Google does its best to stay on top of malware in the Google Play store, removing offending apps as soon as it becomes aware of them. Better than removing malware, though, is keeping it from ever reaching Google Play in the first place. Four months back, we learned of the company’s Bouncer system, an automated process that attempts to identify malware apps before they get a chance to spread. New findings by security researchers reveal a few chinks in the Bouncer armor and may prompt Google to make changes aimed at preventing malware from defeating Bouncer’s inspection.
This isn’t the first time we’ve heard of apps designed to avoid Bouncer, but the techniques involved are new. One aspect of Bouncer’s analysis is running suspect apps in a test environment, watching how they behave on an Android system and keeping an eye out for any actions that may indicate ill intent. What researchers Charlie Miller and Jon Oberheide discovered is that the Bouncer test environment is consistent enough for malware to detect it and alter its behavior accordingly.
If an app knows it’s running on Bouncer, it can intentionally refrain from its normal malware behavior, resulting in a false negative from the system. Miller and Oberheide found that Bouncer always seems to report being registered to the same user, has distinct files present on the device, and contains only a single, specific user in its contact list. By looking for this pattern, an app could tell it was under Bouncer’s scrutiny.
The team has already contacted Google with its findings, so hopefully Bouncer will see a few tweaks to help prevent this kind of attack from taking place.