Google’s Android platform has become the most common mobile OS among both consumers and malware authors, and earlier this year the company introduced the Bouncer system to scan for malicious apps in the Google Play market. Bouncer, which watches for malicious behavior and known malware, is a good first step, but as recent work from researchers Jon Oberheide and Charlie Miller demonstrates, it can be bypassed rather easily, and in ways that will be difficult for Google to address in the long run.
“The problem that Bouncer faces is very similar to the problems that normal antivirus analysts face. Malware will fingerprint the system it’s on to see whether it’s running in a virtualized environment or in an emulator,” Oberheide said. “Bouncer was designed by people I know really well, and I wanted to see how they’d design a system. It was a total black-box approach for us, to see how much we could learn by submitting apps and poking around.”
The researchers have spoken with Google about the general outline of their findings, and Oberheide said he expects the company to respond, but that the larger problem with Bouncer will be hard to solve.
By looking at the traffic arriving at the command-and-control server they set up, the researchers were able to see that all of the requests came from a single Google IP address block, something an attacker could identify easily. Google could change that IP block, Oberheide said, but the company would then need to acquire IP space from a variety of providers and route its traffic through those blocks.
Oberheide produced a video that shows the test app he and Miller built calling back to their server and responding to commands from inside the Bouncer environment.