# Detecting Colluding Inter-App Communication in Mobile Environment

^{1}

^{2}

^{3}

^{*}

^{†}

## Abstract

**:**

## 1. Introduction

- -
- with the SharedPreferences, it is possible to store key–value pairs of data, configuration, and preferences. So an application can save some settings (containing data information) into a shared preference file, which could be read by the receiving application;
- -
- with the ExternalStorage, we consider the ability to store the information in a file. In this case, for example, an application can read data and send them to a second application via an intent. The second application, using the external storage, can send the data though an external network (for instance, Internet);
- -
- with the BroadcastReceiver, it is possible to be notified of an event occurrence at the system level (e.g., receiving an SMS). It is useful for the instant management of special events. Broadcast receivers respond to broadcast messages sent using Intent objects, which can come from the same application or from others applications installed on the device. So, with this component, it is possible to have applications that receive data both via broadcast receivers and SMS messages [10];
- -
- with the RPC, it is possible for an Android application to call a method to execute in a different address space (typically on another Android application), which is coded as if it were a normal (i.e., local) procedure call, without the developer explicitly coding the implementations for the remote interaction: the developer writes the same code whether the subroutine is local to the executing application or remote. Android provides several distinctive components, for instance, Activity and Service, which are able to perform this kind of communication by also sharing data between these components. In this attack, the collusion happens when an Android component (for instance an Activity) starts a component in another application (by invoking a Service in the second application) by also sharing data between the Activity and the Service components.

- -
- in this paper, we consider the detection of four colluding attacks (i.e., SharedPreferences, ExternalStorage, BroadcastReceiver, and RPC) whereas the work in [18] focused only on the SharedPreferences colluding attack. This represents the main contribution of the work and, at the best of knowledge authors, this is the first contribution devoted to the detection of these four different harmful colluding attacks;
- -
- we propose an algorithm for the automatic detection of collusion. The authors in [18] propose a set of manually designed properties for the detection of SharedPreferences collusion. In this work, we propose an algorithm for the automatic generation of properties for the detection of whether two or more applications are performing a colluding attack through SharedPreferences, ExternalStorage, BroadcastReceiver, or RPC;
- -
- the proposed method can also detect colluding attacks performed by more than two applications, whereas the method in [18] can detect collusion between only two applications. This is important, as colluding attacks are usually perpetrated by more than two applications [16,19] in order to have more chances to activate the malicious behavior;
- -
- we developed and evaluated 20 (10 aimed to send data and the remaining 10 for data receiving) Android applications performing a colluding attack by exploiting the RPC communication channel;
- -
- we experimented with an extended set of colluding and not-colluding Android applications to evaluate the proposed method, also taking into account the colluding applications aimed to share information by exploiting ExternalStorage, BroadcastReceiver, and RPC, and we obtain better performance-related results as compared to [18], where an accuracy equal to 0.99 is obtained; our proposed method reaches an accuracy equal to 1.

## 2. Model Checking Background

**Done**rule, shown in (2) in Table 1, the process can perform $\delta $ and then reaches a deadlocked state.

**Act**rule, shown in (3) in Table 1, the process $\alpha .p$ can perform the action $\alpha $ to become the process p.

**Seq${}_{1}$**and

**Seq${}_{2}$**rules represent the sequentialization of two processes, as shown in (4) and (5) in Table 1. The q process can start its execution only when the p process has terminated its execution by performing the $\delta $ action.

**Sum**rule, shown in (6) in Table 1, states that p and q are alternative choices for the behavior of $p+q$. The operator ∥ expresses the parallel execution. The

**Par**rule, shown in (7) in Table 1, shows how processes in a parallel composition can behave autonomously: if the process p performs $\alpha $ and becomes ${p}^{\prime}$, then $p\parallel q$ performs $\alpha $ and becomes ${p}^{\prime}\parallel q$ (similarly for q). When

**Com${}_{1}$**and

**Com${}_{2}$**rules (shown in (8) and (9) in Table 1) is used, we say that a handshake occurs. A handshake occurs only if two processes can simultaneously execute the complementary actions; the handshake results in an internal communication (the action $\tau $). When both possesses p and q have terminated their execution, the $p\parallel q$ process becomes $DONE$. The operator $\backslash L$, in the

**Res**rule (shown in (9) in Table 1), prevents actions in ${L}^{+}$ to be done: if p can perform $\alpha $ to become ${p}^{\prime}$, then $p\backslash L$ can perform $\alpha $ to become ${p}^{\prime}\backslash L$ only if $\alpha \notin {L}^{+}$. In the

**Rel**rule, the operator $\left[f\right]$ renames actions by means of the relabeling function f: if p can perform $\alpha $ to become ${p}^{\prime}$, then $p\left[f\right]$ can perform $f\left(\alpha \right)$ to become ${p}^{\prime}\left[f\right]$. Finally, a constant x behaves as p if $x\underset{}{\overset{\mathrm{def}}{=}}p$ as stated in the rule

