SteælErgon: A Framework for Injecting Colluding Malicious Payload in Android Applications

Rosangela Casolare, Giovanni Ciaramella, F. Martinelli, F. Mercaldo, A. Santone
DOI: 10.1145/3465481.3470077
Published in: Proceedings of the 16th International Conference on Availability, Reliability and Security
Publication date: 2021-08-16
Link: https://doi.org/10.1145/3465481.3470077
Source: Semantic Scholar
Cited by: 1

Abstract

Mobile malware is growing in number and its complexity is constantly increasing. Malware authors are continuously looking for new ways to elude anti-malware controls. Anti-malware tools are not able to detect zero-day malware, because to detect malicious behaviour they need to know its signature, but to have this information the malware must already be widespread. Furthermore, anti-malware tools are able to scan only one application at a time: for this reason a type of malware characterized by the colluding attack, where the malicious action is split across two (or more) applications, cannot be recognised. To demonstrate the ineffectiveness of current anti-malware mechanisms in recognizing colluding attacks, in this paper we propose SteælErgon, a framework aimed at injecting a malicious payload into two or more different Android applications. Clearly the malicious payload will be executed once all the applications composing the collusive attack are installed on the infected device. In detail, SteælErgon is able to inject a collusive malicious payload attacking the external storage, allowing the attacker to capture sensitive and private information stored on the infected device. We perform an experimental analysis by submitting the generated colluding applications to 79 different anti-malware tools, showing that current detection mechanisms are not able to detect this kind of threat. To boost research attention on colluding attacks we freely release SteælErgon, which is available for research purposes at the following URL: https://github.com/vigimella/StealErgon.