Researchers fool Google’s Android malware Bouncer by “fingerprinting” it

by: Gary Sims, June 6, 2012

In February of this year, Google revealed some details of a new malware scanner which it had been developing during the latter half of 2011. Dubbed “the Bouncer”, the automated service runs each app submitted to Google Play to see if it has any malicious intentions. According to Google’s initial figures, the Bouncer has been responsible for a 40% drop in malicious apps available in Google Play.

However, this week security researchers Jon Oberheide and Charlie Miller will present a new method they have developed which allows them to bypass the Bouncer and successfully submit malware to Google Play.

As with real world spies and secret agents, the key to remaining undiscovered is to remain covert, especially when someone is watching you. For malware the idea is exactly the same – like Morpheus shutting down the Nebuchadnezzar when a Sentinel is near, malware that becomes dormant when it is being scanned will go undetected.

The question for malware is how to detect that it is being scanned or watched. The key, according to Miller and Oberheide, is that Google’s Bouncer is in fact a virtual machine that runs the app under scrutiny. If the malware can detect that it is running in the virtual machine it can lay low. For Google, the trick is to convince the malware that it is not running in a simulated environment. According to the researchers, though, every virtual machine exhibits signs that it is not a real-world Android device.

The pair say they managed to submit a spy app to Google Play that let them monitor the Bouncer simulated environment. What they discovered, among other things, was that every instance of Google’s simulated Android device is registered to the same account, [email protected]

They also discovered that the Bouncer tries to bait malware into stealing photos or contacts on the phone. If either of the two photos Cat.jpg and Ladygaga.jpg is transmitted, then the malware has been found out!
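The two constant bait photos are themselves part of what makes the Bouncer fingerprintable: a fixed file name on a fixed account is easy to recognise. As an added illustration, not code from the article, from Google or from the researchers, the following Python sketch shows the defensive alternative: each sandbox instance plants decoys with fresh random names and contents, and exfiltration is detected by matching a chunk of the decoy's contents (raw or base64-encoded) in the outbound traffic rather than by file name. The name patterns, file sizes and sample captures are constructed assumptions for the example.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass

# Name fragments for plausible-looking decoy photos (constructed for this
# example). Each sandbox instance draws fresh names and fresh contents, so
# neither can serve as a fixed fingerprint the way a constant
# "Cat.jpg" / "Ladygaga.jpg" pair can.
NAME_HINTS = ["beach", "family", "party", "trip", "birthday", "concert"]


@dataclass(frozen=True)
class Bait:
    name: str       # file name planted in the emulated gallery
    content: bytes  # random bytes behind a JPEG header
    sha256: str     # recorded so a hit can be logged without the content


def make_bait_set(count: int = 2, size: int = 4096) -> list[Bait]:
    """Generate decoy photos for one sandbox instance (assumed layout)."""
    baits = []
    for _ in range(count):
        name = f"IMG_{1000 + secrets.randbelow(9000)}_{secrets.choice(NAME_HINTS)}.jpg"
        # JPEG magic bytes followed by random payload so a quick look at the
        # header does not give the decoy away.
        content = b"\xff\xd8\xff\xe0" + secrets.token_bytes(size - 4)
        baits.append(Bait(name, content, hashlib.sha256(content).hexdigest()))
    return baits


def find_exfiltrated(capture: bytes, baits: list[Bait], probe_len: int = 48) -> list[str]:
    """Return the names of baits whose contents show up in an outbound capture.

    Matching is done on a chunk of the file contents, raw or base64-encoded,
    rather than on the file name, so renaming the file before upload or
    sending only part of it still trips the detector. probe_len is a
    multiple of 3 so the base64 form of the probe is a clean prefix of the
    base64 form of the whole file (line-wrapped base64 is not handled here).
    """
    hits = []
    for bait in baits:
        probe = bait.content[:probe_len]
        if probe in capture or base64.b64encode(probe) in capture:
            hits.append(bait.name)
    return hits


def build_sample_captures(baits: list[Bait]) -> dict[str, bytes]:
    """Constructed outbound traffic samples: one raw upload of the first
    decoy, one base64 upload of the second, and one benign request."""
    return {
        "raw": b"POST /upload HTTP/1.1\r\nHost: collector.example\r\n\r\n" + baits[0].content,
        "base64": b"photo=" + base64.b64encode(baits[1].content),
        "benign": b"GET /ads?v=1 HTTP/1.1\r\nHost: ads.example\r\n\r\n",
    }


if __name__ == "__main__":
    baits = make_bait_set()
    for label, capture in build_sample_captures(baits).items():
        print(label, "->", find_exfiltrated(capture, baits))
```

Because every instance gets a different decoy set, an app cannot learn the bait inventory from one run and recognise it in the next, and because the match is on content the decoys can be renamed or trimmed by the app without escaping detection.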

“There are a thousand different ways to very accurately and sustainably fingerprint Bouncer,” says Oberheide. “Some are really hard to fix. Some can be fixed pretty easily. But in the long term game, the attackers have a major advantage.”

As a proof of concept, the pair submitted an app to Google Play called HelloNeon that is able to download new malicious code once it is installed on a user’s Android tablet or phone. The app successfully passed Bouncer’s scan and became available for download.

Miller and Oberheide have spoken to Google’s security team about their findings and it is likely Google will make changes to the characteristics of the Bouncer virtual machine before the pair present their methods at the conference.

  • shvelo

    Google just sucks! Android is awesome but Google is stupid, they don’t even try the f’king apps before putting them on their f’king junk market

    • Melad360

      I smell apple fanboy. . .

      • shvelo

        I’m an Android fanboy but I hate Google Play, it’s filled with crap, and is nazi, because it has country limitation on many apps. BTW I hate Apple, it’s a fucking patent troll

    • AppleFUD

      someone’s butt hurt

  • @shvelo,

    But if Android is awesome and Google wrote Android doesn’t that mean that Google is awesome???

    But seriously, one of the key differences between Apple and Google is that Google does not “curate” its store to the same level that Apple does. The average app takes 7 days to appear in Apple’s store, but just a few hours for Google…

    Do you think Google should have a stronger policy on this??? Anyone???

    • If the Bouncer is so easy to fool, it’s a joke. Really, it’s designed to run the app for precisely five minutes. So, if malware is set to kick in at 5 minutes 1 sec, it will pass the test with flying colors. I think that the Bouncer was good enough when it launched, but now Google should really step it up.

    • AppleFUD

      Yes, I do think Google should have a bit stronger policy on “curating” their app market. Not to the extent that apple has gone.

      The one major suggestion I would advise Google of, and I know some devs (most of the ‘bad’ devs) will dislike it, is a more strict process in signing up for an account — maybe even close to the level RIM goes to ensure that they know who the person is creating an account so they have a way to track them down when they do malicious things. Security for an app store starts with knowing you have trustworthy developers. . . not just anyone who wants to throw up an app.

      However, this story is a perfect example of why Google’s approach is still better than apple’s even at their current level. Apple would simply ban these security researchers which in the long run would do nothing to ensure that the platform is more secure. Google will most likely pay them lol . . . and find a way to make their security better.