**Con**, (shown in (12) in Table 1). Roughly speaking, the

**Con**rule states that a process behaves like its definition.

- -
- -
- a state satisfies ${\varphi}_{1}\vee {\varphi}_{2}$ (${\varphi}_{1}\wedge {\varphi}_{2}$) if it satisfies ${\varphi}_{1}$ or (and) ${\varphi}_{2}$ (as shown by (15) in Table 2).
- -
- ${\left[K\right]}_{}\varphi $ and ${\langle K\rangle}_{}\varphi $ are the modal operators (as shown by (17) and (18) in Table 2): ${\left[K\right]}_{}\varphi $ is satisfied by a state, which, for every performance of an action in K, evolves in a state obeying $\varphi $; while ${\langle K\rangle}_{}\varphi $ is satisfied by a state, which can evolve to a state obeying $\varphi $ by performing an action in K.

## 3. Colluding Inter-App Communication Detection

Listing 1. CCS process for Listing 1. | ||

proc P1 | = | store .M2 |

proc P2 | = | load .M3 |

proc P3 | = | return . nil |

Listing 2. CCS process for Listing 2. | ||

proc P1 | = | dup .M2 |

proc P2 | = | invokesubstring .M3 |

proc P3 | = | pushConstant .M4 |

proc P4 | = | newStringBuilder .M5 |

proc P5 | = | invokeinit .M6 |

proc P6 | = | pop .M7 |

proc P7 | = | return . nil |

- -
- when an application executes a PUT action on a shared resource, the formula (Table 3—$Formula\_SP\_PUT$) results true if the following actions are performed: invokegetSharedPreferences, invokeedit, invokeputString/invokeputInt/invokeputFloat, and invokecommit;
- -
- when instead an application executes a GET action on a shared resource, the formula (Table 3—$Formula\_SP\_GET$) results true if the following actions are performed: invokegetSharedPreferences, invokegetString/invokegetInt/invokegetFloat.

- -
- when an application executes a PUT action on a shared resource, the formula (Table 4—$Formula\_ES\_PUT$) results true if the following actions are performed: invokegetExternalStorageDirectory and invokewrite;
- -
- when instead an application executes a GET action on a shared resource, the formula (Table 4—$Formula\_ES\_GET$) results true if the following actions are performed: invokegetExternalStorageDirectory and invokereadFully.

- -
- when an application executes a PUT action on a shared resource, the formula (Table 5—$Formula\_BR\_PUT$) results true if the following actions are performed: invokeputExtra, invokesendBroadcast;
- -
- when instead an application executes a GET action on a shared resource, the formula (Table 5—$Formula\_BR\_GET$) results true if the following actions are performed: invokegetStringExtra, invokestart.

- -
- when an application executes a PUT action on a Remote Procedure Call (RPC) channel, the formula (Table 6—$Formula\_RPC\_PUT$) results true if the following actions are performed: invokeputExtra, invokestartService;
- -
- when instead an application executes a GET action on a RPC channel, the formula (Table 6—$Formula\_RPC\_GET$) results true if the following actions are performed: invokegetStringExtra and invokevirtual.

Listing 3. CCS process for Listing 3. | ||

proc M1 | = | invokeinit .M2 |

proc M2 | = | invokegetExternalStorage .M3 |

proc M3 | = | pushConstant1 .M4 |

proc M4 | = | store .M5 |

proc M5 | = | pushConstant2 .M6 |

proc M6 | = | load .M7 |

proc M7 | = | pushConstant3 .M8 |

proc M8 | = | invokewrite .M9 |

proc M9 | = | return . nil |

Listing 4. CCS process for Listing 4. | ||

proc M1 | = | t .M2 |

proc M2 | = | invokegetExternalStorage .M3 |

proc M3 | = | pushConstant1 .M4 |

proc M4 | = | t .M5 |

proc M5 | = | pushConstant2 .M6 |

proc M6 | = | t .M7 |

proc M7 | = | pushConstant3 .M8 |

proc M8 | = | t .M9 |

proc M9 | = | t . nil |

- -
- with regard to the SharedPreferences, we consider the $invokegetSharedPreferences$ and the push under analysis;
- -
- with regard to the ExternalStorage, we consider the $invokegetExternalStorage$ and the push under analysis;
- -
- with regard to the BroadcastReceiver, we consider the $invokeputExtra$, $invokeSendBoradcast$ (for the PUT property), $invokeStringExtra$, and $invokeStart$ (for the GET property);
- -
- with regard to the RemoteProcedureCall, we consider the $invokeputExtra$, $invokestartService$ (for the PUT property), $invokegetStringExtra$, and $invokevirtual$ (for the GET property).

## 4. Experimental Analysis

#### 4.1. The Real-World Android Data-Set

#### 4.2. Results

## 5. State-Of-The-Art Literature

- -
- the covert storage channel hides the secret information in the data transmission protocol and achieves covert communication using payload or non-payload fields:
- -
- the covert timing channel encodes the secret information and achieves the covert communication using the time gap between packets.

