Rosangela Casolare, Fabio Martinelli, Francesco Mercaldo, Antonella Santone
Everyday born a new cyberattack and among these an emerging attack is represent by the so-called colluding. The application collusion attack is a new form of threat that is becoming widespread in mobile environment, especially in Android platform. This technique requires that two or more apps cooperate in some way with the aim to perform a malicious action that they are unable to perform independently. Detecting colluding apps is challenging problem, because currently there are no effective tools due to the search space of all possible combination of apps. In this paper we present a method exploiting model checking technique with the aim to detect a collusion attack between two applications. The method uses a heuristic function able to reduce the number of the analyzed apps and to localize the collusion attack. This heuristic function is based on the study of execution flow of an application, to identify the execution flow and verify it. The proposed algorithm verify if there is a flow of sensitive data that ends up in a shared resource and if this happens the app could be marked as potentially collusive, otherwise it is possible to exclude the app from the analysis, in order to reduce the number of apps to be analyzed. Experimental results on a data-set of Android applications show promising performances in colluding mobile app detection.