Google's Bouncer malware tool hacked

Google's malware blocker Bouncer has been hacked by security analysts Jon Oberheide and Charlie Miller, who claim that their workaround will allow malware to access apps even with a Bouncer scan.

Bouncer, announced in February, automatically scans new and existing apps, as well as developer accounts, searching for malware, spyware and trojans. It also looks for indications that an app might be misbehaving, and compares it to other applications to detect red flags.

Oberheide and Miller, however, claim to have cracked the Bouncer scan. They submitted an app to the Android Market, now Google Play, and waited for Bouncer to do its job. "This allows us to explore the Bouncer environment with an interactive remote shell," Oberheide said during a recent presentation at the SummerCon conference, a transcript of which is available on the duo's blog.

They uploaded a malicious APK to the Android Market via a fake Android account and received a callback that allowed them to set up a "remote interactive shell running on the emulated Android device hosted by Bouncer." They could then "poke around" the system via the shell, and ultimately fingerprint the Bouncer environment and add malicious apps to Google Play.

"We've been in touch with the Android security team and will be working with them to address some of the problems we've discovered," said Oberheide, who is also CTO at Duo Security. "While Bouncer may be unable to catch sophisticated malware from knowledgeable adversaries currently, we're confident that Google will continue to improve and evolve its capabilities."

Google did not immediately respond to a request for comment.

When Google unveiled Bouncer, Hiroshi Lockheimer, Android vice president of engineering, admitted that no security approach is foolproof. "Added scrutiny can often lead to important improvements," he said at the time.

Between the first and second halves of 2011, Google reported a 40 percent decrease in the number of potentially malicious downloads from the Android Market, just as anti-malware and software security companies were chronicling a rise in malicious applications.

At the same time, Juniper Networks recorded a 472 percent jump in Android Market malware between July and November 2011.

Apple's strict app approval process ensures that iTunes-sold applications are free of explicit and offensive material, according to the company's website. While Google's process may offer more freedom to developers, it also leaves the market open to malware and other issues.