6/7/2012
01:57 PM

Google Play Exploits Bypass Malware Checks

Security researchers find multiple ways to bypass Bouncer, Google's automated service for spotting malicious Android apps.

Two well-known smartphone security researchers said they've found multiple techniques for bypassing Bouncer, the automated system Google uses to keep malicious applications out of Google Play, its official Android application store (formerly dubbed Android Market).

The researchers--Jon Oberheide, CTO of Duo Security, and Charlie Miller, principal research consultant at Accuvant Labs--plan to present their research at SummerCon this Friday. The pair said they've shared full details in advance with Google.

Android is now the most-used smartphone operating system, on track to command 61% of the global smartphone market this year, according to IDC.

After a flurry of news reports highlighted a marked increase in Android malware volumes, Google earlier this year responded by disclosing the existence of Bouncer. According to Google, between the first and second half of 2011 Bouncer reduced by 40% the number of malicious applications downloaded by users of the Android application marketplace.


How many different techniques did the two researchers discover for bypassing Bouncer? "Hard to count, but I'd say at least 20 is a safe bet," said Oberheide, an independent security researcher with extensive mobile security experience, via email. "At that point, finding new minor ones is not very interesting, but finding ones that are difficult to fix or generally asymmetric--in the attackers' favor--in the long-term are."

The researchers were able to submit an app to Google Play for vetting that established a connect-back shell from inside the Bouncer infrastructure, which allowed them to probe how the system works.

"To Google's credit, we did get caught a couple times during our probes, although we were being pretty blatant at the time. I remember receiving a connect-back from an entirely different IP address from the normal Bouncer range--but still owned by Google--and interacting with it briefly before realizing it wasn't operating as expected and was most likely a manual reviewer checking out our app after it was flagged," said Oberheide. "I tried to send some friendly messages to that person."

The researchers also discovered that Bouncer is based on QEMU, a popular emulator that has had its share of vulnerabilities in the past, according to Oberheide. Accordingly, he explained, "It may be possible to exploit the Bouncer infrastructure itself by exploiting a bug in QEMU. Obviously, this is something that crosses the ethical lines of research,"--meaning he didn't test any such attacks--"and I'm sure [it] has been considered appropriately by Google."

Oberheide said that he and Miller weren't surprised that they could find Bouncer-bypassing techniques, given the "complex black box" approach that Google is undertaking. "Google's trying to solve a pretty difficult problem here: make a fake emulated device that looks and operates indistinguishably from a real user's device," Oberheide explained. "Not a simple thing."

After Google highlighted the existence of Bouncer, security experts pointed out that while such services are helpful, they're not foolproof. Security researcher Dmitry Bestuzhev at Kaspersky Lab, for example, has suggested that attackers might find ways of defeating the emulation environment used by Bouncer, or disguising any malicious behavior until after the application had cleared the malicious-intent review.

Oberheide seconded the feasibility of such an attack scenario. He explained that it could be accomplished by fingerprinting the emulation environment--as he and Miller have done--and then instructing an app to "look normal" as long as it's in that environment. "The easiest way to 'bypass' Bouncer is to not do anything malicious/suspicious when your app is running within it," he said. "Therefore, your app passes its test and can be distributed to your real target: users."

Apple last year banned Miller from its iOS developer program for one year for testing a proof-of-concept attack of that very nature. Notably, Miller was able to sneak proof-of-concept malware past Apple's iOS review teams, resulting in his application becoming available via the official Apple App Store.

In response to his temporary iOS developer program excommunication, Miller asked why Apple had bothered to give free accounts to security researchers such as himself. "If I'm the only bad guy in the world right now, you guys are perfectly safe," Miller quipped earlier this year at the RSA conference in San Francisco.

In the case of the Bouncer-bypassing techniques Miller and Oberheide identified, Google didn't immediately respond to an emailed request for comment about whether the flaws might be used in real-world scenarios by malware creators to place malicious apps on Google Play. But Oberheide suggested that if he and Miller can find vulnerabilities, so can people with malicious intentions.

"Based on what we've seen in the traditional malware world, malware authors are great at sharing code and techniques," he said. "I wouldn't be at all surprised if sophisticated malware is already bypassing Bouncer and unsophisticated malware will definitely catch up as techniques become more widely known. That being said, Bouncer itself will continue to improve and evolve to increase its efficacy."

Google also hasn't commented about whether it might have the exploits patched before the researchers' Friday conference presentation. "I know some of the folks working on Bouncer at Google, and they're top-notch, so they're definitely aware of its weaknesses and I'm sure are working to address them," said Oberheide. "These types of weaknesses aren't simple things to patch, though, so I don't think they'll be in place in the short term."

