June 4, 2012 | by Andrew Kameka
Summer has been quiet, so it looks like it’s time for the first Android scare of the season. This time, there’s actually a little bit of bite to the bark of researchers who have discovered a potential security vulnerability in Bouncer, Google’s anti-malware system that scans every app uploaded to Google Play to ensure that it doesn’t have malicious code.
The potential problem with Bouncer, according to the Duo Security team of Jon Oberheide and Charlie Miller, is that it telegraphs its moves. Miller and Oberheide uploaded an app to Google Play that put the attention back on Bouncer and then searched for traces of the system in the app’s logs. The team discovered that every running instance of the simulation had common traits: each was registered to Miles.Karlson@gmail.com, had only one contact, and stored two photos. That’s a potential problem because a malicious app might know that it is being watched and then hold off doing anything nefarious.
Oberheide suggests that this might make a developer release an app with some sleeper code. The app would scan for Bouncer’s signature characteristics and not trigger any action that would get it booted from Google Play. Once the app can ensure it is not being monitored, it could then download more information and execute commands like sending premium text messages that cost money or stealing user data.
According to a Forbes article on the subject, Oberheide and Miller have already spoken with Google and it’s possible that this issue is already being addressed. There are “thousands of ways” to spot Bouncer, according to the researchers, with some being harder than others. Google could make the system more sophisticated and less recognizable, or it could even scan to see if the app has scanning links. It’s all very Spy vs. Spy, but there’s no reason to be alarmed about Google Play malware yet. I guarantee that I’ve installed more apps than anyone reading this and I’ve yet to encounter any malware from the Play Store or the Artist Formerly Known as The Android Market. (*knock on wood)
Google may have even addressed this issue. If you’d like to learn more about the concept, a short demonstration is viewable below. More information will be shared at Duo Security’s presentation at SummerCon later this week.