Open Cloze
Gap-fill exercise
Fill in all the gaps, then press "Check" to check your answers.
When good Android apps go bad -- a security lesson
Security researchers testing Google's Bouncer malware _____ system for Android apps have managed to submit a benign app and _____ slowly update it to add malicious functionality, _____ of the researchers told CNET today.
Nicholas Percoco, head of Trustwave's SpiderLabs, and colleague Sean Schulte _____ be discussing their research during a session _____ Black Hat and Defcon next week in Las Vegas entitled "Adventures in Bouncerland."
After Google launched its Bouncer system _____ protect apps in the Google Play Android market in February, the researchers wanted to see if they could _____ a good app that was already in the system _____ something malicious without triggering the Bouncer malware alarm system. They succeeded.
First they created _____ app that was designed to allow users to block _____ messages from specific individuals, known as an SMS blocker. Once the app was _____ the market and available _____ public download, the researchers updated it 11 times to add additional functionality that was totally unrelated _____ blocking text messages.
_____ of the updates triggered Bouncer because the researchers used a cloaking method that masked the functionality changes _____ Bouncer, Percoco said. "We used a technique that allowed us to _____ a blindfold over Bouncer," he said.
So their app, _____ they are refusing to identify until next week, started _____ as a simple SMS blocker and was updated incrementally to access all _____ of data on the device and even to turn the phone _____ a zombie for use in Distributed Denial-of-Service (DDoS) attacks.
"The last version we had in the store allowed us to steal all _____ user photos, contacts, phone records, SMS messages, and we can hijack _____ person's device" and direct the device to visit a malicious Web _____, Percoco said. "The last functionality in there allowed us to define a location _____ the mobile device to go and launch a DDoS _____ a target."
Eventually, the researchers updated the app and removed the technology that _____ hidden the malicious functionality. At that _____, Bouncer detected it as malicious and pulled it _____ the market.
Percoco will demonstrate _____ his talk how the app still residing on his test Android device steals information _____ the phone and can be used to launch a DDoS _____ a test Web site. The app was only downloaded _____ this one device because he priced the app _____ higher than all the _____ many SMS blockers on the market, he said.
If _____ developers learn this masking trick we could see other Android apps go Mr. _____ on us. "You now have trusted apps that could some day _____ the future decide to become malicious," Percoco said. "We need more granular permissions and controls that _____ mapped and _____ down to end user devices."
So, for example, if the device detects that an app is now _____ something that wasn't in its original functionality map, or mission, the device would block _____. "We need a multi-pronged approach _____ malware on these devices, not just automated tools _____ pre-entry," he said.
The researchers have contacted Google and _____ be meeting with Android researchers at the security conferences next week to discuss _____ issue, according to Percoco.
A Google spokeswoman said the company did not have comment _____ this matter.
Previously, researchers were _____ to bypass Bouncer directly by obtaining shell access, and there has _____ malware that went undetected on Google Play, but it required user interaction. This recent research did _____ require user interaction and it exploited a _____ in Bouncer via legitimate access and following _____ the rules, Percoco said.
Adapted from: CNET, July 20, 2012.