Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Tuesday September 12 2017, @03:44PM   Printer-friendly
from the you-wash-my-back... dept.

Submitted via IRC for SoyCow1937

A team of Oxford and Cambridge researchers is the latest to join a chorus of voices sounding the alarm on a new attack vector named Intra-Library Collusion (ILC) that could make identifying Android malware much harder in the upcoming future.

The research team has described the ILC attack vector in a research paper released last month and named "Intra-Library Collusion: A Potential Privacy Nightmare on Smartphones."

An ILC attack relies on threat actors using libraries to deliver malicious code, instead of standalone Android apps packed with all the malicious commands.

Apps usually require permissions for all the operations they need to perform. An ILC attack relies on spreading the malicious actions across several apps that use the same library(ies).

Each app gets different permissions, and malicious code packed in one app could use shared code from other apps — with higher privileges — to carry out malicious operations.

The advantage — for malware authors — is that investigators analyzing a compromised devices would see the breadth of malicious activities, but would exclude certain apps as the infection's source because they do not possess all the permissions needed to execute the attack.

Source: https://www.bleepingcomputer.com/news/security/intra-library-collusion-attacks-open-the-door-for-a-whole-new-kind-of-android-malware/


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Tuesday September 12 2017, @05:32PM (5 children)

    by Anonymous Coward on Tuesday September 12 2017, @05:32PM (#566866)

    Why doesn't an app require an inter-process communication privilege? Is not IPC also a matter of I/O.

    Idiot programmers.

  • (Score: 3, Insightful) by DannyB on Tuesday September 12 2017, @05:55PM (4 children)

    by DannyB (5839) Subscriber Badge on Tuesday September 12 2017, @05:55PM (#566878) Journal

    Maybe the communication is conducted in some less obvious way. Maybe by reading / writing files in some out of the way sub sub sub folder somewhere. The two colluding apps don't have to exfiltrate your contacts list in one second, when one week or one month would do just fine for the attacker as long as he gets your contacts list.

    Maybe app A with WiFi, and App B with Contacts list both communicate in some covert way with App C who facilitates communication between A and B. Maybe with strange blocks of pixels that briefly appear and disappear from the screen.

    Android apps can publish and subscribe to "intents". That could be used as a covert way to communicate.

    Or manipulate some global state in a way that could be used to communicate. How long and how often a wakelock is used to send packets of dot-dit messages of short and long wakelocks. Or maybe one app quickly consumes and then releases a huge amount of some system resource such as memory or storage.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 0) by Anonymous Coward on Tuesday September 12 2017, @06:01PM (2 children)

      by Anonymous Coward on Tuesday September 12 2017, @06:01PM (#566884)

      None of which require a "library".

      There's an unregulated communication channel, unrelated to using a library or dynamic linking.

      • (Score: 2) by Nerdfest on Tuesday September 12 2017, @06:36PM (1 child)

        by Nerdfest (80) on Tuesday September 12 2017, @06:36PM (#566900)

        That's what this is looking like to me as well. One app just registers as an intent listener and the other fires the info across that way. I don't think this is using arbitrary shared library instances. I could be wrong.

        • (Score: 2) by DannyB on Wednesday September 13 2017, @05:28PM

          by DannyB (5839) Subscriber Badge on Wednesday September 13 2017, @05:28PM (#567306) Journal

          It doesn't *require* a library. But the point of a library is that the author of the App is Unaware of the nefarious code buried in his app. The library author is trying to take advantage of two different Apps, by two different authors, having a set of privileges that when combined yield some capability to do harm that neither app alone could accomplish -- and unbeknownst to either app's author, and possibly to the Google Play store.

          --
          People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 0) by Anonymous Coward on Tuesday September 12 2017, @07:20PM

      by Anonymous Coward on Tuesday September 12 2017, @07:20PM (#566926)

      so wait, why would something with wifi permissions need access to my contact list? wouldnt the application that I am using to read from the list need access to the content list, then the application relies on the OS, which then would have the permissions to determine what method to connect to a network would be?

      shouldnt the contact list be at least that many steps removed from the network interface? what happened to the OSI model? it is not perfect and tcp ip doesn't match, but who in their right mind would

      ha silly me. we have iot things too, i forgot