Colluding Covert Channel for Malicious Information Exﬁltration in

Android Environment

Rosangela Casolare

, Fabio Martinelli

, Francesco Mercaldo

2,3

and Antonella Santone

Department of Biosciences and Territory, University of Molise, Pesche (IS), Italy

Department of Medicine and Health Sciences “Vincenzo Tiberio”, University of Molise, Campobasso, Italy

Institute for Informatics and Telematics, National Research Council of Italy, Pisa, Italy

{fabio.martinelli, francesco.mercaldo}@iit.cnr.it

Keywords:

Android, Security, Model Checking, Formal Methods, Privacy.

Abstract:

Mobile devices store a lot of sensitive and private information. It is easy from the developer point of view

to release the access to sensitive and critical assets in mobile application development, such as Android. For

this reason it can happen that the developer inadvertently causes sensitive data leak, putting users’ privacy

at risk. Recently, a type of attack that creates a capability to transfer sensitive data between two (or more)

applications is emerging i.e., the so-called colluding covert channel. To demonstrate this possibility, in this

work we design and develop a set of applications exploiting covert channels for malicious purposes, which

uses the smartphone accelerometer to perform a collusion between two Android applications. The vibration

engine sends information from the source application to the sink application, translating it into a vibration

pattern. The applications have been checked by more than sixty antimalware which did not classify them as

malware, except for two antimalware which returned a false positive.

1 INTRODUCTION

The large-scale spread of Android based devices has

led to the implementation of a large number of mali-

cious software (i.e., malware) aimed at stealing con-

ﬁdential information. Sensitive data, managed and

stored inside our smartphones, attract the attention

of malicious developers that, by exploiting the weak-

nesses of the security features provided by the oper-

ating system developed by Google and taking advan-

tage of users’ carelessness, can cause great damage.

In May 2020, there were about 430,000 malware

attacks on Android devices, a 3.6% increase over the

previous month. Instead, in August 2020 the growth

was 6.26% compared to July

Android is the operating system in mobile en-

vironment most popular, with a market share about

74.6%

. This feature combined with being open

source, makes Android interesting in the eyes of cy-

bercriminals, because by rebuilding the source code

https://news.drweb.com/show/review/?i=13991&lng=

https://www.statista.com/statistics/272698/global-

market-share-held-by-mobile-operating-systems-since-

2009/

it is possible to create customized operating systems

(Enck et al., 2014; Enck, 2011). There is also the

possibility of installing applications from third-party

stores, but downloading applications from sources of

unknown origin is very dangerous, as they are not

subject to the security controls present in the ofﬁcial

stores (for Android it is Google Play Store), even if

malicious applications may also be present in the ofﬁ-

cial stores, in smaller quantities than to unofﬁcial ones

(Nguyen et al., 2020; Canfora et al., 2018).

Recently, cybercriminals are working for develop-

ing new threats to perpetrate more and more harm-

ful actions, with the aim to evade the current free

and commercial antimalware, mainly signature-based

(Cimitile et al., 2018; Mercaldo et al., 2016a). One

of these new threats is represented by the collusion

attack. The rationale behind this emerging attack is

to split the malicious action in two or more applica-

tions able to perform a communication for sensitive

data exﬁltration and sharing (Casolare et al., 2020a).

This type of attack avoids that an application with too

many permissions being immediately reported by the

security mechanisms (i.e., antimalware) or that makes

the user suspicious (Mahboubi et al., 2017; Cimino

et al., 2020; Mercaldo et al., 2016b).

Casolare, R., Martinelli, F., Mercaldo, F. and Santone, A.

Colluding Covert Channel for Malicious Information Exﬁltration in Android Environment.

