Duo Security Sends A Trojan Horse Inside Google's Bouncer, Explores And Fingerprints Its Guts

Android Police

By Liam Spradlin

Published Jun 4, 2012

The Google Play Store's "Bouncer," which Google launched back in February to protect Android users from malicious apps, is a service that scans potential Play Store apps by running them in a virtual phone environment, where the app's activities are monitored for any signs of mal-intent.

Taking advantage of that test period, security researchers Charlie Miller and Jon Oberheide have evidently found ways past Bouncer (which they will be presenting at the Summercon conference in New York this week). Their method, in short, allows an app to "know" that it is being run in a virtual environment, meaning malicious apps could conceivably resist carrying out malicious activities until they are running on a real system.

According to Oberheide, while Bouncer's functionality should mimic a real system, "a lot of tricks can be played by malware to learn that it's being monitored."

[EMBED_YT]https://youtu.be/pQOU5ahJe8c

[/EMBED_YT]

As you can see from the video above, Oberheide and Miller's strategy involved submitting a test application to the Play Store that gives them remote access to a target device. This allows them to "go inside" Bouncer, cataloguing any fingerprints that would allow other malware to know when it is running in the test environment.

In their research, Miller and Oberheide discovered that Bouncer's test phone is registered with Miles.Karlson@gmail.com, that its only listed contact is Michelle.k.levin@gmail.com, and that bouncer has two photos: Cat.jpg and Ladygaga.jpg. There are also hints that the phone in question is running on QEMU, and that its IP address belongs to Google.

Oberheide has indicated that he and Miller have already spoken to Google about their findings, and that Google may already be implementing changes to Bouncer in an effort to keep malicious apps from evading the scan and making it to the Play Store. Oberheide suggested that, while Bouncer could be improved (by, for example, running apps on physical devices rather than virtual ones), it is likely that malware could still slip through.

While Oberheide and Miller aren't the first to game Google's Bouncer system, their research is an important step in understanding its flaws and, hopefully, keeping Android users as safe as possible as both security and malware continue to develop.

Source: Duo Security