Researchers point out ways to circumvent Google's Bouncer (w/ Video)

Jun 07, 2012 by Bob Yirka report

(Phys.org) -- Back in February, Google announced that it had added a security program called Bouncer to its Android Market, a site similar to Apple’s iTunes, that would test applications that had been uploaded to the site, in an attempt to keep out those that contain malware. In the announcement, Google also said that Bouncer had been running for several months and that because of it, apps with malware uploaded to Android Market, which is now called Google Play, were down forty percent. Unfortunately, if that number is correct, it’s likely to change soon as two security analysts, Charlie Miller and Jon Oberheide have not only found some very serious security problems with Bouncer, but have created a video and posted it on YouTube showing exactly how to take advantage of the lapse.

This video is not supported by your browser at this time.

Miller and Oberheide explain that the way Bouncer works is by creating a virtual phone environment every time an is uploaded to Play. It’s in that environment that Bouncer runs and tests the app in various ways to see if it can detect the presence of any malware. Unfortunately, as the two found, Bouncer only tests for five minutes. Any app that waits till after that time period has lapsed to carry out its nefarious functions will get a clean bill of health.

The duo discovered this flaw in Bouncer by creating an app that automatically connects to a server under their control, which allowed them to run Linux commands on an Android phone. Then, they created a false Google Play developer account and uploaded the app. Once it ran in the simulator, they were able to execute commands to find out how Bouncer worked and then to use that information to find weaknesses.

In so doing, they also found that Google had created just a single fake user account, email address, and two photo images to use for its testing purposes. If an app with malware tried to touch any of those, it was “bounced.” Unfortunately, using such a limited set of test information allows those working to subvert the system an easy means of identifying if they are running in a simulation or on a real phone. If it’s the simulation, then they can just do nothing so they won’t be detected.

The two researchers say there are other security holes they’ve discovered as well and have been in contact with Google to let them know what they’ve found and will be outlining their findings at this week’s SummerCon conference in New York.

Explore further: Microsoft CEO is driving data-culture mindset

Related Stories

Shoplifters hit up Chrome Store for Facebook data

Mar 28, 2012

(PhysOrg.com) -- A cash-for-Facebook’s-“likes” hustle hanging out in Google Chrome Web Store has been discovered by Kaspersky Lab. The researchers first discovered extensions leading to the ...

Android mug shots have no lock and key

Mar 04, 2012

(PhysOrg.com) -- If Google loyalists will persist that this Internet Goliath can do no evil, they at least need to admit, based on new evidence this week, that Google can do a lot of mindless harm. A security ...

Android users get malware with their apps

Mar 02, 2011

(PhysOrg.com) -- As new platforms make their way into the market there will always someone who is looking to exploit them for illegal or unethical ends. More proof of that fact has come today when Google was ...

Google announces Floor Plan app for venue owners

Apr 08, 2012

(Phys.org) -- This week the team from Google Maps launched its Floor Plan Marker for Android in a bid to improve the accuracy if its indoor maps. Inside and outside Google, developers have seen real opportunity ...

Recommended for you

Hackathon team's GoogolPlex gives Siri extra powers

6 hours ago

(Phys.org) —Four freshmen at the University of Pennsylvania have taken Apple's personal assistant Siri to behave as a graduate-level executive assistant which, when asked, is capable of adjusting the temperature ...

Microsoft CEO is driving data-culture mindset

Apr 16, 2014

(Phys.org) —Microsoft's future strategy: is all about leveraging data, from different sources, coming together using one cohesive Microsoft architecture. Microsoft CEO Satya Nadella on Tuesday, both in ...

User comments : 0

More news stories

Hackathon team's GoogolPlex gives Siri extra powers

(Phys.org) —Four freshmen at the University of Pennsylvania have taken Apple's personal assistant Siri to behave as a graduate-level executive assistant which, when asked, is capable of adjusting the temperature ...

Better thermal-imaging lens from waste sulfur

Sulfur left over from refining fossil fuels can be transformed into cheap, lightweight, plastic lenses for infrared devices, including night-vision goggles, a University of Arizona-led international team ...