Vulnerability Detection of Multiple Layer Colluding Application through Intent Privilege Checking

In recent years, the privilege escalation attacks can be performed based on collusion attacks. However, a novel privilege escalation attack is Multiple Layer Collusion Attack, which can divide collusion applications into three parts: Spyware, Deputy and Delivery. Spyware steals private data and transmits data to Deputy. Next, Deputy doesn´t need to declare any permissions and just bypass data to Delivery. Colluding attack escapes from malware detection through Deputy. In this paper, we propose a mechanism which is capable to detect both capability and deputy leaks. First, we decode APK file to resources and disassembly code. To extract function calls, our system constructs correlation map from source data to intent through API calls, in which, URIs are potential permissions whether Intent has vulnerabilities or not. Hence, we need to trace the potential function-call and overcome the Inter- component communication. The experiment results prove that deputy applications exist in Android official market, Google Play.