The Google Play Store's "Bouncer," which Google launched back in February to protect Android users from malicious apps, is a service that scans potential Play Store apps by running them in a virtual phone environment, where the app's activities are monitored for any signs of mal-intent.

Taking advantage of that test period, security researchers Charlie Miller and Jon Oberheide have evidently found ways past Bouncer (which they will be presenting at the Summercon conference in New York this week). Their method, in short, allows an app to "know" that it is being run in a virtual environment, meaning malicious apps could conceivably resist carrying out malicious activities until they are running on a real system.

According to Oberheide, while Bouncer's functionality should mimic a real system, "a lot of tricks can be played by malware to learn that it's being monitored."

As you can see from the video above, Oberheide and Miller's strategy involved submitting a test application to the Play Store that gives them remote access to a target device. This allows them to "go inside" Bouncer, cataloguing any fingerprints that would allow other malware to know when it is running in the test environment.

In their research, Miller and Oberheide discovered that Bouncer's test phone is registered with [email protected], that its only listed contact is [email protected], and that bouncer has two photos: Cat.jpg and Ladygaga.jpg. There are also hints that the phone in question is running on QEMU, and that its IP address belongs to Google.

Oberheide has indicated that he and Miller have already spoken to Google about their findings, and that Google may already be implementing changes to Bouncer in an effort to keep malicious apps from evading the scan and making it to the Play Store. Oberheide suggested that, while Bouncer could be improved (by, for example, running apps on physical devices rather than virtual ones), it is likely that malware could still slip through.

While Oberheide and Miller aren't the first to game Google's Bouncer system, their research is an important step in understanding its flaws and, hopefully, keeping Android users as safe as possible as both security and malware continue to develop.

Source: Duo Security

Liam Spradlin
Liam loves Android, design, user experience, and travel. He doesn't love ill-proportioned letter forms, advertisements made entirely of stock photography, and writing biographical snippets.

  • http://www.androidpolice.com/ Artem Russakovskii

    Absolutely fascinating research. It's so surreal to be communicating to a remote agent running right within Google's own base.

    • ProductFRED

      Yeah, for lack of a more intellectual description, this is pretty awesome.

  • http://jordanhotmann.com/ Jordan Hotmann

    It would be awesome to have this job...all the fun of being a hacker but working for the good guys.

    • Deltaechoe

       It's called IT/Sec, plenty of jobs around and college level programs are starting to pop up too.  This is a field that is pretty untapped at the moment

  • guyfromtrinidad

    I look at this story and say fascinating research, this malware thing is not easy but requires constant updating and improvement, but I still love the Android OS. The majority of other tech sites however will pick this up and say "NEW ANDROID MALWARE ELUDES BOUNCER" "ANDROID BAD!!!" 

  • GazaIan

    Oh yay, a way to increase malware on Android

  • GazaIan

    Oh yay, a way to increase malware on Android

    • http://www.androidpolice.com/ Artem Russakovskii

      You're looking at it the wrong way. Research like this will only potentially make things worse in the short term, but is very important and positive in the long term. It will force Google to make improvements to the bouncer.

      Malware writers are smart, but they don't publish their findings, so the more people who responsibly disclose and publish security research do it, the better off we'll all be in the long run.