Digital Identity Blog

Thought leadership for cybersecurity, fraud and digital channel professionals

Code Name: Oops? Researchers Claim to Sneak Malware Past Google’s “Bouncer”

By ThreatMetrix
ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.

As a result of two cyber researchers sneaking malware onto Google’s official app store, perhaps Google will have to change its app-market malware scanner’s codename from “Bouncer” to “Oops.”

Forbes reports, “Sean Schulte and Nicholas Percoco created a proof-of-concept malicious Android app — with functions that would have allowed it to do everything from secretly stealing information from users’ phones to performing denial of service attacks designed to take down target websites — disguised it as a friendly application, and managed to make it available for download in the official Android Market….” Even after scanning, Bouncer let the malware sashay on through like a major celebrity at an exclusive club.

Schulte and Percoco “presented their findings to Google and agreed not to publicly disclose their techniques for circumventing the company’s mobile malware scans until their Black Hat talk in Las Vegas this summer.”

According to the Forbes article, “Percoco says his and Schulte’s trick worked by uploading a harmless application past Google’s Bouncer, and then incrementally adding updates to give it more and more malicious capabilities.

“The pair started by building a simple program designed to screen text messages by blocking numbers input by the user. Then, over the course of three weeks, they tested a series of seven less-benign updates to the program, including adding the ability for the program to silently steal and transfer the user’s photos to a remote server, engage in click fraud, send spam emails, and participate in distributed denial of service attacks that hammer a target server with repeated requests for fraudulent information. Percoco says that the Android malware was also capable of receiving real-time commands and updates from a server, essentially everything necessary to create a botnet army of hijacked phones.”

Percoco and Schulte, who said they designed the malicious functions to be disabled if they were somehow downloaded by a user, refused to reveal the techniques used to get past Bouncer until the Black Hat conference. However, they did offer some hints: “We asked ourselves, what are some things that are completely allowed by the platform, legitimate activities that when you add them together (could create malware)? The techniques we developed made it very difficult if not impossible for even (a) manual review to detect this (‘bad’) functionality.”
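The incremental-update trick described above, seen from the reviewer's side as an added example (not code from this post, the Forbes article, or the researchers): a scanner that judges each update only against the previous version sees a small change every time, while one that also compares against the originally approved baseline sees the cumulative drift and the newly completed combinations of ordinary permissions. The permission names, risk weights, suspicious combinations and version history are all constructed assumptions, not a real Android manifest.

```python
"""Flag capability creep across successive app updates (constructed example)."""
from typing import Dict, List, Set

# Constructed weights: higher means a more sensitive capability.
RISK: Dict[str, int] = {
    "RECEIVE_SMS": 2, "READ_EXTERNAL_STORAGE": 2,
    "INTERNET": 1, "RECEIVE_BOOT_COMPLETED": 1, "WAKE_LOCK": 1,
}
# Constructed combinations: individually ordinary, suspicious when combined.
SUSPICIOUS_COMBOS: List[Set[str]] = [
    {"READ_EXTERNAL_STORAGE", "INTERNET"},                # data can leave the device
    {"RECEIVE_BOOT_COMPLETED", "WAKE_LOCK", "INTERNET"},  # persistent, always-on network loop
]

def risk_score(perms: Set[str]) -> int:
    """Sum the constructed weights; unknown permissions count 1."""
    return sum(RISK.get(p, 1) for p in perms)

def per_step_flags(history: List[Set[str]], step_limit: int = 3) -> List[str]:
    """Naive reviewer: looks only at what each update adds over the previous version."""
    return [f"v{i+1}: step adds risk {risk_score(history[i] - history[i-1])}"
            for i in range(1, len(history))
            if risk_score(history[i] - history[i-1]) > step_limit]

def review_updates(history: List[Set[str]], drift_limit: int = 3) -> List[str]:
    """Baseline-aware reviewer: flags cumulative drift and newly completed combinations."""
    findings, baseline = [], history[0]
    for i in range(1, len(history)):
        prev, cur = history[i-1], history[i]
        drift = risk_score(cur) - risk_score(baseline)
        if drift > drift_limit:
            findings.append(f"v{i+1}: drift {drift} over baseline, added {sorted(cur - baseline)}")
        for combo in SUSPICIOUS_COMBOS:
            if combo <= cur and not combo <= prev:
                findings.append(f"v{i+1}: update completes combination {sorted(combo)}")
    return findings

# Constructed history: an SMS-screening app that gains one permission per update.
SAMPLE_HISTORY: List[Set[str]] = [
    {"RECEIVE_SMS"},
    {"RECEIVE_SMS", "INTERNET"},
    {"RECEIVE_SMS", "INTERNET", "READ_EXTERNAL_STORAGE"},
    {"RECEIVE_SMS", "INTERNET", "READ_EXTERNAL_STORAGE", "RECEIVE_BOOT_COMPLETED"},
    {"RECEIVE_SMS", "INTERNET", "READ_EXTERNAL_STORAGE", "RECEIVE_BOOT_COMPLETED", "WAKE_LOCK"},
]
```

Run `per_step_flags(SAMPLE_HISTORY)` and `review_updates(SAMPLE_HISTORY)` side by side: the per-step reviewer returns nothing, while the baseline-aware one flags the completed combinations at v3 and v5 and the drift from v4 onward.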

After they had created their proof-of-concept application without being detected, they stopped trying to cloak the program’s malicious behavior. That’s when Bouncer got wind of what was going on and the app was deleted. As Percoco put it, “We pulled out the stops, made a lot of noise, and we were expecting Google to detect (the malware. They did.)”

Because the Apple operating system is more restrictive, it appears most malware writers are concentrating on Google’s platform. And, rather than Google’s official Market, which Percoco and Schulte managed to break into, most Android malware is either downloaded from third-party Android application platforms or the Web.

Forbes points out that while Percoco and Schulte may be the latest to sneak malware onto Google’s official app store, they’re not the first. “Researcher Jon Oberheide created proof-of-concept fake Twilight and Angry Birds applications in 2010 that were designed to update themselves on users’ phones with malicious code after download.” However, Percoco and Schulte were likely the first to test Google’s security since the company brought out Bouncer as a scanning tool for analyzing code and app behavior (even after an app has been accepted).

Observes Forbes, “Google…does have other safeguards for users: Apps are required to ask permission for individual functions on the phone, and Google has the ability to silently delete programs from users’ devices when the company determines them to be malicious. The company used that kill-switch to zap both proof-of-concept apps created by Jon Oberheide in 2010 as well as the Droid Dream malware that hit Android devices the next year.”

From Google’s experience, one thing is certain: defense in depth is the best protection for any enterprise.