DOI: 10.5220/0010396708110818

In Proceedings of the 7th International Conference on Information Systems Security and Privacy (ICISSP 2021), pages 811-818

ISBN: 978-989-758-491-6

811

As matter of fact, to access to user sensitive re-

sources stored in the devices (for instance the contact

list or the device localisation), the developer must ex-

plicitly declare the related permissions in the appli-

cation. To avoid a single application having all ac-

cesses guaranteed to complete the attack and there-

fore being classiﬁed as a threat from the antimalware,

it is possible to split the malicious action (i.e., the per-

mission request) into multiple applications which will

then ”complete” each other. For example, an appli-

cation could have the authorization to read sensitive

data but not the one to access the internet, so it would

not represent any threat to the user and would come

out unscathed from an antimalware scan. Similarly,

an application with network access permissions but

without the ability to access sensitive data would not

arouse suspicion.

If the two applications are performing a collusion,

they will be able to collect the data and send it over

the network without the attack being intercepted. To

ensure that transmission between applications occurs

undetected, it is important to create a hidden, unde-

tectable communication channel.

This type of attack is called covert channel pre-

cisely because it allows data to be transferred through

a channel not designed to transmit information, but

which can be used for this purpose to hide communi-

cation (Shrestha et al., 2015). The advantage is that,

unlike communication channels, covert channels are

not subjected to the control and security mechanisms

of the operating system, making transmission partic-

ularly difﬁcult to identify.

In this article we design and we implement the

colluding cover channel attack in Android environ-

ment. To do this, we exploit the vibration sensor,

present on all mobile devices, as a communication

channel to send sensitive information between appli-

cations installed on the same device. To test the func-

tioning of the communication, three different real-

world smartphones have been considered, in order to

validate the correctness of the work.

The goal of this work is to demonstrate the

effectiveness of this attack and to make available

to the research community a data-set that per-

forms this type of colluding attack, which can

be downloaded for research purposes at the fol-

lowing link: https://mega.nz/folder/E0wwRABD#

YM7U7sru5ZvD6ijsCbKH4Q.

The paper’s organization is the following: in sec-

tion 2 we describe the different types of covert chan-

nels and their functionality; in section 3 we explain

how is composed the proposed data-set and in partic-

ular which is the process to obtain the necessary per-

missions; section 4 shows how data are converted and

sent, and the results obtained with antimalware anal-

ysis; in section 5 current state-of-the-art literature is

analyzed and, ﬁnally, conclusion and future research

lines are drawn in section 6.

2 UNDERSTANDING THE

COVERT CHANNEL

COMMUNICATION

Android implements a permissions-based security

model in order to limit the actions that each appli-

cation can perform. A collusion attack is able to

”break” this model, distributing the permissions it

needs across multiple applications.

Applications are classiﬁed as source when they al-

low information to escape from the device thanks to

read permissions, instead they are classiﬁed as sink

when they receive data and send it outside thanks to

connection permissions.

The covert channels are those channels not in-

tended for the transfer of information, which can be

used for this purpose through the manipulation of a

speciﬁc resource, ensuring a particularly useful com-

munication when you want to steal sensitive informa-

tion. We have two type of covert channels (Shrestha

et al., 2015):

• Covert Storage Channel: it communicates infor-

mation by modifying the data of a speciﬁc re-

source, which will then be read by the recipient.

• Covert Timing Channel: it works by altering the

time required to perform a function or to use a re-

source, the recipient decodes the message by in-

terpreting these time gap between packets.

In both cases it is necessary to access a shared re-

source by the process that sends the data and by the

process that receives them, in order for communica-

tion to take place.

In (Marforio et al., 2012) authors report some of

the most relevant covert channels, among which we

have:

• Single and Multiple Settings: here the source ap-

plication changes a smartphone system setting

(i.e., volume, vibrations, screen) and the sink ap-

plication then read the altered resource.

• Type of Intents: the data are sent via an intent,

not by inserting them in the payload, but they are

encoded in the intent type.

• Threads Enumeration: in this case the source ap-

plication encodes the information for a certain

number of threads, then the sink application reads

data by monitoring the number of active threads.

ForSE 2021 - 5th International Workshop on FORmal methods for Security Engineering

812

• UNIX Socket Discovery: the source application

uses two sockets, one for synchronization and one

for communication, the application sink reads the

data by checking the status of the latter socket.

• Fee Space on Filesystem: the information is sent

by source application by writing and deleting data

from the disk.

