Open Cloze

Gap-fill exercise

Fill in all the gaps, then press "Check" to check your answers.

When good Android apps go bad -- a security lesson

Security researchers testing Google's Bouncer malware system for Android apps have managed to submit a benign app and slowly update it to add malicious functionality, of the researchers told CNET today.

Nicholas Percoco, head of Trustwave's SpiderLabs, and colleague Sean Schulte be discussing their research during a session Black Hat and Defcon next week in Las Vegas entitled "Adventures in Bouncerland."

After Google launched its Bouncer system protect apps in the Google Play Android market in February, the researchers wanted to see if they could a good app that was already in the system something malicious without triggering the Bouncer malware alarm system. They succeeded.

First they created app that was designed to allow users to block messages from specific individuals, known as an SMS blocker. Once the app was the market and available public download, the researchers updated it 11 times to add additional functionality that was totally unrelated blocking text messages. of the updates triggered Bouncer because the researchers used a cloaking method that masked the functionality changes Bouncer, Percoco said. "We used a technique that allowed us to a blindfold over Bouncer," he said.

So their app, they are refusing to identify until next week, started as a simple SMS blocker and was updated incrementally to access all of data on the device and even to turn the phone a zombie for use in Distributed Denial-of-Service (DDoS) attacks.

"The last version we had in the store allowed us to steal all user photos, contacts, phone records, SMS messages, and we can hijack person's device" and direct the device to visit a malicious Web , Percoco said. "The last functionality in there allowed us to define a location the mobile device to go and launch a DDoS a target."

Eventually, the researchers updated the app and removed the technology that hidden the malicious functionality. At that , Bouncer detected it as malicious and pulled it the market.

Percoco will demonstrate his talk how the app still residing on his test Android device steals information the phone and can be used to launch a DDoS a test Web site. The app was only downloaded this one device because he priced the app higher than all the many SMS blockers on the market, he said.

If developers learn this masking trick we could see other Android apps go Mr. on us. "You now have trusted apps that could some day the future decide to become malicious," Percoco said. "We need more granular permissions and controls that mapped and down to end user devices."

So, for example, if the device detects that an app is now something that wasn't in its original functionality map, or mission, the device would block . "We need a multi-pronged approach malware on these devices, not just automated tools pre-entry," he said.

The researchers have contacted Google and be meeting with Android researchers at the security conferences next week to discuss issue, according to Percoco.

A Google spokeswoman said the company did not have comment this matter.

Previously, researchers were to bypass Bouncer directly by obtaining shell access, and there has malware that went undetected on Google Play, but it required user interaction. This recent research did require user interaction and it exploited a in Bouncer via legitimate access and following the rules, Percoco said.


Adapted from: CNET, July 20, 2012.