First introduced to the public in February this year, Google’s Bouncer was welcomed as a great addition that aimed to make Google Play more secure for Android users.
Unlike Apple, Google doesn’t have a vetting process in place that would keep malicious apps from being accepted on the official Android marketplace – the company decided to opt for the Bouncer, an automated app scanning service that analyzes apps by running them on Google’s cloud infrastructure and simulating how they will run on an Android device.
In an attempt to prevent malicious app developers from finding out ways to bypass it, Google shared no more details about how Bouncer operates. But security through obscurity is not a good tactic in this case, and it was only a matter of time until someone managed to evade the roadblocks.
As a way of announcing their upcoming talk at the SummerCon conference, researcher Jon Oberheide has shown how he and Charlie Miller succeeded in discovering just what kind of virtual environment Bouncer uses and how it might be vulnerable.
The two researchers started by making fake Google accounts and submitting various apps to Google Play.
Once an app that was able to contact a server controlled by the researchers was picked up for analysis and run in the Bouncer environment, they were able to obtain a remote Linux command-line shell on the system and to poke around for clues by making the app perform commands they sent to it.
That’s how they discovered that Bouncer used the QEMU processor emulator, and that all requests coming from Google came from a specific IP block.
Among other things they also discovered that malicious individuals could freely upload apps to Google Play without using a valid credit card or account, making it easy for them to test their malicious wares without having them traced back to them or “burning” a stolen credit card.
Google has been made aware of all this, and it’s engineers are likely working of ways to improve the Bouncer.
“It’ll never be perfect, but hopefully they’ll sweep up a lot of the crap malware with it,” Oberheide commented for ThreatPost. “But malware authors share code widely and collaborate, so I wouldn’t be surprised if they have a library soon to help bypass Bouncer that you’ll see in a bunch of malicious apps.”