Anti-plugin: don't let your app play as an Android plugin

semanticscholar(2017)

Abstract
The Android plugin technology is an innovative application-level virtualization framework that allows a mobile application to dynamically load and launch another app without installing it. This technology was originally developed for hot patching and for reducing the size of the released APK. Its primary application today is to satisfy the growing demand for launching multiple instances of the same app on the same device, such as logging in to two Twitter accounts, one personal and one business, simultaneously. The most popular app powered by this technology, Parallel Space, has been installed 50 million times in Google Play. However, as we know, it never takes malware authors long to catch on to new mobile trends. In the wild, by applying the plugin technology, a newly discovered Android malware, “Dual-instance”, dynamically loads and launches the original Twitter app’s APK file within itself and also hijacks the user’s inputs (e.g. password) to launch a phishing attack. In addition, after comprehensively analyzing the security risks of the Android plugin technology, we find that the data stored by a plugin app can be stolen by a malicious host app or by other plugin apps. In our Wildfire product, we have captured 119,898 samples using the Android plugin technology, among which 114,630 samples are malicious or grey. Thus, the Android plugin technology is becoming a new security threat to normal Android apps. Our proposal demystifies the Android plugin technology in depth, explains the underlying attack vector and investigates the fundamental security problems. We propose a lightweight defense mechanism and release a library, named PluginKiller, which prevents an Android app from being launched by a host app using the Android plugin technology. Once a benign Android app embeds the library, the app can detect potential threats from the virtual environment and terminate itself when it is launched.