• Timing Channel: the source application performs

high intensity activities to send bits of value 1, in-

stead, for the transmission of bits of value 0, it

does not perform any activity. The application

sink continuously performs high-intensity activi-

ties and depending on the time it takes to complete

them, is able to detect the message.

• Processor Frequency: it is an improvement of

Timing Channel, where the source application

have the same behaviour just described, instead

the sink application checks the CPU frequency

with queries and read the bit sent via the alter-

ations caused by the source.

3 THE COLLUDING COVERT

CHANNEL ATTACK DESIGN

In this work we have designed and developed a data-

set composed by six source applications to obtain sen-

sitive and private data and another one (i.e., the sink

application) that receives it. In order to launch a col-

luding attack, the source applications have the nec-

essary permissions to access the data of their interest,

while the sink applications have access permissions to

internet so they can transmit this data to the attacker.

3.1 Source Applications

We implement a hidden communication for the infor-

mation exchange, based on the variation of the ac-

celerometer data on Android devices. To encode the

messages, the source applications exploit the vibra-

tion engine considered to modulate the sensor data

able to detect device movements. Consequently, the

sink application extracts the data contained into the

variation of vibrations, as shown in Figure 1. This

communication takes place during the night hours,

when the device is less used, so as not to arouse sus-

picion in the unaware user.

Once the authorizations to read the data have been

received, the source applications start a service to set

up the encryption, the synchronization of the trans-

mission and the sending of data. The required per-

missions are:

• Foreground Service: they are used to ensure that

the background services of the source applications

are not subject to limitations due to excessive bat-

tery consumption. The Foreground Services man-

ifest their activity to the user through a notiﬁca-

tion that cannot be deleted unless the service is

stopped and they continue their execution even if

the user does not interact with the application.

To start the Foreground Service, the application

uses the startForegroundService() method and it

has ﬁve seconds to call startForeground() method,

in order to show the notiﬁcation before the service

is stopped. This procedure needs the appropriate

permission.

• Vibrate: it gives permission for access to the vi-

bration motor, which guarantees the encoding of

the data to be sent to the sink application by alter-

ing the sensor values.

• Wake Lock: they keep the CPU active and pre-

vent the screen from turning off. The device can-

not enter sleep state as long as there is an ac-

tive Wake Lock, thus causing the battery to drain

quickly. To take advantage of this permission, the

PowerManager class is used.

In addition to the permissions listed above, which be-

ing normal permissions do not require the consent of

the user, each application of the data-set has a fourth

permission that must be explicitly given by the user

and changes according to the information to be ac-

cessed (and which will then be sent to the sink appli-

cation).

The developed applications are able to steal sensi-

tive and private information, such as:

• SMS: using the READ STATE permission, a ma-

licious application has the ability to read the last

SMS sent (or received), thus accessing the user’s

private conversations.

• E-mail Address: using the GET ACCOUNTS

permission, the application is able to retrieve all

e-mail addresses stored in AccountManager.

• Telephone Number: using the

READ PHONE STATE permission, the ap-

plication can access to the telephone number and

know the information about the network and the

status of ongoing calls.

• IMEI code: it is a 15 digit numeric code that

uniquely identiﬁes the smartphone. It is useful

for locking the device in case of theft and pro-

vides its location at a given time. Also in this case

the permission used to obtain the IMEI code is

READ PHONE STATE.

Colluding Covert Channel for Malicious Information Exﬁltration in Android Environment

813

Figure 1: Workﬂow of the proposed colluding attack.

• Contact List: using the READ CONTACTS per-

mission, the malicious application is able to ac-

cess to the user’s contact list by obtaining for

each contact: number and name. The attacker can

thus use the contacts obtained to obtain others and

launch new attacks.

• Calendar Events: using the READ CALENDAR

permission, the application can read information

about the events contained into the calendar, such

as title, description, position, date and time. The

attacker can thus learn the user’s habits or know

where he will be on a certain day at a certain time.

The antimalware are not able to classify these applica-

tions as threats and the same goes for users, because

they can only read data. It will be the sink applica-

tion to help them to share the information through the

network.

