Mobile security experts demonstrate how they were able to “fingerprint” Bouncer to sneak malicious apps onto the Android market.
Mobile security researchers say they have identified flaws in Google’s system to keep malware off Google Play.
Duo Security’s Jon Oberheide and Charlie Miller say they exploited weaknesses in Google’s Bouncer service to sneak malicious apps on to the Android market. Oberheide demonstrated in a video presentation (see below) how he submitted a fake app and used a remote shell it got access to when Bouncer attempted to analyze the app. That access allowed the pair to “look for interesting attributes of the Bouncer environment, such as the version of the kernel it’s running, the contents of the file system, or information about some of the devices emulated by the Bouncer environment,” he said.
“This is just one technique to fingerprint the Bouncer environment, allowing a malicious app to appear benign when run within Bouncer, and yet still perform malicious activities when run on a real user’s device,” Oberheide said in the video, which was released today ahead of a planned presentation later this week at the SummerCon conference.
Introduced in February, Bouncer is an automated process that scans apps for known malware, spyware, and Trojans, and looks for suspicious behaviors and compares them against previously analyzed apps. If malicious code or behavior is detected, the app is flagged for manual confirmation that it is malware.
Unlike Apple, which vets every iPhone app before it hits the iTunes Marketplace, Google does not require pre-approval for Android apps. Instead, it does the screening of the apps behind the scenes when the developers upload them to the Android Market.
However, “while Bouncer may be unable to catch sophisticated malware from knowledgeable adversaries currently, we’re confident that Google will continue to improve and evolve its capabilities,” Oberheide wrote in a companion blog post. “We’ve been in touch with the Android security team and will be working with them to address some of the problems we’ve discovered.”
CNET has contacted Google for comment and will update this report when we learn more.
