Google's Bouncer Android-malware detection system isn't flawless, and two researchers have found ways to sneak malicious apps into the Google Play store by learning Bouncer's behavior and circumventing safeguards.
By Al Sacco
Managing Editor, CIO
In an effort to help rid the Google Play store (formerly the Android Market) of potentially harmful software, Google earlier this year rolled out a malware detection system it calls “Bouncer.” The automated Bouncer system basically scans all Android apps that are submitted to Google Play for obvious signs of mobile maleficence and removes or flags questionable downloads.
Sounds good, right? Sure, but there’s one glaring problem. Bouncer is just a system, and as such, it can be examined for weaknesses and exploited. Two researchers from Duo Security have done just that.
Duo’s Jon Oberheide and Dr. Charles Miller plan to detail their findings later this week at the SummerCon conference in New York City, but they’ve already described the success in sneaking past Google’s Bouncer in a blog post.
The pair simply submitted a malicious app to Google Play, received a “connect-back shell” on the Bouncer infrastructure and then copied and explored its environment.
From Duo Security:
“We received the callback and now have a remote interactive shell running on the emulated Android device hosted by Bouncer. We can poke around the system using our shell to look for interesting attributes of the Bouncer environment such as the version of the kernel its running, the contents of the filesystem, or information about some of the devices emulated by the Bouncer environment…[T]his is just one technique to fingerprint the Bouncer environment, allowing a malicious app to appear benign when run within Bouncer, and yet still perform malicious activities when run on a real user’s device.”
It’s certainly not surprising to see flaws identified in Google’s Bouncer for Android, and anyone with any sort of mobile security sense was probably skeptical of the system from the start—I know I was. But the Duo Security researchers are the first to demonstrate specific methods of deception, at least that I know of. Check out the video above for more specifics.
Al Sacco was a journalist, blogger and editor who covers the fast-paced mobile beat for CIO.com and IDG Enterprise, with a focus on wearable tech, smartphones and tablet PCs. Al managed CIO.com writers and contributors, covered news, and shared insightful expert analysis of key industry happenings. He also wrote a wide variety of tutorials and how-tos to help readers get the most out of their gadgets, and regularly offered up recommendations on software for a number of mobile platforms. Al resides in Boston and is a passionate reader, traveler, beer lover, film buff and Red Sox fan.