The six source applications are composed by the

same components, the difference concerns the per-

missions to read data described above. We have

three components: MainActivity, SourceService and

AlarmBroadcastReceiver.

MainActivity requires the permissions for access

to sensitive information, once obtained, by means of

an intent is started SourceService, thanks to startFore-

groundService() method. The SourceService calls the

createNotiﬁcation() method, which is used to create

the notiﬁcation to be passed as a parameter to the

startForeground() method, to avoid stopping the ser-

vice.

The SourceService collects the target data of the at-

tack through a different method for each of the six

source applications (in some cases this function is per-

formed by the MainActivity, which will then pass the

information within the intent to start the service).

Using an AlarmManager, the time at which synchro-

nization with the sink application takes place to start

sending data is set. Then AlarmManager creates an

alarm that sends an intent to the AlarmBroadcastRe-

ceiver, so that the service can transmit the data every

day at the same time (Figure 2).

Before sending the data, the service must encode

them in such a way as to create a vibration pattern to

allow the accelerometer values to be changed. The

information must be converted to binary, as there are

two states of the vibration engine: 1 vibration, 0 no

vibration. Extended ASCII code, an 8-bit coding sys-

tem, was used for data encoding.

The Vibrator class is used to manage vibrations,

which, using the vibrate() method, makes the smart-

phone vibrate in a certain way. An array of type long

is passed to the method indicating how to turn vi-

bration on and off. Each element of the array rep-

resents the time (in milliseconds) in which the device

must vibrate or not. The ﬁrst value indicates the time

to wait before the vibration motor is activated; the

ForSE 2021 - 5th International Workshop on FORmal methods for Security Engineering

814

Figure 2: Code snippet about the time setting to synchronize the two colluding apps.

second value indicates the time in which it must vi-

brate; the third value indicates the time in which it

must deactivate and so on, alternating periods of vi-

brations and periods of ”rest”. The createPattern()

method was implemented to create the pattern. With

the onSensorChanged() method, contained in the Sen-

sorEventListener class implemented by the service, it

is possible to check whether the user is using the de-

vice or not. This method is called when there is a

new sensor event. If onSensorChanged() does not de-

tect any movement of the device during the agreed

time period, it calls sendData() after this time, with

which the actual data transmission begins. The send-

Data() method invokes createPattern() and gives the

created pattern to the Vibrate method, which receives

the value ”-1” to avoid to repeat the vibration path just

executed. Then is invoked postDelayed, a method that

uses two parameters (Runnable and an Int value) to

postpone screenOn method according to the duration

of the vibration path.

3.2 Sink Application

The sink application, after starting the service, syn-

chronizes with the source application and begins read-

ing the accelerometer data, recording them and enter-

ing them into the network. The sink application re-

quires two permissions:

• Foreground Service: as described above, it cre-

ates the service for communication.

• Internet: it allows to use network sockets to con-

nect to the internet, so as to send data to the at-

tacker and terminate the attack.

Also the sink application is composed by three com-

ponents: MainActivity, SinkService and AlarmBroad-

castReceiver.

MainActivity and AlarmBroadcastReceiver per-

form the same functions described for the source ap-

plication, except for requesting permissions, which is

not needed for the sink application. The SinkService

must call the createNotiﬁcation() to avoid a shutdown

and then set the alarm to synchronize its operation

with that of the other applications.

Once it receives the signal from the AlarmBroadcas-

tReceiver, it checks that the device is not using onSen-

sorChanged(). This method assigns the acceletome-

ter three ﬂoat variables, according to the x, y and z

coordinates, allowing us to read the changes in the

sensor data caused by vibrations and capture the in-

formation sent. If the smartphone movement is de-

tected, the communication stops, otherwise the ser-

vice invokes receiveData(), that checks that the de-

vice is suspended. The communication then contin-

ues in the manner described above, until the source

application communicates to the SinkService that it

can terminate the data collection.

