Submitted via IRC for SoyCow1937
A team of Oxford and Cambridge researchers is the latest to join a chorus of voices sounding the alarm on a new attack vector named Intra-Library Collusion (ILC) that could make identifying Android malware much harder in the upcoming future.
The research team has described the ILC attack vector in a research paper released last month and named "Intra-Library Collusion: A Potential Privacy Nightmare on Smartphones."
An ILC attack relies on threat actors using libraries to deliver malicious code, instead of standalone Android apps packed with all the malicious commands.
Apps usually require permissions for all the operations they need to perform. An ILC attack relies on spreading the malicious actions across several apps that use the same library(ies).
Each app gets different permissions, and malicious code packed in one app could use shared code from other apps — with higher privileges — to carry out malicious operations.
The advantage — for malware authors — is that investigators analyzing a compromised devices would see the breadth of malicious activities, but would exclude certain apps as the infection's source because they do not possess all the permissions needed to execute the attack.
(Score: 2) by maxwell demon on Tuesday September 12 2017, @08:07PM (1 child)
Code sharing doesn't lead to privilege escalation. On a normal Linux system, the user binaries share the complete C library (and quite a few others) with services running as root, without allowing me to gain root privileges that way.
But that is completely unrelated to dynamic linking. Passing data that way requires data memory sharing, not code memory sharing.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by frojack on Tuesday September 12 2017, @10:55PM
Which suggests the hand wringing worry about detecting this new attack vector may be overwrought, and this is not an un solvable problem. You would have to look for data writes to on-device locations that might be accessible to multiple libraries.
There can be several mechanism whereby something is written by one library in a place the other library knows how to get at it. That place could be somewhere in memory on the device, or somewhere on the internet. TFA suggests multiple separate apps each having one or more privileges that can be combined to steal information. But these actions don't have to happen all at the same time, nor have data stored all on the same device, or even on the same remote mother-ship spy site. You could use meaningless file names, hidden files, or simply open unix sockets (or internet sockets) and pass data that way.
Then you sit back and wait for joe user to install the second, or third, app, until you have assembled your entire attack vector out of pieces and parts.
No, you are mistaken. I've always had this sig.