Google Can't 'Bounce' All Bad Android Apps

You might want to think twice about that Android app you're about to download. Even if Google's built-in malware scanner gave it a green light, there's still a chance it could be a fake.
Source: SecurityNewsDaily

Google was applauded earlier this year for launching "Bouncer," a scanning service designed to identify malicious apps in its Play Market (formerly known as the Android Market) before Android users mistakenly download them. But, according to two notable security researchers, the tech giant's bodyguard feature can be easily tricked.

At this week's SummerCon conference in New York, Charlie Miller and Jon Oberheide will demonstrate the specifics of how Google Bouncer tests potentially harmful apps, and how they were able to exploit their newfound knowledge to sneak an app right past the doorman.

Google's Bouncer service tests apps it deems hazardous in a "virtualized environment," Andy Greenberg from Forbes reported. Rather than testing the sketchy software on an actual device, Google creates a simulated phone. But this, Greenberg said, is where the cracks start to form.

"If malware can be designed to detect that it's running on that simulated gadget rather than the real thing, it can temporarily suppress its evil urges, pass Google's test and make its way onto a real phone before wreaking havoc," he wrote.

To press the bouncer-nightclub metaphor, Miller and Oberheide found a way to get a weapon-wielding minor into a bar by making him look, temporarily, like a sweet old lady.

Miller and Oberheide took advantage of the simulated malware testing environment by submitting a testing app to the Play Market that gave them remote access to a device in order to analyze Bouncer's scans. What they found, Greenberg said, is that every virtualized Android device used by Bouncer is registered to the same account, Miles.Karlson@gmail.com, and, to pose as a real phone user, contains just one contact, Michelle.k.levin@gmail.com.

"The question for Google is, how do you make it so the malware doesn't know it's running in a simulated environment," Oberheide told Forbes. "You want to pretend you're running a real system. But a lot of tricks can be played by malware to learn that it's being monitored."

To poke holes in Google's facade, the researchers crafted a malicious Android app called HelloNeon and submitted it to the Play Market last night (June 3). The app made it through Bouncer's scan untouched.

Google did not immediately return a request for comment from SecurityNewsDaily.