## 6. Conclusions and Future Work

## Author Contributions

## Funding

## Conflicts of Interest

## References

- Enck, W.; Gilbert, P.; Han, S.; Tendulkar, V.; Chun, B.G.; Cox, L.P.; Jung, J.; McDaniel, P.; Sheth, A.N. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. (TOCS)
**2014**, 32, 1–29. [Google Scholar] [CrossRef] - Arabo, A.; Pranggono, B. Mobile malware and smart device security: Trends, challenges and solutions. In Proceedings of the 2013 19th International Conference on Control Systems and Computer Science, Bucharest, Romania, 29–31 May 2013; IEEE: New York, NY, USA, 2013; pp. 526–531. [Google Scholar]
- Enck, W. Defending users against smartphone apps: Techniques and future directions. In Proceedings of the International Conference on Information Systems Security, 15–19 December 2011, Kolkata, India; Springer: Berlin/Heidelberg, Germany, 2011; pp. 49–70. [Google Scholar]
- Arabo, A.; Brown, I.; El-Moussa, F. Privacy in the age of mobility and smart devices in smart homes. In Proceedings of the 2012 International Conference on Privacy, Security, Risk and Trust and 2012 International Confernece on Social Computing, Amsterdam, The Netherlands, 3–5 September 2012; IEEE: New York, NY, USA, 2012; pp. 819–826. [Google Scholar]
- Nguyen, T.; Mcdonald, J.; Glisson, W.; Andel, T. Detecting Repackaged Android Applications Using Perceptual Hashing. In Proceedings of the 53rd Hawaii International Conference on System Sciences, Maui, HI, USA, 7–10 January 2020. [Google Scholar]
- Cimitile, A.; Mercaldo, F.; Nardone, V.; Santone, A.; Visaggio, C.A. Talos: No more ransomware victims with formal methods. Int. J. Inf. Secur.
**2018**, 17, 719–738. [Google Scholar] [CrossRef] - Canfora, G.; Martinelli, F.; Mercaldo, F.; Nardone, V.; Santone, A.; Visaggio, C.A. Leila: Formal tool for identifying mobile malicious behaviour. IEEE Trans. Softw. Eng.
**2018**, 45, 1230–1252. [Google Scholar] [CrossRef] - Mercaldo, F.; Visaggio, C.A.; Canfora, G.; Cimitile, A. Mobile malware detection in the real world. In Proceedings of the 2016 IEEE/ACM 38th International Conference on Software Engineering Companion (ICSE-C), Austin, TX, USA, 14–22 May 2016; IEEE: New York, NY, USA, 2016; pp. 744–746. [Google Scholar]
- Cimino, M.G.; De Francesco, N.; Mercaldo, F.; Santone, A.; Vaglini, G. Model checking for malicious family detection and phylogenetic analysis in mobile environment. Comput. Secur.
**2020**, 90, 101691. [Google Scholar] [CrossRef] - Blasco, J.; Chen, T.M. Automated generation of colluding apps for experimental research. J. Comput. Virol. Hacking Tech.
**2018**, 14, 127–138. [Google Scholar] [CrossRef][Green Version] - Xu, K.; Li, Y.; Deng, R.H. Iccdetector: Icc-based malware detection on android. IEEE Trans. Inf. Forensics Secur.
**2016**, 11, 1252–1264. [Google Scholar] [CrossRef] - Marforio, C.; Ritzdorf, H.; Francillon, A.; Capkun, S. Analysis of the communication between colluding applications on modern smartphones. In Proceedings of the 28th Annual Computer Security Applications Conference, Orlando, FL, USA, 3–7 December 2012; pp. 51–60. [Google Scholar]
- Casolare, R.; Martinelli, F.; Mercaldo, F.; Santone, A. A Model Checking based Proposal for Mobile Colluding Attack Detection. In Proceedings of the 2019 IEEE International Conference on Big Data (Big Data), Los Angeles, CA, USA, 9–12 December 2019; IEEE: New York, NY, USA, 2019; pp. 5998–6000. [Google Scholar]
- Feng, H.; Shin, K.G. Understanding and defending the Binder attack surface in Android. In Proceedings of the 32nd Annual Conference on Computer Security Applications, Los Angeles, CA, USA, 5–9 December 2016; pp. 398–409. [Google Scholar]
