How shared Android libraries could be weaponized for data theft

Android users know the routine: download an app and a box appears asking for permission to talk to other apps. Knowing that the app needs that access to work properly, the user clicks “OK” without a second thought. But what happens when one app abuses that access to tamper with another?

The answer, according to Oxford University researchers Vincent Taylor, Alastair Beresford and Ivan Martinovic, is that the Android device itself can be compromised and the user’s data stolen. They call this kind of attack intra-library collusion (ILC) and describe it this way in a paper they published on August 11:

This attack occurs when a single library embedded in more than one app on a device leverages the combined set of permissions available to it to pilfer sensitive user data. The possibility for intra-library collusion exists because libraries obtain the same privileges as their host app and popular libraries will likely be used by more than one app on a device.

The researchers say they used a dataset of more than 30,000 smartphones and found that many popular third-party libraries have the potential to aggregate significant sensitive data from devices by using intra-library collusion. Several popular libraries already collect enough data to facilitate this attack, they wrote, adding:

Individual libraries obtain greater combined privileges on a device by virtue of being embedded within multiple apps, with each app having a distinct set of permissions granted.

They also analyzed 15,000 popular apps (those with more than a million downloads each). Among other things, they found that the .com/facebook library was most popular – used in 11.9% of the apps they reviewed. Libraries for Google Analytics (9.8 %) and Flurry (6.3 %) were widespread as well.

Also see: SophosLabs report examines Top 10 Android malware

They also found that in general, advertiser libraries “leak sensitive data from a device up to 2.4 times a day and that the average user has their personal data sent to 1.7 different ad servers per day.”

Who benefits?

One question the researchers sought to answer was who would benefit from exploiting libraries and apps this way. The answer, they believe, is the advertising and analytics industry. They wrote:
Given the guile shown by ad libraries and ad networks in general, we believe that this may be a very attractive attack, especially considering that it would be hard to prove that it was happening. Given the fierce competition in the advertising and analytics space, any additional signals about users that can be leveraged from data that is already being collected can improve an ad network’s Intra-Library Collusion.
Even if this improvement is a small one, when translated to the app ecosystem of millions of apps and billions of devices, ILC has the potential to generate (or is already generating) a windfall for ad networks.

What to do?

The ultimate question is how to protect oneself from this threat. The researchers admitted there are no easy answers. Simply revoking privileges won’t solve the problem because advertisers will have more trouble targeting ads, making them less likely to use libraries. App developers also stand to lose revenue, making it highly unlikely they’d do such a thing.

Governments could also enact legislation to force ethical behavior, or major app providers could sharpen their developer policies. But those are limited options because, as the researchers noted, the bad guys work around the rules as a matter of routine.

Our advice, for now: when you download an app and it seeks permission to access certain phone features and libraries, think hard about whether it’s an app you truly need.

Also, the continued presence of malicious Android apps demonstrates the need to use Android antimalware such as our free Sophos Mobile Security for Android.

By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.

In the bigger picture, the average Android user isn’t going to know what techniques the malware used to reach their device’s doorstep, whether it’s intra-library collusion or something else. But they can do much to keep it from getting in – especially when it comes to the apps they choose. To that end, here’s some more general advice:

  • Stick to Google Play. It isn’t perfect, but Google does put plenty of effort into preventing malware arriving in the first place, or purging it from the Play Store if it shows up. In contrast, many alternative markets are little more than a free-for-all where app creators can upload anything they want, and frequently do.
  • Avoid apps with a low reputation. If no one knows anything about a new app yet, don’t install it on a work phone, because your IT department won’t thank you if something goes wrong.
  • Patch early, patch often. When buying a new phone model, check the vendor’s attitude to updates and the speed that patches arrive. Why not put “faster, more effective patching” on your list of desirable features, alongside or ahead of hardware advances such as “better camera” and “higher-res screen”?