Google's App Bouncer Can’t Detect When Benign Apps Turn Malicious

Imagine someone going to a nightclub. After being frisked by a bouncer at the door, he gets an ink stamp on the hand indicating that this person paid the cover charge and was vetted by security. What if the other patrons could be immediately imperiled if that person is allow to exit and reenter without being checked again? Something akin to that scenario has happened, but with Google Play as the venue and an Android app as the once-benign but subsequently nefarious partygoer.

CNET.com reported that researchers at Trustwave’s SpiderLabs discovered a security flaw that allowed them to introduce a cloaking program that kept Google’s malware detection, called Bouncer, from detecting updates to the app. The ethical hackers were able to update the app—an SMS blocker originally designed to allow a cellphone user to block text messages from specific phone numbers—11 times without Bouncer tossing the app from the Google Play Android marketplace.

According to the CNET article, none of the added functions contained in the updates had anything to do with blocking texts. In fact some of the updates modified the software so that it is capable of accessing data—including photos, contacts, call records, and the contents of text messages—on a handset. Other updates were even more nefarious, turning a handset into a zombie that automatically connects to a predetermined website to get instructions for participating in distributed denial-of-service attacks.

The researchers, who eventually removed the cloak, letting Bouncer detect the malicious code in a subsequent update, say they have alerted Google and will meet with Android researchers this week at the Black Hat and Defcon security conferences in Las Vegas. They will share the details of their hack in a session called “Adventures in Bouncerland.”