- Gajrani, J.; Agarwal, U.; Laxmi, V.; Bezawada, B.; Gaur, M.S.; Tripathi, M.; Zemmari, A. EspyDroid+: Precise reflection analysis of android apps. Comput. Secur.
**2020**, 90, 101688. [Google Scholar] [CrossRef] - Memon, A.M.; Anwar, A. Colluding apps: Tomorrow’s mobile malware threat. IEEE Secur. Priv.
**2015**, 13, 77–81. [Google Scholar] [CrossRef] - Bosu, A.; Liu, F.; Yao, D.; Wang, G. Collusive data leak and more: Large-scale threat analysis of inter-app communications. In Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, Abu Dhabi, UAE, 2–6 April 2017; pp. 71–85. [Google Scholar]
- Casolare, R.; Martinelli, F.; Mercaldo, F.; Santone, A. Android Collusion: Detecting Malicious Applications Inter-Communication through SharedPreferences. Information
**2020**, 11, 304. [Google Scholar] [CrossRef] - Asavoae, I.M.; Blasco, J.; Chen, T.M.; Kalutarage, H.K.; Muttik, I.; Nguyen, H.N.; Roggenbach, M.; Shaikh, S.A. Towards automated android app collusion detection. arXiv
**2016**, arXiv:1603.02308. [Google Scholar] - Milner, R. Communication and Concurrency; PHI Series in Computer Science; Prentice Hall: Upper Saddle River, NJ, USA, 1989; pp. 1–11. [Google Scholar]
- Stirling, C. An Introduction to Modal and Temporal Logics for CCS. In Concurrency: Theory, Language, and Architecture; Springer: Berlin/Heidelberg, Germany, 1989; pp. 2–20. [Google Scholar]
- De Francesco, N.; Lettieri, G.; Santone, A.; Vaglini, G. Heuristic search for equivalence checking. Softw. Syst. Model.
**2016**, 15, 513–530. [Google Scholar] [CrossRef] - Altuwaijri, H.; Ghouzali, S. Android data storage security: A review. J. King Saud Univ.-Comput. Inf. Sci.
**2020**, 32, 543–552. [Google Scholar] [CrossRef] - Kumar, S.; Shukla, S.K. The State of Android Security. In Cyber Security in India; Springer: Berlin/Heidelberg, Germany, 2020; pp. 17–22. [Google Scholar]
- Martinelli, F.; Mercaldo, F.; Nardone, V.; Santone, A.; Sangaiah, A.K.; Cimitile, A. Evaluating model checking for cyber threats code obfuscation identification. J. Parallel Distrib. Comput.
**2018**, 119, 203–218. [Google Scholar] [CrossRef] - Bacci, A.; Bartoli, A.; Martinelli, F.; Medvet, E.; Mercaldo, F. Detection of obfuscation techniques in Android applications. In Proceedings of the 13th International Conference on Availability, Reliability and Security, Hamburg, Germany, 27–30 August 2018; pp. 1–9. [Google Scholar]
- Bacci, A.; Bartoli, A.; Martinelli, F.; Medvet, E.; Mercaldo, F.; Visaggio, C.A. Impact of Code Obfuscation on Android Malware Detection based on Static and Dynamic Analysis. In Proceedings of the ICISSP, Madeira, Portugal, 22–24 January 2018; pp. 379–385. [Google Scholar]
- De Lorenzo, A.; Martinelli, F.; Medvet, E.; Mercaldo, F.; Santone, A. Visualizing the outcome of dynamic analysis of Android malware with VizMal. J. Inf. Secur. Appl.
**2020**, 50, 102423. [Google Scholar] [CrossRef] - Canfora, G.; De Lorenzo, A.; Medvet, E.; Mercaldo, F.; Visaggio, C.A. Effectiveness of opcode ngrams for detection of multi family android malware. In Proceedings of the 2015 10th International Conference on Availability, Reliability and Security, Toulouse, France, 24–28 August 2015; IEEE: New York, NY, USA, 2015; pp. 333–340. [Google Scholar]
- Arp, D.; Spreitzenbarth, M.; Hubner, M.; Gascon, H.; Rieck, K.; Siemens, C. Drebin: Effective and explainable detection of android malware in your pocket. Ndss
