In an effort to help rid the Google Play store (formerly the Android Market) of potentially harmful software, Google earlier this year rolled out a malware detection system it calls "Bouncer." The automated Bouncer system basically scans all Android apps that are submitted to Google Play for obvious signs of mobile maleficence and removes or flags questionable downloads.
Sounds good, right? Sure, but there's one glaring problem. Bouncer is just a system, and as such, it can be examined for weaknesses and exploited. Two researchers from Duo Security have done just that.
Duo's Jon Oberheide and Dr. Charles Miller plan to detail their findings later this week at the SummerCon conference in New York City, but they've already described the success in sneaking past Google's Bouncer in a blog post.
The pair simply submitted a malicious app to Google Play, received a "connect-back shell" on the Bouncer infrastructure and then copied and explored its environment.
From Duo Security:
"We received the callback and now have a remote interactive shell running on the emulated Android device hosted by Bouncer. We can poke around the system using our shell to look for interesting attributes of the Bouncer environment such as the version of the kernel its running, the contents of the filesystem, or information about some of the devices emulated by the Bouncer environment…[T]his is just one technique to fingerprint the Bouncer environment, allowing a malicious app to appear benign when run within Bouncer, and yet still perform malicious activities when run on a real user’s device."
It's certainly not surprising to see flaws identified in Google's Bouncer for Android, and anyone with any sort of mobile security sense was probably skeptical of the system from the start—I know I was. But the Duo Security researchers are the first to demonstrate specific methods of deception, at least that I know of. Check out the video above for more specifics.