Researchers Sidestep Bouncer Security, Plant Malware in Google Play

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Duo Security researchers Jon Oberheide and Charlie Miller recently demonstrated a method of outwitting Google's Bouncer security solution in order to plant malware in the official Google Play store. The pair will present their findings later this week at the SummerCon conference in Brooklyn.

"In a video demonstration, they show how one of their techniques gives them a remote connection to an emulated Android device hosted by Bouncer," writes Ars Technica's Dan Goodin. "By feeding it commands to display files and reveal system attributes, the researchers were able to divulge information about the way the system works."

"The video ... shows an app opening a connection to the two researchers, while running in the virtual Bouncer environment, and providing them with a Linux command-line shell," The H Security reports. "They can then move freely within the virtual machine, observing, for example, that it uses QEMU. A Trojan could also determine this -- say, by noting the existence of the /sys/qemu_trace directory -- and then be on its best behaviour."

"Oberheide suggests one way Bouncer could better safeguard Android would be to run its scans on real, physical phones rather than simulated ones," writes Forbes' Andy Greenberg. "But even then, he says, malware could still outgame the scanner. In its current form, for instance, the program only tests apps for five minutes. A program that waits six minutes before beginning its mischief wouldn’t be detected, Oberheide says."

"The researchers have talked with Google about the general outline of their findings and Oberheide said he expects the company to respond, but that the larger problem with Bouncer will be difficult to solve," writes Threatpost's Dennis Fisher. "'These issues are non-trivial to fix. They can knock off a few of the easier ones, but it's a long-term problem,' he said."