
Picker Blinder: a framework for automatic injection of malicious inter-app communication

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

Malware writers, aiming to elude the detection mechanisms implemented by current commercial and free anti-malware, keep developing new and more aggressive attack paradigms. Current anti-malware suffer from two main limitations. The first is that they are not able to detect zero-day malware: to mark an application as malware they need to know the signature of its malicious payload. The second is that they scan only one application at a time: this is why a type of malware characterized by a colluding attack, where the malicious behaviour is divided between several applications, can never be detected. To demonstrate the ineffectiveness of current anti-malware in detecting colluding attacks, in this paper we design a method aimed at automatically injecting a malicious payload into two or more different Android applications. We implemented the proposed method in a framework that we called Picker Blinder. In a nutshell, Picker Blinder is able to inject a collusive malicious payload exploiting two different channels (i.e., SharedPreferences and Sockets), allowing the attacker to gather sensitive and private information stored on the infected device. We perform an experimental analysis by submitting 398 colluding applications to 79 different anti-malware, showing that current detection mechanisms are not able to detect this kind of threat.
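The abstract's core point is that a scanner which judges one application at a time cannot see a payload whose source (reading private data) and sink (sending it out) live in two different apps joined by an inter-app channel. The following is an added illustration, not code from the paper or from the Picker Blinder framework: it models each app as a constructed set of static-analysis feature labels (a hypothetical vocabulary, not the output of any real tool) and contrasts a per-app rule with a pairwise rule that correlates the write side and read side of a SharedPreferences or local-socket channel across apps, i.e. the kind of cross-app correlation a single-app scanner lacks.

```python
"""Why per-app scanning misses a colluding pair (added illustration).

Each app is summarised as a set of feature labels. The labels, the apps
and the channel vocabulary are all constructed for this example; they are
not produced by any real analyser and do not describe real packages.
"""
from itertools import permutations

# Constructed feature vocabulary (assumption: a static analyser emits these).
SENSITIVE_SOURCES = {"read_contacts", "read_sms", "read_location"}
NETWORK_SINKS = {"http_post", "socket_send_remote"}

# Inter-app channels as (write-side feature, read-side feature).
# These mirror the two channels named in the abstract.
CHANNELS = {
    "sharedprefs": ("sharedprefs_write_shared", "sharedprefs_read_shared"),
    "socket": ("local_socket_send", "local_socket_recv"),
}

# Constructed sample corpus: package names are placeholders.
APPS = {
    "com.example.notes": {"read_contacts", "sharedprefs_write_shared"},
    "com.example.weather": {"sharedprefs_read_shared", "http_post"},
    "com.example.game": {"local_socket_recv", "socket_send_remote"},
    "com.example.torch": {"read_location", "local_socket_send"},
    "com.example.benign": {"http_post"},
    "com.example.classic": {"read_sms", "http_post"},
}


def single_app_verdict(features):
    """Per-app rule: flag an app only if it alone both reads sensitive
    data and exfiltrates it. This is the one-application-at-a-time view."""
    return bool(features & SENSITIVE_SOURCES) and bool(features & NETWORK_SINKS)


def scan_one_at_a_time(apps):
    """Apply the per-app rule to every app; returns sorted flagged names."""
    return sorted(name for name, feats in apps.items() if single_app_verdict(feats))


def find_colluding_pairs(apps):
    """Pairwise rule: app A reads sensitive data and writes to a channel
    that app B reads from before exfiltrating. Returns sorted
    (source_app, sink_app, channel) tuples."""
    hits = []
    for a, b in permutations(apps, 2):
        feats_a, feats_b = apps[a], apps[b]
        # A must be a data source and B a network sink.
        if not (feats_a & SENSITIVE_SOURCES) or not (feats_b & NETWORK_SINKS):
            continue
        # The two must share a channel in the right direction.
        for chan, (write_feat, read_feat) in CHANNELS.items():
            if write_feat in feats_a and read_feat in feats_b:
                hits.append((a, b, chan))
    return sorted(hits)


if __name__ == "__main__":
    print("per-app scan flags:", scan_one_at_a_time(APPS))
    print("pairwise scan flags:", find_colluding_pairs(APPS))
```

Run stand-alone, the per-app rule flags only the app that reads and sends on its own, while the pairwise rule additionally surfaces the two constructed source/sink pairs joined through SharedPreferences and a local socket. In practice the feature labels would come from a real static analysis of the APKs and the pairing would need to consider which apps are actually co-installed, but the structural gap is the same: detection of collusion requires reasoning over more than one app at once.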




Notes

  1. https://developer.android.com/training/data-storage/shared-preferences

  2. https://developer.android.com/reference/packages

  3. https://developer.android.com/guide/topics/permissions/overview

  4. https://developer.android.com/guide/topics/manifest/manifest-intro

  5. https://developer.android.com/reference/android/app/Activity

  6. https://source.android.com/security/app-sandbox

  7. https://github.com/StefanoFagnano/PickerBlinder

  8. https://www.virustotal.com/gui/home/upload

  9. https://virusscan.jotti.org/it


Acknowledgements

This work has been partially supported by EU DUCA, EU CyberSecPro, SYNAPSE, PTR 22-24 P2.01 (Cybersecurity) and SERICS (PE00000014) under the MUR National Recovery and Resilience Plan funded by the EU - NextGenerationEU projects.

Corresponding author

Correspondence to Francesco Mercaldo.


Appendix: Malicious payload

Figures h and i (payload listings; images not reproduced here)

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article


Cite this article

Casolare, R., Fagnano, S., Iadarola, G. et al. Picker Blinder: a framework for automatic injection of malicious inter-app communication. J Comput Virol Hack Tech 20, 331–346 (2024). https://doi.org/10.1007/s11416-023-00510-0


  • DOI: https://doi.org/10.1007/s11416-023-00510-0
