Four UK universities will share £3m of funding to develop systems protecting smartphone users against malicious colluding apps.
The funding, available through the Engineering and Physical Sciences Research Council (EPSRC), will go to two research teams - one at the Royal Holloway University of London, and the second a joint group between City University London, Coventry and Swansea Universities.
One of the areas the teams will try to address is the growing problem of so-called colluding apps. Such apps rely on cooperation between several applications, one of which gets access to the smartphone user’s personal data only to transfer them to another app, allowed to transmit data to the network. In this way, cyber-criminals can get hold of the users’ sensitive information.
“You may think that the phone in your pocket is safe, but think again,” said Lorenzo Cavallaro, lecturer in the Information Security Group at Royal Holloway University of London. “We’re used to considering our phones as a trusted, private channel of communication, and suitable to receive authentication information to access specific online services. Unfortunately, this information can be leaked or abused by colluding malware if the mobile device is infected.”
The researchers will try to develop software that can detect the presence of such malicious apps without alerting the attacker.
“Currently almost all academic and industry efforts are focusing on single malicious apps; almost no attention has been given to colluding apps. Existing antivirus products are not designed to detect collusion,” said Professor Tom Chen, a leading researcher at City University London.
At the first place, the team will focus on Android apps, as the system’s open design poses additional risks.
Android relies on restricting apps by combining digital signatures, sandboxing, and permissions. These restrictions, however, can be bypassed without the user noticing by colluding apps whose combined permissions allow them to carry out attacks that neither app could carry out alone.
Antivirus company McAfee will become a partner of the research teams and will provide them with access to a library of safe apps.
“We’re up against really sophisticated malware - some even used by nation states for spying,” said Igor Muttik, a Senior Principal Architect at McAfee. “All attackers are well aware of the technology involved in detecting and tracking them. These cybercriminals often take an industrial approach to malware; they try to maximise their benefits from it. So, we need to constantly raise the bar by improving the technology and this will make it more complex and less profitable for them to operate.”
Malware attack numbers have been continuously rising over the past years. In 2013 only, more than one million new Android malware attacks were identified by McAfee, a division of Intel Security.
Malicious apps can gain access to address books, GPS coordinates, passwords or pin numbers. They can redirect data of smartphone users across the net, send them to phishing sites and easily bypass the two-step authentication process used to access an ever-increasing number of online services such as banking or email.
Criminals can monetise this information in a number of ways – by getting your phone to send messages to premium numbers, by remotely controlling an infected phone, by tricking the user into revealing passwords and by directly using the stolen data.
“Be careful which apps you download, particularly if downloading from an unofficial app store, and be wary of an app which asks you to grant lots of permissions before it is installed,” Professor Chen warns smartphone users.