**2014**, 14, 23–26. [Google Scholar] - Wang, W.; Tian, D.; Meng, W.; Jia, X.; Zhao, R.; Ma, R. MSYM: A multichannel communication system for android devices. Comput. Netw.
**2020**, 168, 107024. [Google Scholar] [CrossRef] - Al-Haiqi, A.; Ismail, M.; Nordin, R. A new sensors-based covert channel on android. Sci. World J.
**2014**, 2014, 969628. [Google Scholar] [CrossRef][Green Version] - Shrestha, P.L.; Hempel, M.; Rezaei, F.; Sharif, H. A support vector machine-based framework for detection of covert timing channels. IEEE Trans. Dependable Secur. Comput.
**2015**, 13, 274–283. [Google Scholar] [CrossRef] - Han, J.; Huang, C.; Shi, F.; Liu, J. Covert timing channel detection method based on time interval and payload length analysis. Comput. Secur.
**2020**, 97, 101952. [Google Scholar] [CrossRef] - Guri, M. Magneto: Covert channel between air-gapped systems and nearby smartphones via cpu-generated magnetic fields. Future Gener. Comput. Syst.
**2020**. [Google Scholar] [CrossRef] - Li, L.; Bartel, A.; Bissyandé, T.F.; Klein, J.; Le Traon, Y.; Arzt, S.; Rasthofer, S.; Bodden, E.; Octeau, D.; McDaniel, P. Iccta: Detecting inter-component privacy leaks in android apps. In Proceedings of the 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, Florence, Italy, 16–24 May 2015; IEEE: New York, NY, USA, 2015; Volume 1, pp. 280–291. [Google Scholar]
- Wei, F.; Roy, S.; Ou, X. Amandroid: A precise and general inter-component data flow analysis framework for security vetting of android apps. ACM Trans. Priv. Secur. (TOPS)
**2018**, 21, 1–32. [Google Scholar] [CrossRef] - Gordon, M.I.; Kim, D.; Perkins, J.H.; Gilham, L.; Nguyen, N.; Rinard, M.C. Information flow analysis of android applications in droidsafe. NDSS
**2015**, 15, 110. [Google Scholar] - Liu, F.; Cai, H.; Wang, G.; Yao, D.; Elish, K.O.; Ryder, B.G. MR-Droid: A scalable and prioritized analysis of inter-app communication risks. In Proceedings of the 2017 IEEE Security and Privacy Workshops (SPW), San Jose, CA, USA, 25–25 May 2017; IEEE: New York, NY, USA, 2017; pp. 189–198. [Google Scholar]
- Bhandari, S.; Herbreteau, F.; Laxmi, V.; Zemmari, A.; Roop, P.S.; Gaur, M.S. Sneakleak: Detecting multipartite leakage paths in android apps. In Proceedings of the 2017 IEEE Trustcom/BigDataSE/ICESS, Sydney, Australia, 1–4 August 2017; IEEE: New York, NY, USA, 2017; pp. 285–292. [Google Scholar]
- Arabo, A. Mobile App collusions and its cyber security implications. In Proceedings of the 2016 IEEE 3rd International Conference on Cyber Security and Cloud Computing (CSCloud), Beijing, China, 25–27 June 2016; IEEE: New York, NY, USA, 2016; pp. 178–183. [Google Scholar]
- Xu, M.; Ma, Y.; Liu, X.; Lin, F.X.; Liu, Y. AppHolmes: Detecting and characterizing app collusion among third-party Android markets. In Proceedings of the 26th International Conference on World Wide Web, Perth, Australia, 3–7 April 2017; pp. 143–152. [Google Scholar]
- Aktas, K.; Sen, S. Updroid: Updated android malware and its familial classification. In Proceedings of the Nordic Conference on Secure IT Systems, Oslo, Norway, 28–30 November 2018; Springer: Berlin/Heidelberg, Germany, 2018; pp. 352–368. [Google Scholar]
- Mercaldo, F.; Nardone, V.; Santone, A.; Visaggio, C.A. Download malware? no, thanks: How formal methods can block update attacks. In Proceedings of the 4th FME Workshop on Formal Methods in Software Engineering, Austin, TX, USA, 15 May 2016; pp. 22–28. [Google Scholar]
- Mercaldo, F.; Nardone, V.; Santone, A.; Visaggio, C.A. Ransomware steals your phone. Formal methods rescue it. In Proceedings of the International Conference on Formal Techniques for Distributed Objects, Components, and Systems, Heraklion, Greece, 6–9 June 2016; Springer: Berlin/Heidelberg, Germany, 2016; pp. 212–221. [Google Scholar]
- Arabo, A.; Dijoux, R.; Poulain, T.; Chevalier, G. Detecting Ransomware Using Process Behavior Analysis. Procedia Comput. Sci.
**2020**, 168, 289–296. [Google Scholar] [CrossRef]

