Google Bouncer Won't Block All Android Malware - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Mobile

Google Bouncer Won't Block All Android Malware

Security expert says Google Bouncer malware checks are a step in the right direction, but not a complete solution. Meanwhile, Google excised more fake apps from the Android Market.

10 Worst Android Apps
10 Worst Android Apps
(click image for larger view and for slideshow)
Will the newly announced Google Bouncer help the company prevent all fraudulent and malicious apps from sneaking into its Android Market?

Google last week revealed that it had already deployed Bouncer last year, and that the technology had led to "a 40% decrease in the number of potentially malicious downloads from Android Market" between the first and second half of 2011. That wording is notable: Google isn't discussing the number of potentially bad apps that it blocked, but rather the number of times that people didn't download a potentially bad app.

Google said its statistic was meant to counterpoint warnings from "companies who market and sell anti-malware and security software" that the volume of Android malware continues to rise sharply. "While it's not possible to prevent bad people from building malware, the most important measurement is whether those bad applications are being installed from Android Market--and we know the rate is declining significantly," said Google.

[ There can be a fine line between adware and malware. See Counterclank Apps To Remain In Android Market. ]

Accordingly, might Bouncer, once and for all, settle the security debate between Apple's walled-garden approach and the more laissez-faire philosophy behind the Android Market? Some criticize the Google approach as being too reactive, while others see it as a healthy alternative to Apple's lockdown of iOS.

That debate will certainly continue to rage. But security expert Dmitry Bestuzhev at Kaspersky Lab--which sells antivirus software--said that without a doubt, Bouncer is a big step in the right direction, since it will scan all Android Market apps for the presence of known malware as well as monitor for suspicious behavior via emulation.

Still, there are limits to the approach. For starters, "not all AV engines have the same quality, so there is a possibility some malicious apps won't be detected as malicious," Bestuzhev said in a blog post. Bouncer also likely wouldn't spot malware that targeted zero-day vulnerabilities. Furthermore, apps can be designed with "anti-emulation tricks, or a malicious app can be programmed to behave differently once an emulation is detected, making the app appear to be non-threatening," he said.

Emulation workarounds have already been well-honed by developers of Windows viruses. Security researcher Charlie Miller also used those techniques last year to bypass Apple's App Store checks and publish Instastock, a fake stock market app that exploited a code-signing vulnerability in iOS, allowing him to launch a proof-of-concept attack that "stole" data from his own iPhone. In response, Apple excommunicated Miller from its iOS developer program for one year.

Bestuzhev said other anti-emulation tricks might include designing functionality that gets triggered only if the device is running on specified telecommunications carriers. "For example, an app could be designed to only behave maliciously if it detects a Latin American carrier," he said. "If the same app is used by a U.S. carrier, no malicious behavior will be detected."

To further improve Android Market security, Google has also announced that it will begin vetting all new developer accounts. But Bestuzhev predicts that the combination of these checks and using Bouncer to patrol the Android Market for fake and malicious apps will likely lead attackers to attempt to hack into developer accounts that Google already trusts, then using them as malicious app distribution channels.

In other Android suspicious-app news, Android Police Monday reported finding new, potentially malicious applications in the Android Market.

The fake apps were named after legitimate offerings, including "Madden NFL 12," "Angry Chicken," "SpeedRacer--Final Death Match," "Crazy Penguin Catapult," and "Batman Arkham City Lockdown." Google has excised the apps in question (although Android Police posted a screen grab on Flickr that shows the apps).

While the names of the apps appeared to be legitimate, Android Police noted that all of the apps had been created with "AppInventor," which it said is a red flag for fake apps. Meanwhile, under "publisher," some of the apps riffed on the name Rovio--maker of Angry Birds--by using the fake name "ROVIO MOBIIE LTD." According to Android Police, "the Bouncer may be watching out for malware, but it still has room to grow, especially in the Rovio Mobile Ltd case."

The right forensic tools in the right hands are just a start. The new Digital Detectives issue of Dark Reading shows you how to better apply the lessons they teach. (Free registration required.)

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
captbilly
50%
50%
captbilly,
User Rank: Apprentice
2/7/2012 | 10:44:42 PM
re: Google Bouncer Won't Block All Android Malware
Are you serious? Having a headline like, "Google Bouncer Won't Block All Android Malware", is a bit like saying that vaccines won't protect us from all disease. Yes, it is true that Bouncer won't block all malicious apps, just as Apple or Microsoft haven't been able to protect their OSs from all malware and viruses, but I believe that was obvious to everyone. Maybe tomorrow you could have a headline that says, "sunglasses will not stop the sun from coming up tomorrow".
Sabrina
50%
50%
Sabrina,
User Rank: Apprentice
2/8/2012 | 10:10:20 AM
re: Google Bouncer Won't Block All Android Malware
security features built into the Android system, including application sandboxing, permission-based operation, and the ease of removing malware either through the phone or remotely via the Android Market.
Commentary
Gartner Forecast Sees 7.3% Shrinkage in IT Spending for 2020
Joao-Pierre S. Ruth, Senior Writer,  7/15/2020
Slideshows
10 Ways AI Is Transforming Enterprise Software
Cynthia Harvey, Freelance Journalist, InformationWeek,  7/13/2020
Commentary
IT Career Paths You May Not Have Considered
Lisa Morgan, Freelance Writer,  6/30/2020
White Papers
Register for InformationWeek Newsletters
2020 State of DevOps Report
2020 State of DevOps Report
Download this report today to learn more about the key tools and technologies being utilized, and how organizations deal with the cultural and process changes that DevOps brings. The report also examines the barriers organizations face, as well as the rewards from DevOps including faster application delivery, higher quality products, and quicker recovery from errors in production.
Video
Current Issue
Special Report: Why Performance Testing is Crucial Today
This special report will help enterprises determine what they should expect from performance testing solutions and how to put them to work most efficiently. Get it today!
Slideshows
Flash Poll