Wild Android Collusions

Wednesday 5 October 11:30 - 12:00, Red room

Prof. Igor Muttik (Intel Security)
Jorge Blasco (London City University)

In this paper, we describe, analyse and demonstrate how a set of Android apps can, when working together, break the current Android security model. Sadly, Android OS does not have good mechanisms to prevent apps' cooperation for malicious purposes. Such a set of apps may perform actions beyond the limitations set by the OS. Colluding apps create a problem both for users' privacy and their security. Unfortunately, these capabilities can easily go unnoticed because apps are typically analysed individually.

We discovered that app collusion had actually been going on in the field for quite a long time and without being detected - in a large group of applications which use the MoPlus SDK. This SDK has been known to be risky and potentially harmful since November 2015 – it opens a local HTTP server on the user device which enables a C&C operator to perform operations like sending arbitrary intents, obtaining sensitive user information and silently installing apps in rooted devices.

We divulge how different MoPlus-based apps running on the same device talk to each other to determine which one has the highest privileges (the most permissions). This app alone will execute the local HTTP server and receive commands from the C&C server. This is a clear and deliberate violation of the Android OS rules. The MoPlus SDK is known to be included in more than 1,000 applications, including apps that have not been developed by Baidu (the original developer of the SDK). We will explain the colluding behaviour of the MoPlus SDK in detail and how the versions of the SDK have evolved over time.

This important discovery is the first known case of malicious app collusion in the wild. It demonstrates significant risk of using third-party code — ad libraries and external SDKs  especially when they are closed-source or not fully trusted. The problem is not specific to Android, and we will discuss avenues of introducing collusions into susceptible platforms, and talk about mitigations.

Click here for more details about the conference.


Prof. Igor Muttik

Prof. Igor Muttik (PhD) started researching computer malware in the 1980s when the anti-virus industry was in its infancy. He is based in the UK and worked as a virus researcher for Dr. Solomon’s Software. From 1998 he ran McAfee's malware research in EMEA and switched to his architectural role in 2002. He takes particular interest in applied security research and design of new security software and hardware. Igor holds a Ph.D. degree in physics and mathematics from the Moscow University. He is a regular speaker at major international security conferences and is a co-author of three books, more than 100 publications and more than 25 patents. Igor has worked for Intel Corporation since McAfee was acquired in 2011.


 Jorge Blasco

Dr. Jorge Blasco obtained his Ph.D. from University Carlos III of Madrid in 2012. His dissertation was focused in the field of information security and insider threats. He is an active Android and iOS app developer with several apps being available in both OS official markets, related to steganography. After obtaining his Ph.D., Jorge worked as an assistant lecturer in University Carlos III of Madrid. In 2014, he moved to City University London, where he works now as a research fellow in a project about application collusion. His main research interests include mobile malware, steganography and covert channels. He has published several research papers in international conferences and journals.


Markus Roggenbach

Markus Roggenbach is Professor of Computer Science at Swansea University. He is an internationally recognised expert in Formal Methods, especially on semantics, methodology, tools, and formal testing. He is chair of the IFIP WG 1.3 "Foundations of System Specification".  He has significant experience of technology transfer through regular co-operations with industry, including Siemens, Rolls-Royce and Intel Security.