Oh me, oh my, or so goes the saying. Very recently, two hackers, Charlie Miller, who is already a renowned Apple hacker, and Jon Oberheide, have been going over the various ways to get around Google Bouncer. For those who don’t know, Google Bouncer is the automated program that scans new applications as they hit the Google Play Store to see whether they’re malicious. While effective to an extent, the system is far from perfect, and it’s only a matter of time before malware applications get around it entirely.
To further explain, when an Android application hits the Play Store, the Bouncer runs the application in a simulated Android environment to see what it does. This is very similar to testing techniques already in use, where developers run their application in a virtual Android device to test for bugs. If the application begins to do a bunch of naughty things, or things that can be construed as naughty, the Bouncer will deny the application and it will never see the light of day. In theory, it’s a fantastic idea, but in practice, hackers are smarter than that. One of the methods that Miller and Oberheide intend to show at their presentation at Summercon this week is how an application can identify when it’s running in a simulated environment, namely the Bouncer’s specific simulated environment, and then play nice until it passes the inspection. From there it will be approved for the Play Store, where users will download it and it can then continue on its malicious way.
Very soon the ball will be in Google’s court, as these two hackers have shown how Google Bouncer can be completely defeated, and Google will need to respond. There have already been published examples of an unnamed application getting past Bouncer, with the app developer simply sending update after update, adding more malware content until it’s a full-blown problem. If Google can’t respond, then it’s only a matter of time until Bouncer is nothing more than an annoyance that can be easily coded around.