If the screen is off, the postDelayed() method is

called by the handler to start recData() in order to

read the data in another way: this method records the

values related to the three of the accelerometer in a

ﬂoat-type array, repeating this process several times

during the time it takes the source application service

to send a single bit. Meanwhile, the ﬁrst mode is per-

formed, which consists of inserting bits with value 1

or value 0 in an int type array, based on the value as-

sumed by one of the three sensor coordinates. Each

time interval (equals to the milliseconds in which a

single bit is sent by the SourceService) is restarted re-

ceiveData(). If the screen turns on, the PowerMan-

ager class, having detected the Wake Lock, calls the

method to save the ﬂoat array in an internal applica-

tion ﬁle and the one to decode the bits, extracting the

information (Figure 3).

4 ANTIMALWARE ANALYSIS

To test the effectiveness of attack model we designed,

the developed Android applications have been in-

Colluding Covert Channel for Malicious Information Exﬁltration in Android Environment

815

Figure 3: Code snippet related to the accelerometer data collection.

stalled on three different real-world devices: Sam-

sung Galaxy S8 (released in 2017, Android version:

Android 7.0 Nougat), Huawei P10 Plus (released in

2017, Android version: Android 7.0 Nougat), Oppo

Reno2 (released in 2019, Android version: Android

9.0 Pie).

On all the considered Android device models the

attacks were correctly perpetrated. During the ex-

perimental analysis, the applications always managed

to synchronize, sending and receiving data on sched-

ule. Tests were carried out on the ability to be able to

pick up data, encode them without errors in the vibra-

tion pattern, and the actual ability of the channel to

carry data was tested, so that the sink application can

receive the correct message. The channel has been

tested by sending messages of various lengths, based

on the type of information contained.

Here there is an example of a message exchanged

between the colluding apps based on the e-mail,

along with its binary representation:

attacker@collusion.com

01100001 01110100 01110100 01100001 01100011

01101011 01100101 01110010 01000000 01100011

01101111 01101100 01101100 01110101 01110011

01101001 01101111 01101110 00101110 01100011

01101111 01101101

Each bit is transmitted with an interval of 400

milliseconds, making the vibration motor follow the

following pattern:

0, 800, 1600, 400, 400, 1200, 400, 400, 1200,

1200, 400, 400, 1200, 800, 1600, 400, 400, 800,

1200, 800, 400, 800, 400, 400, 400, 800, 400, 800,

800, 400, 400, 400, 400, 1200, 800, 400, 800, 400,

2800, 800, 1200, 800, 400, 800, 400, 1600, 400, 800,

400, 800, 1200, 800, 400, 800, 1200, 1200, 400, 400,

400, 400, 400, 1200, 800, 800, 400, 800, 400, 400,

800, 400, 400, 800, 400, 1600, 400, 800, 400, 1200,

1200, 400, 400, 1200, 800, 800, 1200, 800, 400, 800,

400, 1600, 400, 800, 400, 800, 400, 400

The part highlighted in red in the pattern is the

one corresponding to the ﬁrst byte of the e-mail

conversion to binary. When there are consecutive

bits of the same type, the 400 milliseconds interval

is added by their number (i.e., 011100 will be [0,

1200, 800]). The 400 milliseconds interval allowed to

eliminate the error rate, otherwise the sink application

would not be able to separate the bits correctly. It

took 70.4 seconds for the message to be sent (with a

transmission rate equal to 2.5 bps).

About the data extraction carried out on the

device, we had problems choosing the coordinate

from which to read the vibration: x, y, z or a com-

ForSE 2021 - 5th International Workshop on FORmal methods for Security Engineering

816

Table 1: VirusTotal classiﬁcation results.

Application Name Trusted For N

◦

Antimalware Not Trusted For N

◦

Antimalware FP

SinkApp.apk 62/62 0/62 0

SMSSourceApp.apk 61/62 1/62 1

EmailSourceApp.apk 63/63 0/63 0

TelSourceApp.apk 62/63 1/63 1

IMEISourceApp.apk 62/62 0/62 0

ContactsSourceApp.apk 62/62 0/62 0

CalendarSourceApp.apk 63/63 0/63 0

bination of them. Acceleration along the x axis and

acceleration along the z axis were the best ﬁgures

for Samsung and Huawei. For the Oppo it was only

possible to obtain information on the x axis.

