Security Lessons from Android Apps That Could Become Malicious

Security researchers testing Google's Bouncer malware detection system told CNET that they were able to submit a benign app and then update it with malicious functionality. Bouncer is the system Google uses to detect malware in Android apps.

According to Nicholas Percoco, head of SpiderLabs at Trustwave, and his colleague Sean Schulte, the findings from their 'Adventure in BouncerLand' research will be discussed at a session at Black Hat and Defcon in Las Vegas.

Google launched Bouncer in February to protect the apps in the Google Play Android market. The researchers set out to turn a benign app into malware without setting off Bouncer's alarms, and they succeeded.

Their first step was to develop an SMS blocker app, meant to block SMS messages from specified numbers. The app was then put on the market for the public to download. The researchers went on to update it eleven times, each time adding functionality completely unrelated to blocking text messages. None of these changes triggered Bouncer. According to Percoco, that is because they applied a cloaking method that masked the changes from Bouncer. He said this was like blindfolding a bouncer, rendering him ineffective.

Although they have declined to name their app until next week, they were able to change the initial SMS blocker into malware that could access device information and turn the phone into a zombie that can easily be used in DDoS attacks.

In the end, the researchers removed the masking feature after updating the app. That is when Bouncer's alarms were triggered and the app was removed from the market.

During his talk, Percoco will demonstrate, using the copy of the app he still has on his device, how it steals data from a phone and how it can be used to launch a Distributed Denial of Service attack against a sample web page. The app was, however, downloaded to only one device, mainly because of its high price compared with the other SMS blocking apps on the market.

If other developers were to learn the masking trick, it would be only a matter of time before apps are turned against us. According to Percoco, this trick would be used to turn most of the apps that are trusted today into malicious ones in the coming days. He suggested that the best option would be to provide more granular permissions, so that the controls reside on end users' devices.

This would mean that if an app is no longer doing what it was intended to do according to its functionality map, the device will immediately notice and block it. He said there ought to be a multi-level approach to fighting these malware programs, not just a check at the entry level, which is in fact automated.
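The functionality-map idea above can be sketched as a permission-drift check across app updates. This is an added example, not the researchers' or Google's code: the FUNCTIONALITY_MAP contents, the "sms_blocker" category name and the sample manifests are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Hypothetical functionality map: permissions each declared category may use.
FUNCTIONALITY_MAP = {"sms_blocker": {P + "RECEIVE_SMS", P + "READ_SMS"}}

def manifest(version, perms):
    """Build a constructed AndroidManifest.xml string for the sample data."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            f' android:versionCode="{version}">{uses}</manifest>')

# Constructed update history: an SMS blocker that slowly drifts off its map.
SAMPLE_UPDATES = [
    manifest(1, [P + "RECEIVE_SMS"]),
    manifest(2, [P + "RECEIVE_SMS", P + "READ_SMS"]),
    manifest(3, [P + "RECEIVE_SMS", P + "READ_SMS", P + "READ_CONTACTS"]),
    manifest(4, [P + "RECEIVE_SMS", P + "READ_SMS", P + "READ_CONTACTS",
                 P + "INTERNET"]),
]

def requested_permissions(manifest_xml):
    """Return (versionCode, set of permissions) declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    version = int(root.get(ANDROID_NS + "versionCode"))
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return version, perms

def audit_updates(category, manifests):
    """Check every update against the map instead of only the first upload."""
    allowed = FUNCTIONALITY_MAP[category]
    findings, previous = [], set()
    for xml in manifests:
        version, perms = requested_permissions(xml)
        outside = perms - allowed
        findings.append({
            "version": version,
            "added": sorted(perms - previous),    # new in this update
            "outside_map": sorted(outside),       # not justified by category
            "action": "block" if outside else "allow",
        })
        previous = perms
    return findings

if __name__ == "__main__":
    for finding in audit_updates("sms_blocker", SAMPLE_UPDATES):
        print(finding)
```

A check like this only catches drift that needs a permission outside the map; behaviour that changes within already granted permissions needs the other layers of the multi-level approach.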

The researchers got in touch with Google and, according to Percoco, will meet with the company during the security conference next week.

A Google spokeswoman, however, said the company had no comment on the matter.