In February this year, Google revealed some details about a new malware scanner it had developed in the latter half of 2011. The scanner, called “the Bouncer”, is an automated service that runs each app submitted to Google Play to see whether it behaves maliciously.
According to Google’s initial figures, Bouncer was responsible for a 40% drop in malicious apps available in Google Play. However, we have stumbled upon an interesting piece of information: security researchers Jon Oberheide and Charlie Miller have developed a method that enables them to bypass Bouncer and successfully submit malware to Google Play.
The key to remaining undiscovered is to stay hidden, especially while someone is watching you. The same idea applies to malware: a sample that goes dormant while it is being scanned will go undetected. The question for the malware author is therefore how the malware can tell that it is being scanned or watched. According to Miller and Oberheide, the answer lies in Google’s Bouncer itself.
Bouncer is a virtual machine that runs the app under scrutiny. If the malware can detect that it is running inside that virtual machine, it can lie low. For Google, the trick is to convince the malware that it is not running in a simulated environment, yet every virtual machine exhibits signs that it is not a real-world Android device. To find those signs, the researchers submitted a spy app to Google Play that allowed them to observe Bouncer’s simulated environment from the inside.
Among other things, one particularly significant discovery was that every instance of Google’s simulated Android device is registered to the same account. They also found that Bouncer tried to bait malware into stealing the photos or contacts stored on the simulated phone. To prove the concept, the pair submitted an app called HelloNeon to Google Play that could download new malicious code once it was installed on a user’s Android phone or tablet.
The app cleared Bouncer’s scan and became available for download. The researchers have spoken to Google’s security team about their findings, and Google will most likely change the characteristics of the Bouncer virtual machine before the pair present their methods at the conference.
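The following Android example is added here to illustrate the kind of check the article describes; it is not the researchers’ code and does not reproduce the specific Bouncer fingerprints they found. It reads the generic build properties the stock Android emulator is known to expose (the android.os.Build fields) and the Google accounts registered on the device. The account name KNOWN_SANDBOX_ACCOUNT is a hypothetical placeholder, since the page does not name the shared account.

```java
import android.accounts.Account;
import android.accounts.AccountManager;
import android.content.Context;
import android.os.Build;

import java.util.ArrayList;
import java.util.List;

/**
 * Added example: gathers the environment evidence an app can read to decide whether
 * it is running on a handset or inside an analysis VM. These are the generic Android
 * emulator tells, not the specific Bouncer fingerprints the researchers reported.
 */
public final class EnvironmentFingerprint {

    // Hypothetical placeholder: the article says every Bouncer instance shares one
    // account but does not name it, so this value is an assumption for illustration.
    static final String KNOWN_SANDBOX_ACCOUNT = "analysis-account@example.com";

    private EnvironmentFingerprint() {}

    /** Build properties that the stock emulator leaves at generic values. */
    public static List<String> emulatorIndicators() {
        List<String> hits = new ArrayList<>();
        if (Build.FINGERPRINT.startsWith("generic") || Build.FINGERPRINT.startsWith("unknown")) {
            hits.add("FINGERPRINT=" + Build.FINGERPRINT);
        }
        if (Build.MODEL.contains("google_sdk") || Build.MODEL.contains("Emulator")
                || Build.MODEL.contains("Android SDK built for")) {
            hits.add("MODEL=" + Build.MODEL);
        }
        // goldfish is the QEMU-based emulator platform of that era; ranchu is its successor.
        if ("goldfish".equals(Build.HARDWARE) || "ranchu".equals(Build.HARDWARE)) {
            hits.add("HARDWARE=" + Build.HARDWARE);
        }
        if (Build.PRODUCT.contains("sdk") || Build.PRODUCT.contains("emulator")) {
            hits.add("PRODUCT=" + Build.PRODUCT);
        }
        if (Build.BRAND.startsWith("generic") && Build.DEVICE.startsWith("generic")) {
            hits.add("BRAND/DEVICE=" + Build.BRAND + "/" + Build.DEVICE);
        }
        return hits;
    }

    /** Google account names registered on the device; needs android.permission.GET_ACCOUNTS. */
    public static List<String> registeredGoogleAccounts(Context ctx) {
        List<String> names = new ArrayList<>();
        for (Account account : AccountManager.get(ctx).getAccountsByType("com.google")) {
            names.add(account.name);
        }
        return names;
    }

    /**
     * Combines the two signals. A payload that stays dormant while watched would gate
     * its real behaviour on this returning false; a sandbox operator wants none of
     * these checks to fire on any instance, which is exactly what a shared account
     * and generic build properties make impossible.
     */
    public static boolean looksLikeAnalysisSandbox(Context ctx) {
        if (!emulatorIndicators().isEmpty()) {
            return true;
        }
        for (String name : registeredGoogleAccounts(ctx)) {
            if (KNOWN_SANDBOX_ACCOUNT.equalsIgnoreCase(name)) {
                return true;
            }
        }
        return false;
    }
}
```

The countermeasure follows directly from the checks: each analysis instance needs vendor-like build properties and a distinct registered account, otherwise a single observation of the sandbox (which is what the spy app gave the researchers) is enough to recognise it on every later submission.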