${\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\mathbf{Done}}_{}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\begin{array}{c}\\ \overline{)\mathit{DONE}\stackrel{\mathit{\delta}}{\u27f6}\mathit{nil}}\end{array}\phantom{\rule{4pt}{0ex}}$ | (2) | ${\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\mathbf{Act}}_{}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\begin{array}{c}\\ \overline{)\alpha .p\stackrel{\alpha}{\u27f6}p}\end{array}\phantom{\rule{4pt}{0ex}}$ | (3) |

${\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\mathbf{Seq}}_{1}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\begin{array}{c}p\stackrel{\alpha}{\u27f6}{p}^{\prime}\\ \overline{)p;q\stackrel{\alpha}{\u27f6}{p}^{\prime};q}\end{array}\phantom{\rule{4pt}{0ex}}\alpha \ne \delta $ | (4) | ${\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\mathbf{Seq}}_{2}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\begin{array}{c}p\stackrel{\delta}{\u27f6}nil\\ \overline{)p;q\stackrel{\delta}{\u27f6}q}\end{array}\phantom{\rule{4pt}{0ex}}$ | (5) |

${\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\mathbf{Sum}}_{}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\begin{array}{c}p\stackrel{\alpha}{\u27f6}{p}^{\prime}\\ \overline{)p+q\stackrel{\alpha}{\u27f6}{p}^{\prime}}\end{array}\phantom{\rule{4pt}{0ex}}\left(\mathrm{and}\text{}\mathrm{symmetric}\right)$ | (6) | ${\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\mathbf{Par}}_{}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\begin{array}{c}p\stackrel{\alpha}{\u27f6}{p}^{\prime}\\ \overline{)p\parallel q\stackrel{\alpha}{\u27f6}{p}^{\prime}\parallel q}\end{array}\phantom{\rule{4pt}{0ex}}\alpha \ne \delta \left(\mathrm{and}\text{}\mathrm{symmetric}\right)$ | (7) |

${\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\mathbf{Com}}_{2}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\begin{array}{c}\overline{)p\stackrel{\delta}{\u27f6}{p}^{\prime},\phantom{\rule{4pt}{0ex}}q\stackrel{\delta}{\u27f6}{q}^{\prime}}\\ p\parallel q\stackrel{\delta}{\u27f6}DONE\end{array}\phantom{\rule{4pt}{0ex}}$ | (8) | ${\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\mathbf{Com}}_{1}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\begin{array}{c}\overline{)p\stackrel{l}{\u27f6}{p}^{\prime},\phantom{\rule{4pt}{0ex}}q\stackrel{\overline{l}}{\u27f6}{q}^{\prime}}\\ p|q\stackrel{\tau}{\u27f6}{p}^{\prime}|{q}^{\prime}\end{array}\phantom{\rule{4pt}{0ex}}$ | (9) |

${\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\mathbf{Res}}_{}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\begin{array}{c}p\stackrel{\alpha}{\u27f6}{p}^{\prime}\\ \overline{)p\backslash L\stackrel{\alpha}{\u27f6}{p}^{\prime}\backslash L}\end{array}\phantom{\rule{4pt}{0ex}}\alpha \notin {L}^{+}$ | (10) | ${\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\mathbf{Rel}}_{}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\begin{array}{c}p\stackrel{\alpha}{\u27f6}{p}^{\prime}\\ \overline{)p\left[f\right]\stackrel{f\left(\alpha \right)}{\u27f6}{p}^{\prime}\left[f\right]}\end{array}\phantom{\rule{4pt}{0ex}}$ | (11) |

${\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\mathbf{Con}}_{}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\phantom{\rule{4pt}{0ex}}\begin{array}{c}p\stackrel{\alpha}{\u27f6}{p}^{\prime}\\ \overline{)x\stackrel{\alpha}{\u27f6}{p}^{\prime}}\end{array}\phantom{\rule{4pt}{0ex}}x\underset{}{\overset{\mathrm{def}}{=}}p$ | (12) |

$p{\u22ad}_{}\mathrm{ff}$ | and | p${\vDash}_{}\mathtt{tt}$ | (14) | |

$p{\vDash}_{}\phi \wedge \psi $ | iff | $p{\vDash}_{}\phi \text{}\mathrm{and}\text{}p{\vDash}_{}\psi $ | (15) | |

$p{\vDash}_{}\phi \vee \psi $ | iff | $p{\vDash}_{}\phi \text{}\mathrm{or}\text{}p{\vDash}_{}\psi $ | (16) | |

$p{\vDash}_{}{\left[K\right]}_{}\phi $ | iff | $\forall {p}^{\prime}.\forall \alpha \in K.p\stackrel{\alpha}{\u27f6}{p}^{\prime}\mathrm{implies}\text{}{p}^{\prime}{\vDash}_{}\phi $ | (17) | |

$p{\vDash}_{}{\langle K\rangle}_{}\phi $ | iff | $\exists {p}^{\prime}.\exists \alpha \in K.p\stackrel{\alpha}{\u27f6}{p}^{\prime}\phantom{\rule{4pt}{0ex}}\mathrm{and}\text{}\phantom{\rule{4pt}{0ex}}{p}^{\prime}{\vDash}_{}\phi $ | (18) | |

$p{\vDash}_{}\nu Z.\phi $ | iff | $p{\vDash}_{}\nu {Z}^{n}.\phi \text{}\mathrm{for}\text{}\mathrm{all}\text{}n$ | (19) | |

$p{\vDash}_{}\mu Z.\phi $ | iff | $p{\vDash}_{}\mu {Z}^{n}.\phi \text{}\mathrm{for}\text{}\mathrm{some}\text{}n$ | (20) | |

where: | ||||

- for each n, νZ^{n}.φ and μZ^{n}.φ are defined as: | ||||

νz^{0}.φ = tt
| μZ^{0}.φ = ff
| |||

νz^{n+1}.φ = φ[νz^{n}.φ/Z]
| μZ^{n+1}.φ = φ[μZ^{n}.φ/Z]
| |||

where the notation φ[ψ/Z] indicates the substitution of ψ for every free occurrence of the variable Z in φ. |

**Table 3.**The ${\phi}_{PUT}$ property detects methods invoking $PUT$ operations on $SharedPreferences$, while the ${\phi}_{GET}$ property detects methods invoking $GET$ operations on $SharedPreferences$.

