Google's anti-malware Bouncer too tolerant
Security researchers from Trustwave's SpiderLabs have tested the tolerance level of Google's anti-malware Bouncer, its automated scanning component designed to prevent malicious Android apps from being published to the Google Play store. The researchers initially uploaded a benign app to the store and then gradually updated it with malicious routines over time. The result: Bouncer only kicked in once they pushed their experiment into high gear and dropped all pretence of subtlety. The researchers presented their findings at the Black Hat information security conference in Las Vegas.
Developed by Nicholas Percoco and Sean Schulte, the SMS Bloxor Android app claimed to simply filter and block incoming SMS messages, but it really only had a single purpose: to find the pain threshold of Google's Bouncer malware scanner. For their experiment, the researchers initially uploaded the app without any malicious routines. This allowed them to establish, for example, the IP range from which Bouncer's servers ran the app. They then equipped their app with the ability to execute its malicious program components only if it was started outside of Bouncer's IP range.
Once the researchers had succeeded in getting their app past the Bouncer this way, they began to test its limits. First, they removed the IP filter, which didn't catch the attention of the malware scanner: new app versions could be added to the Play Store without any problems. Google only blocked the developer account once the researchers configured the alleged SMS blocker in such a way that it sent the address book of the Bouncer's simulated HTC smartphone to an external server every second. 24 hours later, the app had disappeared from the store.
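The two weaknesses the experiment exposed, behaviour that depends on the analysis environment's IP range and permissions that creep in across successive updates, are both checkable on the analyst's side. The following added example (not code from the article, Trustwave or Google) flags them from constructed dynamic-analysis traces; the sandbox IP range, event names and version histories are placeholders.

```python
import ipaddress

# Constructed placeholder for the analysis sandbox's egress range (TEST-NET-3),
# not Bouncer's real address space.
SANDBOX_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def is_sandbox_ip(ip):
    """True if the run's egress address falls inside the sandbox range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SANDBOX_RANGES)


def diverging_behaviours(runs):
    """runs: list of (egress_ip, [observed events]) from repeated runs of the
    same APK, some from inside the sandbox range and some from elsewhere.
    Returns (events seen only outside, events seen only inside): an app that
    gates its payload on the analyser's IP range shows up in the first set."""
    inside, outside = set(), set()
    for ip, events in runs:
        (inside if is_sandbox_ip(ip) else outside).update(events)
    return outside - inside, inside - outside


def permission_escalation(versions):
    """versions: ordered list of (version, set of permissions) for one app.
    Returns [(version, newly added permissions)] so that a benign first upload
    followed by gradually riskier updates is visible as a sequence of deltas."""
    deltas, seen = [], set()
    for version, perms in versions:
        added = perms - seen
        if added and seen:          # skip the baseline (first) version
            deltas.append((version, added))
        seen |= perms
    return deltas


# Constructed sample traces: the same build run from two vantage points.
SAMPLE_RUNS = [
    ("203.0.113.7", ["register_sms_receiver", "filter_sms"]),
    ("198.51.100.9", ["register_sms_receiver", "filter_sms",
                      "read_contacts", "http_post:exfil.example.invalid"]),
]
# Constructed update history of an "SMS blocker".
SAMPLE_VERSIONS = [
    ("1.0", {"RECEIVE_SMS"}),
    ("1.1", {"RECEIVE_SMS", "INTERNET"}),
    ("1.2", {"RECEIVE_SMS", "INTERNET", "READ_CONTACTS"}),
]
```

Either signal alone is weak (many apps legitimately add INTERNET), but an update that adds READ_CONTACTS together with network activity that only appears outside the sandbox range is exactly the pattern the experiment slipped past Bouncer.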
- Report: Android malware doubled in just one month, a report from The H.
- Google's Bouncer malware scanner for Android pwned, a report from The H.
- Google's Bouncer scans the Android Market for Malware, a report from The H.
(Uli Ries / crve)