The applications developed have been checked

by VirusTotal

, an online antivirus service owned by

Google, which scans ﬁles and URLs to detect any

malware. The analysis takes place with more than 60

scanning engines and can also be used to ﬁnd ”false

positives” (i.e., ﬁles that are not dangerous but recog-

nized as such).

Once scanned, applications were not classiﬁed as

malware. The SMS reader and the Telephone Num-

ber applications have been classiﬁed as generic threat

by the TrustLook antimalware, as shown in the Table

1, due to the fact that they have permission to access

messages and contact numbers, actions not allowed

by the antimalware. For this reason, a test was per-

formed, by submitting to VirusTotal an application

with an empty activity and the READ SMS permis-

sion (contained in both applications), and it was also

classiﬁed as generic threat by the TrustLook antimal-

ware.

5 RELATED WORK

Covert channels allow an hidden communication to

launch a colluding attack, in this regard in (Wang

et al., 2020) the authors have developed Multichan-

nel Communication System (MSYM), a mechanism

for the transmission of sensitive data in a mobile en-

vironment. Its operation is based on the use of the An-

droid VpnService interface, allowing the interception

of the data sent and split it in different parts that will

be disordered and encrypted across multiple transmis-

sion channels.

The authors in (Al-Haiqi et al., 2014) have de-

cided to exploit the accelerometer as a covert channel

and have developed a source and a sink application in

Android to demonstrate that through this sensor it is

https://www.virustotal.com/

possible to pass encrypted information between appli-

cations. Applications cannot directly generate or ma-

nipulate sensor data to transmit information, they can

only read sensor signals to obtain information about

the environment and user actions.

MAGNETO (Guri, 2020) is a secret communica-

tion proposal on air-gap systems and nearby smart-

phones based on the magnetic ﬁelds generated by the

CPU. This attack uses the magnetometer, which is the

magnetic sensor inside the devices used for orienta-

tion and positioning, to steal data from computers.

The generation of magnetic signals occurs as the CPU

workload changes.

The researchers in (Denney et al., 2018) propose

a method to create a covert channel starting from the

notiﬁcations shown on an Android device when we

receive e-mails or SMS messages. This covert chan-

nel uses Android Wearable notiﬁcations to send data

through applications sited on the same device or on

different devices. There are two applications: the ﬁrst

one creates the notiﬁcation that will be used as covert

channel, the second one reads the notiﬁcation and de-

termines the hidden message.

6 CONCLUSION AND FUTURE

WORK

The large amount of resources present in mobile de-

vices makes it possible to implement various types of

covert channels to initiate a hidden communication of

sensitive information. One of these is to use the ac-

celerometer data, modiﬁed through the vibration mo-

tor according to certain coding patterns.

The proposed covert channel proved capable of

transmitting data effectively and in a silent way. Such

a channel is particularly difﬁcult to detect, as it does

not establish any explicit communication between

colluding applications. This made it possible for ap-

plications to launch the attack, without being classi-

ﬁed as threats.

As future work we plan to extend the communica-

tion to other sensors of the device, so as to create new

Colluding Covert Channel for Malicious Information Exﬁltration in Android Environment

817

covert channels. Moreover, we will study techniques

aimed to detect this kind of communication.

As a matter of fact, we plan to apply formal meth-

ods for implementing an approach for identifying

these communications, so as to demonstrate how it

is possible to counter them. As a matter of fact, in

literature formal methods already demonstrated their

ability to detect malicious communication between

Android applications (Iadarola et al., 2020; Casolare

et al., 2020b).

ACKNOWLEDGEMENTS

This work has been partially supported by MIUR -

SecureOpenNets, EU SPARTA, CyberSANE and E-

CORRIDOR projects.

REFERENCES

Al-Haiqi, A., Ismail, M., and Nordin, R. (2014). A new

sensors-based covert channel on android. The Scien-

tiﬁc World Journal, 2014.

