Google Bouncer Vulnerabilities Probed by Security Researchers

A pair of security professionals submitted malicious apps to Google's Android app store to test Bouncer for vulnerabilities. The program doesn't grab users' details, but probes Bouncer for weaknesses.

By: Robert Lemos

New details of security issues related to Google's Bouncer, the company's system for catching malicious applications before they are published in the Android marketplace, will be presented during a conference the weekend of June 9 by two researchers who used their own submissions to probe the service from the inside.

The researchers, Jon Oberheide of Duo Security and Charlie Miller of Accuvant, designed a digital Trojan horse, a program that waits until it is run by Google's security service and then works to discover information about the service. By probing from the inside, the program discovered technical details of the system, the configuration of the virtual phone that Google uses to test every Android program, and some of the malicious behavior that the system detects.

The experiment basically allowed the researchers to put on the hats of malicious attackers, who regularly add code to malicious programs to detect virtual environments-often a sign that a security analyst is attempting to reverse-engineer an attack, said Oberheide, who is the chief technology officer for two-factor authentication firm Duo Security.

"If you can successfully detect that your app is running insider Bouncer, then you can wait to perform any malicious activity, and the app will make it through the submission process," said Oberheide.

Google announced earlier this year that it would do more to secure the Android Marketplace and pinpoint malicious behavior. The service, called Bouncer, is an attempt by Google to quash the growing incidence of malware on the primary marketplace for the Android platform, now known as Google Play. The system has been running for more than a year, over which the incidence of malware downloaded by Android users has decreased 40 percent, the company says.

"While it's not possible to prevent bad people from building malware, the most important measurement is whether those bad applications are being installed from the Android Market-and we know the rate is declining significantly," Google stated in its February announcement.

The researchers identified the platform on which Google runs its virtual phones and found that the company typically runs applications for five minutes in each virtual instance, which is longer than the one minute running time on most virus-analysis platforms.

Each virtual device instantiated by Google's Bouncer has the same fake owner profile and only a single contact in the address book. There are a number of interesting little quirks as well, such as a picture of Lady Gaga and another of a cat on the virtual Secure Digital (SD) card as well as a file named password.txt. All three appear to be tripwires-pieces of data that, if copied or modified, will alert the system that something is wrong.

"I definitely tried to copy cat.jpg, but as soon as you touch it, you lose your shell," said Oberheide, referring to the command terminal, or shell, with which he could send commands to the program running inside Google's Bouncer.

The researchers notified Google of their research and are currently discussing it with the firm, said Oberheide. They plan to present the research at the SummerCon conference in New York City.