Picker Blinder: a framework for automatic injection of malicious inter-app communication

Casolare R.; Mercaldo F.; Santone A.
2024-01-01

Abstract

Malware writers, aiming to elude the detection mechanisms implemented by current commercial and free anti-malware, are constantly finding new ways to develop aggressive attack paradigms. Current anti-malware suffer from two main limitations. The first is that they are not able to detect zero-day malware: to mark an application as malware, they need to know the signature of its malicious payload. The second is that they are able to scan only one application at a time, which is why a type of malware characterized by a colluding attack, where the malicious behaviour is divided between several applications, can never be detected. To demonstrate the ineffectiveness of current anti-malware in detecting colluding attacks, in this paper we design a method aimed at automatically injecting a malicious payload into two or more different Android applications. We implemented the proposed method in a framework that we called Picker Blinder. In a nutshell, Picker Blinder is able to inject a collusive malicious payload exploiting two different channels (i.e., SharedPreferences and Sockets), allowing the attacker to obtain sensitive and private information stored on the infected device. We perform an experimental analysis by submitting 398 colluding applications to 79 different anti-malware, showing that current detection mechanisms are not able to detect this kind of threat.
Files in this item:
There are no files associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11695/153929
Citations
  • PMC: ND
  • Scopus: 3
  • ISI: 3