AppHolmes: Detecting and Characterizing App Collusion among Third-Party Android Markets

Background activities on smartphones are essential to today's "always-on" mobile device experience. Yet there is no clear understanding of the cooperative behaviors among background activities, nor a quantification of their consequences. In this paper, we present the first in-depth study of app collusion, in which one app surreptitiously launches others in the background without the user's awareness. To enable the study, we develop AppHolmes, a static analysis tool that detects app collusion by examining app binaries. By analyzing 10,000 apps from top third-party app markets, we found that i) covert, cooperative behaviors in background app launch are surprisingly pervasive, ii) most collusion is caused by shared services, libraries, or common interests among apps, and iii) collusion has a serious impact on performance, efficiency, and security. Overall, our work has strong implications for future mobile system design.
