Union under Duress

Understanding Hazards of Duplicate Resource Mismediation in Android Software Supply Chain

Malicious third-party libraries have become a major source of security risks to the Android software supply chain. A recent study shows that a malicious library could harvest data from other libraries hosted in the same app via unauthorized access to the libraries’ APIs. However, it remains unexplored whether third-party libraries could still pose a threat to the other libraries after their code and runtime behaviors have been thoroughly vetted for security.

A third-party Android library typically contains diverse resources to support its operations. These resources, together with the other libraries’ resources, are managed by the Android resource compiler (ARC) in the app build process. ARC needs to mediate the resources in cases where multiple libraries have duplicate or incompatible resources.

In this paper, we report a new attack surface on the Android app supply chain: duplicate resource mismediation (Duress). This attack surface opens an opportunity for attackers to contaminate the security- and privacy-sensitive resources of a victim library with a carefully crafted malicious library by exploiting the intrinsic flaws in the duplicate resource mediation process of ARC. With the attack, an attacker can stealthily mislead the victim library and its users into exposing sensitive data, and lower the security protections of the victim library. Further, we conduct the first systematic study to measure the security impacts of Duress risks. Our study has brought to light the pervasiveness of the Duress risks in third-party libraries: our analysis of over 23K libraries discovered that 18.4% of libraries are exposed to the Duress threat, and 25.7% of them have sensitive resources that duplicate resources of other libraries in the wild (causing integration risks). We also identified the presence of real-world attacks in over 400 apps. We made responsible disclosure of Duress risks to Google and the developers of affected apps. To mitigate the risks, we discuss a lightweight, compile-time mitigation that uses resource isolation to prevent a malicious library from contaminating the sensitive resources of other libraries.
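As an added example that is not part of the paper or its artifact, the following pre-build check models the situation described above: it parses the res/values definitions of several libraries, finds resource names defined by more than one library, and flags those whose values disagree, since those are the cases the resource merger must mediate. The library names, resource names and values are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: res/values XML as it would appear in three libraries'
# AARs. Library and resource names are hypothetical, not from the paper.
LIBRARY_RESOURCES = {
    "victim-sdk": """
        <resources>
            <string name="victim_api_endpoint">https://api.victim.example</string>
            <bool name="victim_verify_tls">true</bool>
            <string name="victim_ui_title">Sign in</string>
        </resources>""",
    "suspicious-lib": """
        <resources>
            <string name="victim_api_endpoint">https://collector.example</string>
            <bool name="victim_verify_tls">false</bool>
            <color name="brand_primary">#112233</color>
        </resources>""",
    "benign-lib": """
        <resources>
            <color name="brand_primary">#112233</color>
        </resources>""",
}

def parse_values(xml_text):
    """Return {(type, name): value} for one res/values XML document."""
    root = ET.fromstring(xml_text)
    return {(child.tag, child.get("name")): (child.text or "").strip()
            for child in root if child.get("name")}

def find_duplicate_resources(libraries):
    """Map each (type, name) defined by more than one library to
    {library: value}. These are the resources the build has to mediate."""
    owners = defaultdict(dict)
    for lib, xml_text in libraries.items():
        for key, value in parse_values(xml_text).items():
            owners[key][lib] = value
    return {key: libs for key, libs in owners.items() if len(libs) > 1}

def conflicting(duplicates):
    """Keep only duplicates whose values differ: one library's value will
    override another's, so these need review before the app is built."""
    return {k: v for k, v in duplicates.items() if len(set(v.values())) > 1}

if __name__ == "__main__":
    dups = find_duplicate_resources(LIBRARY_RESOURCES)
    for (rtype, name), libs in sorted(conflicting(dups).items()):
        print(f"CONFLICT {rtype}/{name}: {libs}")
```

Identical duplicates (here `brand_primary`) are reported separately from conflicting ones, so a reviewer can focus on the entries where a lower-priority library's value would replace a security-relevant setting.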


Major contributions

Discovery of the new attack surface

We discovered a new attack surface on the Android software supply chain, whose build process cannot effectively mediate duplicated resources from different libraries. This opens an opportunity for an adversary to contaminate the supply chain with a carefully crafted library and perform a highly stealthy, cross-library attack that lowers a target library's protection or misleads the target or its users into exposing sensitive information.

Understanding of the new threat

We performed the first systematic study of the impacts of the new threat. Our analysis has brought to light the pervasiveness of the risks in the supply chain and even the presence of real-world attacks, which highlights the importance of elevating the security protection of today's supply chain to address the threat.


Questions?

Contact [email] to get more information on the project