Android users know the routine: download an app and a box appears asking for permission to talk to other apps. Knowing that the app needs that access to work properly, the user clicks “OK” without a second thought. But what happens when one app abuses that access to tamper with another?
The answer, according to Oxford University researchers Vincent Taylor, Alastair Beresford and Ivan Martinovic, is that the Android device itself can be compromised and the user’s data stolen. They call this kind of attack intra-library collusion (ILC) and describe it this way in a paper they published on August 11:
This attack occurs when a single library embedded in more than one app on a device leverages the combined set of permissions available to it to pilfer sensitive user data. The possibility for intra-library collusion exists because libraries obtain the same privileges as their host app and popular libraries will likely be used by more than one app on a device.
The researchers say they used a dataset of more than 30,000 smartphones and found that many popular third-party libraries have the potential to aggregate significant sensitive data from devices by using intra-library collusion. Several popular libraries already collect enough data to facilitate this attack, they wrote, adding:
Individual libraries obtain greater combined privileges on a device by virtue of being embedded within multiple apps, with each app having a distinct set of permissions granted.
They also analyzed 15,000 popular apps (those with more than a million downloads each). Among other things, they found that the .com/facebook library was most popular – used in 11.9% of the apps they reviewed. Libraries for Google Analytics (9.8 %) and Flurry (6.3 %) were widespread as well.
Also see: SophosLabs report examines Top 10 Android malware
They also found that in general, advertiser libraries “leak sensitive data from a device up to 2.4 times a day and that the average user has their personal data sent to 1.7 different ad servers per day.”
Given the guile shown by ad libraries and ad networks in general, we believe that this may be a very attractive attack, especially considering that it would be hard to prove that it was happening. Given the fierce competition in the advertising and analytics space, any additional signals about users that can be leveraged from data that is already being collected can improve an ad network’s Intra-Library Collusion.Even if this improvement is a small one, when translated to the app ecosystem of millions of apps and billions of devices, ILC has the potential to generate (or is already generating) a windfall for ad networks.
What to do?
The ultimate question is how to protect oneself from this threat. The researchers admitted there are no easy answers. Simply revoking privileges won’t solve the problem because advertisers will have more trouble targeting ads, making them less likely to use libraries. App developers also stand to lose revenue, making it highly unlikely they’d do such a thing.
Governments could also enact legislation to force ethical behavior, or major app providers could sharpen their developer policies. But those are limited options because, as the researchers noted, the bad guys work around the rules as a matter of routine.
Our advice, for now: when you download an app and it seeks permission to access certain phone features and libraries, think hard about whether it’s an app you truly need.
Also, the continued presence of malicious Android apps demonstrates the need to use Android antimalware such as our free Sophos Mobile Security for Android.
By blocking the install of malicious and unwanted apps, even if they come from Google Play, you can spare yourself lots of trouble.
In the bigger picture, the average Android user isn’t going to know what techniques the malware used to reach their device’s doorstep, whether it’s intra-library collusion or something else. But they can do much to keep it from getting in – especially when it comes to the apps they choose. To that end, here’s some more general advice:
- Stick to Google Play. It isn’t perfect, but Google does put plenty of effort into preventing malware arriving in the first place, or purging it from the Play Store if it shows up. In contrast, many alternative markets are little more than a free-for-all where app creators can upload anything they want, and frequently do.
- Avoid apps with a low reputation. If no one knows anything about a new app yet, don’t install it on a work phone, because your IT department won’t thank you if something goes wrong.
- Patch early, patch often. When buying a new phone model, check the vendor’s attitude to updates and the speed that patches arrive. Why not put “faster, more effective patching” on your list of desirable features, alongside or ahead of hardware advances such as “better camera” and “higher-res screen”?
4 comments on “How shared Android libraries could be weaponized for data theft”
What to do? Don’t use Android. Duh.
Spot-on, Billy. Yep it’s literally impossible to get malware on an Apple product.
“God himself could not crack this OS.”
Some devices do not work without these apps that require a lot of permissions(you just bought a device, now, what do you do?).
As an example, the armada of Chinese apps that are on the Play Store.
To give a more specific example, the Xiaomi apps and the associated companies(bulbs, wearables that come from different companies but under the Xiaomi brand).
To be even more specific, let’s take “Mi Fit”.
The Xiaomi Band syncs through bluetooth and the app needs to display how many steps you have done and when, that’s all that it needs to do. If you look at the permissions, you see things like:
– retrieve running apps
– directly call phone numbers
– read the contents of your USB storage
– modify or delete the contents of your USB storage
– take pictures and videos
– full network access
– run at startup
– prevent device from sleeping
– modify system settings
– read Google service configuration
If you are running Android 6.0 or later, you can revoke those app permissions after the app is installed. On my phone that is via settings (settings > apps > Application list > “app name” > Permissions.
If you revoke a permission from an app, you will get a dire warning from the system to say that the app might go wrong, but I find that in most cases the apps continue to work with reduced functionally when you remove their permission to access stuff so long as you apply common sense. For example, if you revoke access to the camera, you won’t be able to take pictures and post them from within your socal media app. Also most apps that want access to the filesystem need it to store settings an cache data, so you should not revoke that access.
For example the LinkedIn app wants access to my calendar, contacts and location, but I revoked those permissions, (so it can’t spam my freinds), but it still works just fine.