In February of this year, Google revealed some details of a new malware scanner which it had been developing during the latter half of 2011. Dubbed “the Bouncer”, the automated service runs each app submitted to Google Play to see if it has any malicious intentions. According to Google’s initial figures, the Bouncer has been responsible for a 40% drop in malicious apps available in Google Play.
However, this week security researchers Jon Oberheide and Charlie Miller will present a new method they have developed which allows them to bypass the Bouncer and successfully submit malware to Google Play.
As with real world spies and secret agents, the key to remaining undiscovered is to remain covert, especially when someone is watching you. For malware the idea is exactly the same – like Morpheus shutting down the Nebuchadnezzar when a Sentinel is near, malware that becomes dormant when it is being scanned will go undetected.
The question for malware is how to detect that it is being scanned or watched. The key, according to Miller and Oberheide, is that Google’s Bouncer is in fact a virtual machine that runs the app under scrutiny. If the malware can detect that it is running in the virtual machine it can lay low. For Google, the trick is to convince the malware that it is not running in a simulated environment. According to the researchers, though, every virtual machine exhibits signs that it is not a real-world Android device.
The pair say they managed to submit a spy app to Google Play that let them monitor the Bouncer simulated environment. What they discovered, among other things, was that every instance of Google’s simulated Android device is registered to the same account, Miles.Karlson@gmail.com.
They also discovered that the Bouncer tries to bait malware into stealing photos or contacts on the phone. If either of the two photos Cat.jpg and Ladygaga.jpg are transmitted then the malware has been found out!
“There are a thousand different ways to very accurately and sustainably fingerprint Bouncer,” says Oberheide. “Some are really hard to fix. Some can be fixed pretty easily. But in the long term game, the attackers have a major advantage.”
As a proof of concept, the pair submitted an app to Google Play called HelloNeon that is able to download new malicious code once it is installed on a user’s Android tablet or phone. The app successfully passed Bouncer’s scan and became available for download.
Miller and Oberheide have spoken to Google’s security team about their findings and it is likely Google will make changes to the characteristics of the Bouncer virtual machine before the pair present their methods at the conference.