# Detection of App Collusion Potential Using Logic Programming

**Authors:** Jorge Blasco, Thomas M. Chen, Igor Muttik, Markus Roggenbach

arXiv: 1706.02387 · 2017-06-09

## TL;DR

This paper introduces a logic programming-based method to detect potential app collusion in Android, effectively filtering large datasets to identify suspicious app sets for further analysis.

## Contribution

The paper presents a novel filtering approach using first-order logic in Prolog to efficiently identify potential colluding app sets in large-scale Android datasets.

## Key findings

- Successfully detected colluding apps in a dataset of over 50,000 apps.
- Identified real-world apps using collusion to synchronize malicious payloads.
- Validated the approach against manually crafted colluding apps.

## Abstract

Android is designed with a number of built-in security features such as app sandboxing and permission-based access controls. Android supports multiple communication methods for apps to cooperate. This creates a security risk of app collusion. For instance, a sandboxed app with permission to access sensitive data might leak that data to another sandboxed app with access to the internet. In this paper, we present a method to detect potential collusion between apps. First, we extract from apps all information about their accesses to protected resources and communications. Then we identify sets of apps that might be colluding by using rules in first-order logic codified in Prolog. After this, more computationally demanding approaches like taint analysis can focus on the identified sets that show collusion potential. This "filtering" approach is validated against a dataset of manually crafted colluding apps. We also demonstrate that our tool scales by running it on a set of more than 50,000 apps collected in the wild. Our tool allowed us to detect a large set of real apps that used collusion as a synchronization method to maximize the effects of a payload that was injected into all of them via the same SDK.
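The filtering step described in the abstract can be sketched as a small Prolog program. This is an added example, not the paper's rule set: the predicate names (`uses/2`, `sends/2`, `receives/2`, `collusion_potential/1`), the app names and the channel identifiers are all constructed for illustration, and the rule covers only the leak scenario the abstract mentions (sensitive read in one app, internet access in another).

```prolog
:- use_module(library(lists)).

% Constructed facts, standing in for what a static extractor would emit per app.
% uses(App, Permission): the app can access a protected resource.
uses(contacts_widget, read_contacts).
uses(flashlight,      read_sms).
uses(weather_feed,    internet).
uses(notes,           internet).

% sends(App, Channel): the app writes to an inter-app channel.
sends(contacts_widget, intent('com.example.SYNC')).
sends(relay,           shared_prefs('cache.xml')).
sends(flashlight,      intent('com.example.TORCH')).

% receives(App, Channel): the app reads from an inter-app channel.
receives(relay,        intent('com.example.SYNC')).
receives(weather_feed, shared_prefs('cache.xml')).

% Assumed classification of permissions (hypothetical, kept tiny on purpose).
sensitive(read_contacts).
sensitive(read_sms).
exfiltrates(internet).

% comm(A, B): A can hand data directly to a different app B over a shared channel.
comm(A, B) :- sends(A, Ch), receives(B, Ch), A \== B.

% path(A, B, Path): data can flow from A to B through a chain of apps,
% never visiting the same app twice (guarantees termination on cycles).
path(A, B, Path) :- walk(A, B, [A], Rev), reverse(Rev, Path).

walk(A, B, Seen, [B|Seen]) :-
    comm(A, B), \+ memberchk(B, Seen).
walk(A, B, Seen, Out) :-
    comm(A, M), \+ memberchk(M, Seen),
    walk(M, B, [M|Seen], Out).

% collusion_potential(Path): the first app can read sensitive data, the last
% app can send data off the device, and a communication chain links them.
% A hit is only a candidate set to pass on to taint analysis, not a verdict.
collusion_potential(Path) :-
    uses(Src, P), sensitive(P),
    uses(Dst, Q), exfiltrates(Q),
    Src \== Dst,
    path(Src, Dst, Path).
```

Load the file in a Prolog system such as SWI-Prolog and run `?- collusion_potential(Path).` to enumerate the candidate app sets; apps with a sensitive permission but no receiving peer on their channel produce no solution.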

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1706.02387/full.md

## Figures

11 figures with captions in the complete paper: https://tomesphere.com/paper/1706.02387/full.md

## References

26 references — full list in the complete paper: https://tomesphere.com/paper/1706.02387/full.md

---
Source: https://tomesphere.com/paper/1706.02387