$Formula\_SP\_PUT$ | ||

${\phi}_{PUT}$ | = | $\mu X.{\langle invokegetSharedPreferences\rangle}_{}\text{}{\phi}_{PU{T}_{1}}\vee $ |

${\langle -invokegetSharedPreferences\rangle}_{}\text{}X$ | ||

${\phi}_{PU{T}_{1}}$ | = | $\mu X.{\langle invokeedit\rangle}_{}$$\text{}{\phi}_{PU{T}_{2}}\vee {\langle -invokeedit\rangle}_{}\text{}X$ |

${\phi}_{PU{T}_{2}}$ | = | $\mu X.{\langle invokeputString,invokeputInt,invokeputFloat\rangle}_{}$$\text{}{\phi}_{PU{T}_{3}}\vee $ |

${\langle -invokeputString,invokeputInt,invokeputFloat\rangle}_{}\text{}X$ | ||

${\phi}_{PU{T}_{3}}$ | = | $\mu X.{\langle invokecommit\rangle}_{}\mathtt{tt}\vee {\langle -invokecommit\rangle}_{}X$ |

$Formula\_SP\_GET$ | ||

${\phi}_{GET}$ | = | $\mu X.{\langle invokegetSharedPreferences\rangle}_{}\text{}{\phi}_{GE{T}_{1}}\vee $ |

${\langle -invokegetSharedPreferences\rangle}_{}\text{}X$ | ||

${\phi}_{GE{T}_{1}}$ | = | $\mu X.{\langle invokegetString,invokegetInt,invokegetFloat\rangle}_{}\text{}\mathtt{tt}\vee $ |

${\langle -invokegetString,invokegetInt,invokegetFloat\rangle}_{}\text{}X$ |

**Table 4.**The ${\chi}_{PUT}$ property detects methods invoking $PUT$ operations on $ExternalStorage$, while the ${\chi}_{GET}$ property detects methods invoking $GET$ operations on $ExternalStorage$.

$Formula\_ES\_PUT$ | ||

${\chi}_{PUT}$ | = | $\mu X.\langle invokegetExternalStorageDirectory\rangle \text{}{\chi}_{PU{T}_{1}}\vee $ |

${\langle -invokegetExternalStorageDirectory\rangle}_{}\text{}X$ | ||

${\chi}_{PU{T}_{1}}$ | = | $\mu X.{\langle invokewrite\rangle}_{}\text{}\mathtt{tt}\vee $ |

${\langle -invokewrite\rangle}_{}\text{}X$ | ||

$Formula\_ES\_GET$ | ||

${\chi}_{GET}$ | = | $\mu X.{\langle invokegetExternalStorageDirectory\rangle}_{}\text{}{\chi}_{GE{T}_{1}}\vee $ |

${\langle -invokegetExternalStorageDirectory\rangle}_{}\text{}X$ | ||

${\chi}_{GE{T}_{1}}$ | = | $\mu X.{\langle invokereadFully\rangle}_{}\text{}\mathtt{tt}\vee $ |

${\langle -invokereadFully\rangle}_{}\text{}X$ |

**Table 5.**The ${\psi}_{PUT}$ property detects methods invoking $PUT$ operations on $BroadcastReceiver$, while the ${\psi}_{GET}$ property detects methods invoking $GET$ operations on $BroadcastReceiver$.

$Formula\_BR\_PUT$ | ||

${\psi}_{PUT}$ | = | $\mu X.{\langle invokeputExtra\rangle}_{}\text{}{\psi}_{PU{T}_{1}}\vee $ |

${\langle -invokeputExtra\rangle}_{}\text{}X$ | ||

${\psi}_{PU{T}_{1}}$ | = | $\mu X.{\langle invokesendBroadcast\rangle}_{}\text{}\mathtt{tt}\vee $ |

${\langle -invokesendBroadcast\rangle}_{}\text{}X$ | ||

$Formula\_BR\_GET$ | ||

${\psi}_{GET}$ | = | $\mu X.{\langle invokegetStringExtra\rangle}_{}\text{}{\psi}_{GE{T}_{1}}\vee $ |

${\langle -invokegetStringExtra\rangle}_{}\text{}X$ | ||

${\psi}_{GE{T}_{1}}$ | = | $\mu X.{\langle invokestart\rangle}_{}\text{}\mathtt{tt}\vee $ |

${\langle -invokestart\rangle}_{}\text{}X$ |

**Table 6.**The ${\rho}_{PUT}$ property detects methods invoking $PUT$ operations on $RemoteProcedureCalls\left(RPCs\right)$, while the ${\rho}_{GET}$ property detects methods invoking $GET$ operations by exploiting $RPC$.

