When earlier this year Google introduced Bouncer - an automated app scanning service that analyzes apps by running them on Google’s cloud infrastructure and simulating how they will run on an Android device - it shared practically nothing about how it operates, in the hope of making malicious app developers scramble for a while to discover how to bypass it.
— Researchers beat Google’s Bouncer, /.
- As it turned out, several months later, security researchers Jon Oberheide and Charlie Miller discovered - among other things - just what kind of virtual environment Bouncer uses (the QEMU processor emulator) and that all requests coming from Google came from a specific IP block, and made an app that was instructed to behave as a legitimate one every time it detected this specific virtual environment.
- Now two more researchers have effectively proved that Bouncer can be rather easily fooled into considering a malicious app harmless.
What do we learn?
- Security by obscurity is a bad idea even when Google does it. It usually hides major holes.
- Your “legit” Android apps, downloaded from Google Play, can be trojans stealing your data without anyone knowing it.