Researchers beat Google’s Bouncer
When earlier this year Google introduced Bouncer – an automated app scanning service that analyzes apps by running them on Google’s cloud infrastructure and simulating how they would run on an Android device – it shared practically nothing about how it operates, in the hope of making malicious app developers scramble for a while to discover how to bypass it.
As it turned out, several months later security researchers Jon Oberheide and Charlie Miller discovered – among other things – just what kind of virtual environment Bouncer uses (the QEMU processor emulator) and that all requests coming from Google came from a specific IP block, and they built an app that behaved like a legitimate one every time it detected this specific virtual environment.
Now two more researchers have effectively proved that Bouncer can be rather easily fooled into considering a malicious app harmless.
During a presentation at Black Hat, Trustwave’s Nicholas Percoco and Sean Schulte explained that they had created “SMS Blocker,” which appeared to be like any other SMS blocker app on the market but was also capable of harvesting information such as contacts, SMS messages and photos, launching DoS attacks, and even forcing a web page to load.
And yet, Bouncer repeatedly failed to flag it as malicious.
According to SC Magazine, they managed to do this by using a JavaScript bridge – a legitimate workaround used by the likes of Facebook and LinkedIn – which allows developers to remotely add new features to apps already accepted on Google Play and to modify how the file looks, all without going through the approval or update process again.
They also unearthed Bouncer’s IP address, so every time the app was fetched and executed by Bouncer, it behaved as a legitimate, harmless app.
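The two traits described above, a JavaScript bridge that lets behaviour be added remotely and logic that branches on the analysis environment, are exactly what a reviewer triaging decompiled app source can look for. The following script is an added, defender-side illustration and is not part of the original article or of Trustwave's research; the Android API names it matches are real, while the patterns, risk levels, sample sources and the 203.0.113.42 address are constructed placeholders.

```python
import re

# Heuristic triage of decompiled Android source for the two traits the Bouncer
# bypass relied on: a WebView JavaScript bridge and logic that branches on
# emulator properties or a hard-coded peer address. API names are real Android
# identifiers; patterns, risk levels and sample sources are constructed.
INDICATORS = {
    "js_bridge": [
        r"addJavascriptInterface\s*\(",
        r"setJavaScriptEnabled\s*\(\s*true\s*\)",
    ],
    "emulator_check": [
        r"Build\.(FINGERPRINT|HARDWARE|MODEL|PRODUCT)\b",
        r'"(generic|goldfish|qemu)',    # common emulator property values
    ],
    "origin_check": [
        r"getHostAddress\s*\(",
        r"\b\d{1,3}(\.\d{1,3}){3}\b",   # hard-coded IPv4 literal
    ],
}

def scan_source(src):
    """Return {indicator_name: [matched patterns]} for one source file."""
    hits = {}
    for name, patterns in INDICATORS.items():
        matched = [p for p in patterns if re.search(p, src)]
        if matched:
            hits[name] = matched
    return hits

def risk_level(hits):
    """A bridge alone is common in legitimate apps; a bridge combined with
    environment-conditional logic is what should go to manual review."""
    if "js_bridge" in hits and any(k in hits for k in ("emulator_check", "origin_check")):
        return "high"
    return "medium" if hits else "low"

# Constructed samples: a plain SMS blocker and one carrying both traits.
BENIGN = """public void onReceive(Context ctx, Intent intent) {
    if (blocked.contains(sender)) abortBroadcast(); }"""
SUSPICIOUS = """webView.getSettings().setJavaScriptEnabled(true);
webView.addJavascriptInterface(new Bridge(), "android");
// 203.0.113.42 is a TEST-NET placeholder, not any real scanner address
if (Build.HARDWARE.contains("goldfish") || peer.getHostAddress().equals("203.0.113.42")) {
    runBenignMode(); } else { loadRemoteFeatures(); }"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, risk_level(scan_source(src)), scan_source(src))
```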
Time and time again, the researchers added new malicious capabilities to the app, and time and time again, Bouncer would fail to notice the fact.
That went on for two weeks. And only when the team tweaked the app to execute every second did Bouncer notice it and suspend the developer account, Percoco shared with the audience.
He pointed out that everything they did is legitimate and allowed by Google from a developer standpoint, and that this was an oversight in the security Google applies to applications being approved.
During the time “SMS Blocker” was available on the online market, it was listed at a prohibitively high price so that regular customers would not download it.
Google has been apprised of the results of the research so that it can make changes and better secure Google Play and its users against malicious individuals.