Researchers Jon Oberheide and Charlie Miller have successfully dodged the notorious Google Bouncer, a security system meant to analyze and reject malicious Android applications before they are published on Google Play.
According to the findings detailed in the blog post, the researchers managed to implement a remote shell in an application they submitted for publication. When the Google Bouncer started to analyze the application, Oberheide and Miller got access to the remote shell and managed to probe the Bouncer infrastructure.
In simple terms, whenever an application is tested, the Google Bouncer infrastructure runs it in an emulated Android device hosted by Bouncer. Through the included shell, the researcher gained remote access to the emulated device running within the Bouncer system.
â€œWe can poke around the system using our shell to look for interesting attributes of the Bouncer environment such as the version of the kernel its running, the contents of the file system, or information about some of the devices emulated by the Bouncer environment,â€ the researchers wrote in the blog post.
Among other interesting discoveries, the researchers noted that the /sys directory holds the qemu_trace directory which can tell the application that it is being run into a virtual machine. This may not appear to be much, but, since the Bouncer is just a screening technology, it can be fooled by including extra logic inside the application for it to become aware if it is being analyzed or run in a userâ€™s device. The logic would resume to: if the qemu_trace folder is present and if the other attributes of the environment match the Bouncerâ€™s, then behave as if youâ€™re being analyzed. If not, start wreaking havoc, because youâ€™re probably installed on a smartphone or tablet.
“This is just one technique to fingerprint the Bouncer environment, allowing a malicious app to appear benign when run within Bouncer, and yet still perform malicious activities when run on a real user’s device,” Oberheide mentioned in the teaser video.