Google's Bouncer malware scanner for Android pwned
Jon Oberheide and Charlie Miller have apparently managed to capture Google's Bouncer, which is designed to examine Android apps for potentially malicious functions. In a presentation at the end of the week, they plan to explain how they smuggled software with malicious functions past Google's tests and onto the Google Play app market.
Since 2011, Google has combed through its own app store for potentially malicious programs by executing and observing the apps in a virtual environment. The video, which has already been posted, shows an app opening a connection to the two researchers, while running in the virtual Bouncer environment, and providing them with a Linux command-line shell. They can then move freely within the virtual machine, observing, for example, that it uses QEMU. A trojan could also determine this – say, by noting the existence of the /sys/qemu_trace directory – and then be on its best behaviour.
This is intended to advertise their presentation later this week at Summercon in New York. The experts want to show how fraudsters can get malicious software into Google Play without worrying about being discovered by Bouncer. Of course, it's hardly surprising that there are ways of getting around automatic app testing in virtual machines. Windows trojans often specifically look for signs of VMware or other virtualisation techniques and then play dead to make an analysis more difficult. In fact, anti-virus software companies recently realised that they have had samples of the Flame superspy in their software pools for years, but it never triggered their test programs.