In association with heise online

27 July 2012, 15:35

Google's anti-malware Bouncer too tolerant

Security researchers from Trustwave's SpiderLabs have probed how much malicious behaviour Google's Bouncer tolerates. Bouncer is the automated scanning component intended to keep malicious Android apps out of the Google Play store. The researchers first uploaded a benign app to the store and then added malicious routines to it in successive updates. The result: Bouncer only reacted once the experiment was pushed to an extreme and all pretence of subtlety was dropped. The researchers presented their findings at the Black Hat information security conference in Las Vegas.

Developed by Nicolas Percoco and Sean Sulte, the SMS Bloxor Android app claimed to simply filter and block incoming SMS messages, but it really only had a single purpose: to find the pain threshold of Google's Bouncer malware scanner. For their experiment, the researchers initially uploaded the app without any malicious routines. This allowed them to establish, for example, the IP range of the Bouncer's servers. They then equipped their app with the ability to execute malicious program components only if it was started outside of the Bouncer's IP range.

Once the researchers had succeeded in getting their app past the Bouncer this way, they began to test its limits. First, they removed the IP filter, which didn't catch the attention of the malware scanner: new app versions could be added to the Play Store without any problems. Google only blocked the developer account once the researchers configured the alleged SMS blocker in such a way that it sent the address book of the Bouncer's simulated HTC smartphone to an external server every second. 24 hours later, the app had disappeared from the store.

To add the malicious program components, the developers used a technique that the Facebook and Netflix apps also rely on: a JavaScript bridge, through which a WebView inside the app exposes native Java methods to JavaScript fetched from a remote server after the app has been installed on the user's device. Functionality delivered this way runs at runtime and can be changed on the server side without pushing a new version of the app through the store. To prevent unwitting Android users from installing the app, Sulte and Percoco listed it at the prohibitively expensive price of $50.
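The bridge mechanism described above, as an added illustration that is not SMS Bloxor's code (the researchers did not publish it here): a minimal Android activity that exposes a Java object to a script loaded from a server at runtime. The host name rules.example.com, the class and method names, and the script contents are assumptions for the example.

```java
// Added example of a WebView JavaScript bridge of the kind the article
// describes. Not SMS Bloxor's code; rules.example.com and all names are invented.
import android.app.Activity;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class FilterActivity extends Activity {
    // Hypothetical endpoint. The script served here is the only place the
    // filtering logic lives; nothing in the APK itself says what gets blocked.
    private static final String RULE_URL = "https://rules.example.com/filter.js";

    // Bridge methods are invoked on a WebView-owned background thread, so the
    // shared state needs to be thread-safe.
    private final Set<String> blockedNumbers =
            Collections.synchronizedSet(new HashSet<String>());

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView wv = new WebView(this);
        wv.getSettings().setJavaScriptEnabled(true);
        // Keep navigation inside this WebView; without a client, Android may
        // hand the URL to the system browser instead.
        wv.setWebViewClient(new WebViewClient());
        // Each method below marked @JavascriptInterface becomes callable from
        // the page as Bridge.<method>(...). With targetSdk below 17 every public
        // method of the object is exposed, annotation or not.
        wv.addJavascriptInterface(new Bridge(), "Bridge");
        setContentView(wv);
        // The fetched script executes with access to the bridge. Whatever the
        // server returns at the time of this request is what runs; the store
        // never saw it, and the server may answer differently per client.
        wv.loadUrl(RULE_URL);
    }

    /** Native side of the bridge: the whole surface the remote script can reach. */
    public class Bridge {
        @JavascriptInterface
        public void block(String number) {
            blockedNumbers.add(number);
        }

        @JavascriptInterface
        public boolean isBlocked(String number) {
            return blockedNumbers.contains(number);
        }
    }

    /*
     * Constructed example of filter.js as served from RULE_URL (benign version):
     *
     *     Bridge.block("+15550100");
     *     Bridge.block("+15550101");
     *
     * Replacing this file on the server changes the app's behaviour on every
     * installed device with no APK update and no further store review. What
     * such a script can do is bounded only by what the Bridge class exposes,
     * which is why the methods above touch nothing but an in-memory set.
     */
}
```

The pattern a store-side or enterprise reviewer should look for is the pairing of addJavascriptInterface with a loadUrl to a remote host: a static scan of the APK sees only the bridge, never the logic, and a dynamic scan sees only the script the server chose to serve to the scanner's address. From Android 4.2 (API 17) onwards, only methods annotated with @JavascriptInterface are reachable from JavaScript, which limits the exposed surface but does not change the review problem.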

(Uli Ries / crve)
