gurusmaker
Active Techie
After loading a legitimate Android app onto Google Play, researchers were able to update it with malicious functionality without triggering the malware detection system. Whoops.

Security researchers testing Google's Bouncer malware detection system for Android apps have managed to submit a benign app and then slowly update it to add malicious functionality, one of the researchers told CNET today.

Nicholas Percoco, head of Trustwave's SpiderLabs, and colleague Sean Schulte will be discussing their research during a session at Black Hat and Defcon next week in Las Vegas entitled "Adventures in Bouncerland."

After Google launched its Bouncer system to protect apps in the Google Play Android market in February, the researchers wanted to see if they could turn a good app that was already in the system into something malicious without triggering the Bouncer malware alarm system. They succeeded.

First they created an app that was designed to allow users to block text messages from specific individuals, known as an SMS blocker. Once the app was in the market and available for public download, the researchers updated it 11 times to add additional functionality that was totally unrelated to blocking text messages. None of the updates triggered Bouncer because the researchers used a cloaking method that masked the functionality changes from Bouncer, Percoco said. "We used a technique that allowed us to pull a blindfold over Bouncer," he said.

So their app, which they are refusing to identify until next week, started off as a simple SMS blocker and was updated incrementally to access all sorts of data on the device and even to turn the phone into a zombie for use in Distributed Denial-of-Service (DDoS) attacks.

"The last version we had in the store allowed us to steal all end user photos, contacts, phone records, SMS messages, and we can hijack a person's device" and direct the device to visit a malicious Web site, Percoco said. "The last functionality in there allowed us to define a location for the mobile device to go and launch a DDoS against a target."

Eventually, the researchers updated the app and removed the technology that had hidden the malicious functionality. At that point, Bouncer detected it as malicious and pulled it from the market.

Percoco will demonstrate in his talk how the app still residing on his test Android device steals information from the phone and can be used to launch a DDoS on a test Web site. The app was only downloaded onto this one device because he priced the app much higher than all the other many SMS blockers on the market, he said.

If other developers learn this masking trick we could see other Android apps go Mr. Hyde on us. "You now have trusted apps that could some day in the future decide to become malicious," Percoco said. "We need more granular permissions and controls that are mapped and pushed down to end user devices."

The researchers have contacted Google and will be meeting with Android researchers at the security conferences next week to discuss the issue, according to Percoco.

A Google spokeswoman said the company did not have comment on this matter.

Source: http://news.cnet.com/8301-1009_3-57476986-83/when-good-android-apps-go-bad-a-security-lesson/