Google's Bouncer Android-malware detection system isn't flawless, and two researchers have found ways to sneak malicious apps into the Google Play store by learning Bouncer's behavior and circumventing safeguards.

In an effort to help rid the Google Play store (formerly the Android Market) of potentially harmful software, Google earlier this year rolled out a malware detection system it calls “Bouncer.” The automated Bouncer system basically scans all Android apps that are submitted to Google Play for obvious signs of mobile maleficence and removes or flags questionable downloads. Sounds good, right?

Sure, but there’s one glaring problem. Bouncer is just a system, and as such, it can be examined for weaknesses and exploited. Two researchers from Duo Security have done just that.

Duo’s Jon Oberheide and Dr. Charles Miller plan to detail their findings later this week at the SummerCon conference in New York City, but they’ve already described their success in sneaking past Google’s Bouncer in a blog post. The pair simply submitted a malicious app to Google Play, received a “connect-back shell” on the Bouncer infrastructure and then copied and explored its environment.

From Duo Security: “We received the callback and now have a remote interactive shell running on the emulated Android device hosted by Bouncer.
We can poke around the system using our shell to look for interesting attributes of the Bouncer environment such as the version of the kernel it's running, the contents of the filesystem, or information about some of the devices emulated by the Bouncer environment…[T]his is just one technique to fingerprint the Bouncer environment, allowing a malicious app to appear benign when run within Bouncer, and yet still perform malicious activities when run on a real user’s device.”

It’s certainly not surprising to see flaws identified in Google’s Bouncer for Android, and anyone with any sort of mobile security sense was probably skeptical of the system from the start—I know I was. But the Duo Security researchers are the first to demonstrate specific methods of deception, at least that I know of. Check out the video above for more specifics.

AS

Via DuoSecurity.com