You might want to think twice about that Android app you’re about to
download. Even if Google’s built-in malware scanner gave it a green
light, there’s still a chance it could be a fake.
Google was applauded earlier this year for launching “Bouncer,”
a scanning service designed to identify malicious apps in its Play
Market (formerly known as the Android Market) before Android users
mistakenly download them. But, according to two notable security
researchers, the tech giant’s bodyguard feature can be easily tricked.
At this week’s SummerCon conference in New York, Charlie Miller and Jon
Oberheide will demonstrate the specifics of how Google Bouncer tests
potentially harmful apps, and how they were able to exploit their
newfound knowledge to sneak an app right past the doorman.
Google’s Bouncer service tests apps it deems hazardous in a “virtualized environment,” Andy Greenberg from Forbes reported.
Rather than testing the sketchy software on an actual device, Google
creates a simulated phone. But this, Greenberg said, is where the cracks
start to form.
“If malware can be designed to detect that it’s running on that
simulated gadget rather than the real thing, it can temporarily suppress
its evil urges, pass Google’s test and make its way onto a real phone
before wreaking havoc,” he wrote.
To press the bouncer-nightclub metaphor, Miller and Oberheide found out
a way to get a weapon-wielding minor in a bar by making him look,
temporarily, like a sweet old lady.
Miller and Oberheide took advantage of the simulated malware testing
environment by submitting a testing app to the Play Market that gave
them remote access to a device in order to analyze Bouncer’s scans. What
they found, Greenberg said, is that every virtualized Android device
used by Bouncer is registered to the same account,
Miles.Karlson@gmail.com, and, to pose as a real phone user, contains
just one contact, Michelle.firstname.lastname@example.org.
“The question for Google is, how do you make it so the malware doesn’t
know it’s running in a simulated environment,” Oberheide told Forbes.
“You want to pretend you’re running a real system. But a lot of tricks
can be played by malware to learn that it’s being monitored.”
To poke holes in Google’s facade, the researchers crafted a malicious Android app called HelloNeon to the Play Market June 3. The app made it through Bouncer’s scan untouched.
Google did not immediately return a request for comment from SecurityNewsDaily.
Copyright 2012 SecurityNewsDaily, a TechMediaNetwork company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.