$Formula\_RPC\_PUT$ | ||

${\rho}_{PUT}$ | = | $\mu X.{\langle invokeputExtra\rangle}_{}\text{}{\rho}_{PU{T}_{1}}\vee $ |

${\langle -invokeputExtra\rangle}_{}\text{}X$ | ||

${\rho}_{PU{T}_{1}}$ | = | $\mu X.{\langle invokestartService\rangle}_{}\text{}\mathtt{tt}\vee $ |

${\langle -invokestartService\rangle}_{}\text{}X$ | ||

$Formula\_RPC\_GET$ | ||

${\rho}_{GET}$ | = | $\mu X.{\langle invokegetStringExtra\rangle}_{}\text{}{\rho}_{GE{T}_{1}}\vee $ |

${\langle -invokegetStringExtra\rangle}_{}\text{}X$ | ||

${\rho}_{GE{T}_{1}}$ | = | $\mu X.{\langle invokevirtual\rangle}_{}\text{}\mathtt{tt}\vee $ |

${\langle -invokevirtual\rangle}_{}\text{}X$ |

**Table 7.**The properties automatically generated for the $\tau $-automaton shown in Listing 4: the ${\zeta}_{push1}$ property is related to the $pushConstant1$ action, the ${\zeta}_{push2}$ property is related to the $pushConstant2$ action and the ${\zeta}_{push3}$ property is related to the $pushConstant3$ action.

$Formula\_Constant1\_push$ | ||

${\zeta}_{push1}$ | = | $\mu X.{\langle invokegetExternalStorageDirectory\rangle}_{}\text{}{\zeta}_{push12}\vee $ |

${\langle -invokegetExternalStorageDirectory\rangle}_{}\text{}X$ | ||

${\zeta}_{push12}$ | = | $\mu X.{\langle pushConstant1\rangle}_{}\text{}\mathtt{tt}\vee $ |

${\langle -pushConstant1\rangle}_{}\text{}X$ | ||

$Formula\_Constant2\_push$ | ||

${\zeta}_{push2}$ | = | $\mu X.{\langle invokegetExternalStorageDirectory\rangle}_{}\text{}{\zeta}_{push22}\vee $ |

${\langle -invokegetExternalStorageDirectory\rangle}_{}\text{}X$ | ||

${\zeta}_{push22}$ | = | $\mu X.{\langle pushConstant2\rangle}_{}\text{}\mathtt{tt}\vee $ |

${\langle -pushConstant2\rangle}_{}\text{}X$ | ||

$Formula\_Constant3\_push$ | ||

${\zeta}_{push3}$ | = | $\mu X.{\langle invokegetExternalStorageDirectory\rangle}_{}\text{}{\zeta}_{push32}\vee $ |

${\langle -invokegetExternalStorageDirectory\rangle}_{}\text{}X$ | ||

${\zeta}_{push32}$ | = | $\mu X.{\langle pushConstant3\rangle}_{}\text{}\mathtt{tt}\vee $ |

${\langle -pushConstant3\rangle}_{}\text{}X$ |

**Table 8.**Malware families in the Drebin data-set. We selected the 10 most populous families in this repository, for a total of 100 non-colluding malware (10 samples for family). We indicate in the Inst. column the payload delivering (standalone, repackaging, and update), in the attack column the kind of attack (trojan and botnet) and in the Activation column the operating system events triggering the malicious payload.

Family | Inst. | Attack | Activation |
---|---|---|---|

FakeInstaller | s | t,b | |

DroidKungFu | r | t | boot,batt,sys |

Plankton | s,u | t,b | |

Opfake | r | t | |

GinMaster | r | t | boot |

BaseBridge | r,u | t | boot,sms,net,batt |

Kmin | s | t | boot |

Geinimi | r | t | boot,sms |

Adrd | r | t | net,call |

DroidDream | r | b | main |

**Table 9.**We find the three types of attack treated in this work, and for each of them we have the number of PUT applications and the number of GET applications. In particular, for the SharedPreferences, we report the division of the application number by type of resource.

Type of Attack | PUT | GET |
---|---|---|

SharedPreferences | 90 (80 String, 5 Int, 5 Float) | 90 (80 String, 5 Int, 5 Float) |

ExternalStorage | 80 | 80 |

BroadcastReceiver | 81 | 81 |

RemoteProcedureCall | 10 | 10 |

Precision | Recall | F-Measure | Specificity | Accuracy |
---|---|---|---|---|

1 | 1 | 1 | 1 | 1 |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Casolare, R.; Martinelli, F.; Mercaldo, F.; Santone, A. Detecting Colluding Inter-App Communication in Mobile Environment. *Appl. Sci.* **2020**, *10*, 8351.
https://doi.org/10.3390/app10238351

**AMA Style**

Casolare R, Martinelli F, Mercaldo F, Santone A. Detecting Colluding Inter-App Communication in Mobile Environment. *Applied Sciences*. 2020; 10(23):8351.
https://doi.org/10.3390/app10238351

**Chicago/Turabian Style**

Casolare, Rosangela, Fabio Martinelli, Francesco Mercaldo, and Antonella Santone. 2020. "Detecting Colluding Inter-App Communication in Mobile Environment" *Applied Sciences* 10, no. 23: 8351.
https://doi.org/10.3390/app10238351