Home » R&I Project Hub » CyberSANE » Project White Papers » Android Collusion: Detecting Malicious Applications Inter-Communication through SharedPreferences

Android Collusion: Detecting Malicious Applications Inter-Communication through SharedPreferences


Rosangela Casolare, Fabio Martinelli, Francesco Mercaldo, Antonella Santone


MDPI - Information - Special Issue New Frontiers in Android Malware Analysis and Detection



The Android platform is currently targeted by malicious writers, continuously focused on the development of new types of attacks to extract sensitive and private information from our mobile devices. In this landscape, one recent trend is represented by the collusion attack. In a nutshell this attack requires that two or more applications are installed to perpetrate the malicious behaviour that is split in more than one single application: for this reason anti-malware are not able to detect this attack, considering that they analyze just one application at a time and that the single colluding application does not exhibit any malicious action. In this paper an approach exploiting model checking is proposed to automatically detect whether two applications exhibit the ability to perform a collusion through the SharedPreferences communication mechanism. We formulate a series of temporal logic formulae to detect the collusion attack from a model obtained by automatically selecting the classes candidate for the collusion, obtained by two heuristics we propose. Experimental results demonstrate that the proposed approach is promising in collusion application detection: as a matter of fact an accuracy equal to 0.99 is obtained by evaluating 993 Android applications.

Publication Date: