Google last week revealed that it had already deployed Bouncer last year, and that the technology had led to "a 40% decrease in the number of potentially malicious downloads from Android Market" between the first and second half of 2011. That wording is notable: Google isn't discussing the number of potentially bad apps that it blocked, but rather the number of times that people didn't download a potentially bad app.
Google said its statistic was meant to counterpoint warnings from "companies who market and sell anti-malware and security software" that the volume of Android malware continues to rise sharply. "While it's not possible to prevent bad people from building malware, the most important measurement is whether those bad applications are being installed from Android Market--and we know the rate is declining significantly," said Google.
[ There can be a fine line between adware and malware. See Counterclank Apps To Remain In Android Market. ]
Accordingly, might Bouncer, once and for all, settle the security debate between Apple's walled-garden approach and the more laissez-faire philosophy behind the Android Market? Some criticize the Google approach as being too reactive, while others see it as a healthy alternative to Apple's lockdown of iOS.
That debate will certainly continue to rage. But security expert Dmitry Bestuzhev at Kaspersky Lab--which sells antivirus software--said that without a doubt, Bouncer is a big step in the right direction, since it will scan all Android Market apps for the presence of known malware as well as monitor for suspicious behavior via emulation.
Still, there are limits to the approach. For starters, "not all AV engines have the same quality, so there is a possibility some malicious apps won't be detected as malicious," Bestuzhev said in a blog post. Bouncer also likely wouldn't spot malware that targeted zero-day vulnerabilities. Furthermore, apps can be designed with "anti-emulation tricks, or a malicious app can be programmed to behave differently once an emulation is detected, making the app appear to be non-threatening," he said.
Emulation workarounds have already been well-honed by developers of Windows viruses. Security researcher Charlie Miller also used those techniques last year to bypass Apple's App Store checks and publish Instastock, a fake stock market app that exploited a code-signing vulnerability in iOS, allowing him to launch a proof-of-concept attack that "stole" data from his own iPhone. In response, Apple excommunicated Miller from its iOS developer program for one year.
Bestuzhev said other anti-emulation tricks might include designing functionality that gets triggered only if the device is running on specified telecommunications carriers. "For example, an app could be designed to only behave maliciously if it detects a Latin American carrier," he said. "If the same app is used by a U.S. carrier, no malicious behavior will be detected."
To further improve Android Market security, Google has also announced that it will begin vetting all new developer accounts. But Bestuzhev predicts that the combination of these checks and using Bouncer to patrol the Android Market for fake and malicious apps will likely lead attackers to attempt to hack into developer accounts that Google already trusts, then using them as malicious app distribution channels.
The fake apps were named after legitimate offerings, including "Madden NFL 12," "Angry Chicken," "SpeedRacer--Final Death Match," "Crazy Penguin Catapult," and "Batman Arkham City Lockdown." Google has excised the apps in question (although Android Police posted a screen grab on Flickr that shows the apps).
While the names of the apps appeared to be legitimate, Android Police noted that all of the apps had been created with "AppInventor," which it said is a red flag for fake apps. Meanwhile, under "publisher," some of the apps riffed on the name Rovio--maker of Angry Birds--by using the fake name "ROVIO MOBIIE LTD." According to Android Police, "the Bouncer may be watching out for malware, but it still has room to grow, especially in the Rovio Mobile Ltd case."
The right forensic tools in the right hands are just a start. The new Digital Detectives issue of Dark Reading shows you how to better apply the lessons they teach. (Free registration required.)