
Student: 李昱璇 (Yu-Hsuan Lee)
Thesis title: Droidivision: Vulnerability Analysis of Multiple Layer Collusion Attacks Based on Malicious Intent Simulation
English title: Droidivision: Vulnerability Analysis of Multiple Layer Collusion Attacks Using Malicious Intent Simulation
Advisor: 李漢銘 (Hahn-Ming Lee)
Committee members: 鄧惟中 (Wei-Chung Teng), 鄭博仁 (Albert B. Jeng), 鄭欣明 (Shin-Ming Cheng), 廖弘源
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2015
Academic year of graduation: 103
Language: English
Pages: 56
Chinese keywords (translated): Android smartphone security, vulnerability analysis, privilege escalation, collusion attacks
Keywords: vulnerability analysis, privilege escalation attacks, trust propagation
Access counts: 241 views, 6 downloads
  • Among the many smartphone operating systems, Android has become increasingly popular. With its high adoption, more and more mobile applications are downloaded, bringing large profits to the Android platform. The Android system has therefore become an attractive attack target, and the growth of malware is especially marked: existing Android malware samples have reached 650,000. Although Android's defence is the permission mechanism, improper use of ICC communication between applications leads to privilege escalation, in which an application that has not been granted a sensitive permission triggers another component that has been granted that permission to communicate and pass data on its behalf. In recent years, collusion attacks have become one form of privilege escalation. A collusion attack is carried out by a group of applications that together accomplish the colluding goal. Current defensive software has difficulty detecting the malicious behaviour of a single colluding application. Past research mainly restricted communication by checking the permissions of a pair of applications. However, such defences cannot withstand multiple layer collusion attacks, which distribute the malicious behaviour across several colluding applications so that no single application contains a complete malicious behaviour or a sensitive path for the defence to detect.
    We propose Droidivision, a vulnerability detection method for multiple layer collusion attacks that analyses whether the applications installed on a user's phone are vulnerable to possible colluding behaviour. Unlike approaches that check the phone's communication and permissions, our method builds the API relationship structure of malware to simulate possible malicious colluding behaviour, and detects combinations of multiple layer colluding applications and their malicious intents on the user's phone. We collected potential partial colluding behaviours from malware families and examined 2,000 benign applications downloaded from Google Play, finding that 74% of them exhibit suspicious colluding behaviour. Our method can help refine the collusion defence strategies of existing permission-based and ICC-based detection mechanisms, reduce their false-positive rate, and point out the latent colluding behaviours and malicious intents of colluding applications in order to resist multiple layer collusion attacks.


    Among the various smartphone operating systems, Android has become more and more popular. With its large user base, there are over 50 billion downloaded apps, and the Android platform has generated high profits, which has attracted cyber criminals and increased Android malware at an alarming rate; Android malware samples now number over 650,000. Although the Android security mechanism is based on the permission model, applications that improperly use inter-component communication (ICC) enable privilege escalation attacks, in which an unprivileged application performs operations by invoking other applications that hold the required privileges. The collusion attack is a recent form of privilege escalation attack: it is composed of colluding applications working together, and it is difficult to detect because the malicious behavior is incomplete in any one colluding application. Previous research restricted communication based on the permissions of a pair of applications. Unfortunately, such detection systems have low resistance to multiple layer collusion attacks, in which the malicious behavior is divided into several parts, each requiring fewer permissions. The colluding applications escape malware detection through incomplete malicious behaviors and the absence of sensitive paths.
    In this paper, we provide a vulnerability analysis system named Droidivision that analyzes the colluding behaviors of applications against multiple layer collusion attacks. Droidivision can help Android users check whether their applications are vulnerable to multiple layer collusion attacks. Additionally, our approach no longer focuses only on inter-component communication and permissions between colluding applications. We trace the relationship between sensitive API calls and inter-component communication by constructing the main malicious intent of each malware family as an API Invocation Graph. Droidivision simulates the malicious intents of malware families to identify the potential colluding behaviors of colluding applications on the smartphone against multiple layer collusion attacks. Our experiments check 2,000 applications from Google Play against the colluding behaviors of malware families. The proposed approach detects a total of 74% vulnerable applications that exhibit the colluding behaviors of known malicious intents. The results show that the collected benign applications contain partial malware source or sink behaviors, from which multiple layer collusion attacks could arise. We also provide three case studies presenting potential colluding applications that perform the colluding behaviors of three kinds of malicious intent. Compared with existing permission-based and inter-component-communication-based collusion detection policies, which may trigger a large number of false alerts on benign app pairs, our approach efficiently points out the colluding behaviors of benign apps against multiple layer collusion attacks.

    Table of contents (thesis page numbers in parentheses):
    ABSTRACT (iii)
    1 INTRODUCTION (1)
    1.1 Motivation (4)
    1.2 Challenges and Goals (6)
    1.3 Contributions (7)
    1.4 The Outline of Thesis (8)
    2 BACKGROUND (9)
    2.1 Android (9)
    2.1.1 Inter component communication (ICC) (10)
    2.1.2 Intent (11)
    2.2 Sensitive Permissions of APIs (12)
    2.2.1 Permission (12)
    2.2.2 APIs (13)
    2.2.3 Permissions mapping APIs (13)
    2.3 Application-Level Privilege Escalation Attacks (14)
    2.3.1 Kernel exploit attacks (15)
    2.3.2 Confused deputy attacks (16)
    2.3.3 Collusion attacks (17)
    2.3.4 Multiple layer collusion attacks (18)
    2.4 App-Repackaging Attacks (19)
    2.5 Android Security Extensions and Tools (20)
    2.6 New Android Framework for Preventing Privilege Escalation Attacks (21)
    2.7 Current Problems (23)
    3 Description of Droidivision (25)
    3.1 System Architecture of Droidivision (26)
    3.2 Learning Module of Droidivision (27)
    3.2.1 API invocation graph generator (28)
    3.2.2 API relationship reconstructor (32)
    3.2.3 Source/sink path mapping (32)
    3.2.4 Broken Intent Division (BID) (34)
    3.2.5 Colluding behavior generator (37)
    3.3 Analysis Module of Droidivision (37)
    4 EXPERIMENT (39)
    4.1 Environment Design and Dataset (39)
    4.1.1 Experiment concept and description (40)
    4.1.2 Dataset description (40)
    4.2 Effectiveness Analysis (41)
    4.2.1 Collusion behaviors analysis with applications in Google Play (43)
    4.2.2 Case studies (43)
    4.3 Discussion (45)
    4.4 Limitations (46)
    5 CONCLUSIONS and FUTURE WORK (48)
    5.1 Conclusions (48)
    5.2 Future Work (49)
