To combat the growing number of malicious Android apps on Google Play, Google unveiled a new service back on February 6th called ‘Bouncer’. When developers upload their apps, Bouncer scans the code using dynamic* behaviour analysis for known malware, spyware and Trojans.
Bouncer uses a type of reputation engine to flag Android apps that appear to be misbehaving, comparing them against previously scanned apps (the white/black list reputation database) to detect possible malicious activity. In addition, Bouncer also scans new developer accounts, to make sure misbehaving developers are banned from Google Play. *Note: Bouncer doesn’t use static analysis – maybe it should, but we all know manually scanning code takes time and resources.
As with all reputation engines, some malicious apps will not be detected as malicious, i.e. previously unseen (zero-day) threats. I know Bouncer has trouble with anti-emulation, which involves the app changing its behaviour on a regular basis once an emulator is detected. Charlie Miller anyone? Apps can also be designed to activate only in specific countries or on specific mobile carriers. Detection becomes harder when this type of malware is resident.
Bouncer does indeed test Android apps in a virtualised environment (QEMU), which allows Google to run apps on a simulated Android device on PC hardware. That said, the same problem I posted about in January is still relevant today – you can still run anti-emulation code to beat Bouncer. 🙁
This week (June 4th) two researchers (Charlie Miller being one) showed how easy it was to “fingerprint” Bouncer. In one scary instance an app was uploaded to Google Play that, once installed on the target device, pulled down new malicious code. This malware passed Bouncer’s scan and was available on Google Play. Maybe Google should follow Apple’s lead by identifying developers by their Social Security Number (SSN) or official articles of incorporation? Only time will tell.
Safe surfing folks!
Bootnote: Google has the ability to silently delete programs from users’ devices when the company determines them to be malicious. Check your app library (manager) from time to time to see if any have been removed.