts list.
Maybe app A with WiFi, and App B with Contacts list both communicate in some covert way with App C who facilitates communication between A and B. Maybe with strange blocks of pixels that briefly appear and disappear from the screen.
Android apps can publish and subscribe to "intents". That could be used as a covert way to communicate.
Or manipulate some global state in a way that could be used to communicate. How long and how often a wakelock is used to send packets of dot-dit messages of short and long wakelocks. Or maybe one app quickly consumes and then releases a huge amount of some system resource such as memory or storage.
The lower I set my standards the more accomplishments I have.
(Score: 0) by Anonymous Coward on Tuesday September 12 2017, @06:01PM (2 children)
None of which require a "library".
There's an unregulated communication channel, unrelated to using a library or dynamic linking.
(Score: 2) by Nerdfest on Tuesday September 12 2017, @06:36PM (1 child)
That's what this is looking like to me as well. One app just registers as an intent listener and the other fires the info across that way. I don't think this is using arbitrary shared library instances. I could be wrong.
(Score: 2) by DannyB on Wednesday September 13 2017, @05:28PM
It doesn't *require* a library. But the point of a library is that the author of the App is Unaware of the nefarious code buried in his app. The library author is trying to take advantage of two different Apps, by two different authors, having a set of privileges that when combined yield some capability to do harm that neither app alone could accomplish -- and unbeknownst to either app's author, and possibly to the Google Play store.
The lower I set my standards the more accomplishments I have.
(Score: 0) by Anonymous Coward on Tuesday September 12 2017, @07:20PM
so wait, why would something with wifi permissions need access to my contact list? wouldnt the application that I am using to read from the list need access to the content list, then the application relies on the OS, which then would have the permissions to determine what method to connect to a network would be?
shouldnt the contact list be at least that many steps removed from the network interface? what happened to the OSI model? it is not perfect and tcp ip doesn't match, but who in their right mind would
ha silly me. we have iot things too, i forgot