Canfora, G., Martinelli, F., Mercaldo, F., Nardone, V., San-

tone, A., and Visaggio, C. A. (2018). Leila: formal

tool for identifying mobile malicious behaviour. IEEE

Transactions on Software Engineering, 45(12):1230–

1252.

Casolare, R., Martinelli, F., Mercaldo, F., and Santone, A.

(2020a). Android collusion: Detecting malicious ap-

plications inter-communication through sharedprefer-

ences. Information, 11(6):304.

Casolare, R., Martinelli, F., Mercaldo, F., and Santone, A.

(2020b). Malicious collusion detection in mobile en-

vironment by means of model checking. In 2020

International Joint Conference on Neural Networks

(IJCNN), pages 1–6. IEEE.

Cimino, M. G., De Francesco, N., Mercaldo, F., San-

tone, A., and Vaglini, G. (2020). Model checking

for malicious family detection and phylogenetic anal-

ysis in mobile environment. Computers & Security,

90:101691.

Cimitile, A., Mercaldo, F., Nardone, V., Santone, A., and

Visaggio, C. A. (2018). Talos: no more ransomware

victims with formal methods. International Journal of

Information Security, 17(6):719–738.

Denney, K., Uluagac, A. S., Aksu, H., and Akkaya, K.

(2018). An android-based covert channel framework

on wearables using status bar notiﬁcations. In Versa-

tile Cybersecurity, pages 1–17. Springer.

Enck, W. (2011). Defending users against smartphone apps:

Techniques and future directions. In International

Conference on Information Systems Security, pages

49–70. Springer.

Enck, W., Gilbert, P., Han, S., Tendulkar, V., Chun, B.-

G., Cox, L. P., Jung, J., McDaniel, P., and Sheth,

A. N. (2014). Taintdroid: an information-ﬂow track-

ing system for realtime privacy monitoring on smart-

phones. ACM Transactions on Computer Systems

(TOCS), 32(2):1–29.

Guri, M. (2020). Magneto: Covert channel between air-

gapped systems and nearby smartphones via cpu-

generated magnetic ﬁelds. Future Generation Com-

puter Systems.

Iadarola, G., Martinelli, F., Mercaldo, F., and Santone,

A. (2020). Call graph and model checking for ﬁne-

grained android malicious behaviour detection. Ap-

plied Sciences, 10(22):7975.

Mahboubi, A., Camtepe, S., and Morarji, H. (2017). A

study on formal methods to generalize heterogeneous

mobile malware propagation and their impacts. IEEE

Access, 5:27740–27756.

Marforio, C., Ritzdorf, H., Francillon, A., and Capkun, S.

(2012). Analysis of the communication between col-

luding applications on modern smartphones. In Pro-

ceedings of the 28th Annual Computer Security Appli-

cations Conference, pages 51–60.

Mercaldo, F., Nardone, V., Santone, A., and Visaggio,

C. A. (2016a). Hey malware, i can ﬁnd you! In

2016 IEEE 25th International Conference on En-

abling Technologies: Infrastructure for Collaborative

Enterprises (WETICE), pages 261–262. IEEE.

Mercaldo, F., Visaggio, C. A., Canfora, G., and Cimitile,

A. (2016b). Mobile malware detection in the real

world. In 2016 IEEE/ACM 38th International Confer-

ence on Software Engineering Companion (ICSE-C),

pages 744–746. IEEE.

Nguyen, T., Mcdonald, J., Glisson, W., and Andel, T.

(2020). Detecting repackaged android applications us-

ing perceptual hashing. In Proceedings of the 53rd

Hawaii International Conference on System Sciences.

Shrestha, P. L., Hempel, M., Rezaei, F., and Sharif, H.

(2015). A support vector machine-based frame-

work for detection of covert timing channels. IEEE

Transactions on Dependable and Secure Computing,

13(2):274–283.

Wang, W., Tian, D., Meng, W., Jia, X., Zhao, R., and

Ma, R. (2020). Msym: A multichannel communica-

tion system for android devices. Computer Networks,

168:107024.

ForSE 2021 - 5th International Workshop on FORmal methods for Security Engineering

818