When good Android apps go bad -- a security lesson

After loading a legitimate Android app onto Google Play, researchers were able to update it with malicious functionality without triggering the malware detection system. Whoops.

Elinor Mills, Former Staff Writer
Nicholas Percoco, head of Trustwave's SpiderLabs, managed to turn a legitimate Android app into malware without alerting the malware detection system. (Photo: Trustwave SpiderLabs)

Security researchers testing Google's Bouncer malware detection system for Android apps have managed to submit a benign app and then slowly update it to add malicious functionality, one of the researchers told CNET today.

Nicholas Percoco, head of Trustwave's SpiderLabs, and colleague Sean Schulte will be discussing their research during a session at Black Hat and Defcon next week in Las Vegas entitled "Adventures in Bouncerland."

After Google launched its Bouncer system in February to screen apps submitted to the Google Play Android market, the researchers wanted to see if they could turn a good app that was already in the system into something malicious without triggering the Bouncer malware alarm. They succeeded.

First they created an app designed to let users block text messages from specific individuals, known as an SMS blocker. Once the app was in the market and available for public download, the researchers updated it 11 times to add functionality that was totally unrelated to blocking text messages. None of the updates triggered Bouncer because the researchers used a cloaking method that masked the functionality changes from Bouncer, Percoco said. "We used a technique that allowed us to pull a blindfold over Bouncer," he said.

So their app, which they are refusing to identify until next week, started off as a simple SMS blocker and was updated incrementally to access all sorts of data on the device and even to turn the phone into a zombie for use in Distributed Denial-of-Service (DDoS) attacks.

"The last version we had in the store allowed us to steal all end user photos, contacts, phone records, SMS messages, and we can hijack a person's device" and direct the device to visit a malicious Web site, Percoco said. "The last functionality in there allowed us to define a location for the mobile device to go and launch a DDoS against a target."

Eventually, the researchers updated the app and removed the technology that had hidden the malicious functionality. At that point, Bouncer detected it as malicious and pulled it from the market.

Percoco will demonstrate in his talk how the app, still residing on his test Android device, steals information from the phone and can be used to launch a DDoS on a test Web site. The app was only downloaded onto this one device because he priced it much higher than the many other SMS blockers on the market, he said.

If other developers learn this masking trick, we could see other Android apps go Mr. Hyde on us. "You now have trusted apps that could some day in the future decide to become malicious," Percoco said. "We need more granular permissions and controls that are mapped and pushed down to end user devices."

So, for example, if the device detects that an app is now doing something that wasn't in its original functionality map, or mission, the device would block it. "We need a multi-pronged approach against malware on these devices, not just automated tools at pre-entry," he said.
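One way to make Percoco's "original functionality map" concrete is to review each update of an app against the permissions its declared purpose can justify, rather than against the previous version alone. The Python below is an added example written for this article, not code from Trustwave, SpiderLabs or Google: the purpose profile for an SMS blocker, the list of sensitive permissions and the five-version update history are all constructed (the permission names are real Android ones, the grouping is hypothetical). It contrasts a naive reviewer that only looks at the size of each update, which never alarms because every step is small, with a purpose-relative reviewer that measures cumulative drift from the baseline and flags the app at the first update that steps outside its mission.

```python
# Added example: purpose-relative permission-drift check across app updates.
# Not code from Trustwave or Google; profiles and history are constructed.
from dataclasses import dataclass

# Hypothetical purpose profiles: the permissions an app of that category can
# justify. The permission names are real Android ones; the grouping is ours.
PURPOSE_PROFILES = {
    "sms_blocker": frozenset({"RECEIVE_SMS", "READ_SMS", "READ_CONTACTS"}),
}

# Permissions that matter most when they appear outside an app's purpose:
# each enables the data theft or remote control described in the article.
SENSITIVE = frozenset({
    "INTERNET", "READ_CALL_LOG", "READ_EXTERNAL_STORAGE",
    "ACCESS_FINE_LOCATION", "CAMERA", "RECORD_AUDIO",
})

# Constructed update history: (version_code, declared permissions).
# Each update adds exactly one permission, so no single change looks large.
_BASE = {"RECEIVE_SMS", "READ_SMS", "READ_CONTACTS"}
_ADDED = ["INTERNET", "READ_CALL_LOG", "READ_EXTERNAL_STORAGE",
          "ACCESS_FINE_LOCATION"]
SAMPLE_HISTORY = [(1, set(_BASE))]
for _code, _perm in enumerate(_ADDED, start=2):
    SAMPLE_HISTORY.append((_code, SAMPLE_HISTORY[-1][1] | {_perm}))


@dataclass(frozen=True)
class Finding:
    version: int
    added_since_previous: frozenset  # delta vs. the immediately preceding version
    drift_from_baseline: frozenset   # everything beyond the purpose profile
    flagged: bool                    # drift touches a sensitive permission


def per_update_review(history, tolerance=1):
    """Naive reviewer: compares each version only with the previous one and
    alarms when a single update adds more than `tolerance` permissions.
    Returns the first alarming version code, or None."""
    prev = set()
    for code, perms in history:
        if prev and len(perms - prev) > tolerance:
            return code
        prev = perms
    return None


def check_update_history(purpose, history):
    """Purpose-relative reviewer: measures every version against the
    permissions the declared purpose justifies, not against the previous
    version, so small steps accumulate into visible drift."""
    allowed = PURPOSE_PROFILES[purpose]
    findings = []
    prev = set()
    for code, perms in history:
        drift = frozenset(perms - allowed)
        findings.append(Finding(
            version=code,
            added_since_previous=frozenset(perms - prev),
            drift_from_baseline=drift,
            flagged=bool(drift & SENSITIVE),
        ))
        prev = perms
    return findings


def baseline_review(purpose, history):
    """First version whose cumulative drift includes a sensitive permission,
    or None if the app never leaves its purpose profile."""
    for finding in check_update_history(purpose, history):
        if finding.flagged:
            return finding.version
    return None


if __name__ == "__main__":
    print("per-update reviewer alarms at:", per_update_review(SAMPLE_HISTORY))
    print("baseline reviewer alarms at:",
          baseline_review("sms_blocker", SAMPLE_HISTORY))
    for f in check_update_history("sms_blocker", SAMPLE_HISTORY):
        print(f.version, sorted(f.added_since_previous),
              sorted(f.drift_from_baseline), f.flagged)
```

The design point is the reference frame: a reviewer that only diffs against the previous version is exactly what an attacker defeats with eleven small updates, while a reviewer anchored to the version a user originally trusted, and to what that app's category needs, sees the accumulated divergence no matter how gradually it was built up. On a device this is the check that would let "the device block it", in Percoco's words, when an app starts doing something outside its mission.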

The researchers have contacted Google and will be meeting with Android researchers at the security conferences next week to discuss the issue, according to Percoco.

A Google spokeswoman said the company did not have comment on this matter.

Previously, researchers were able to bypass Bouncer directly by obtaining shell access, and there has been malware that went undetected on Google Play, but it required user interaction. This recent research required no user interaction; it exploited a hole in Bouncer through legitimate access, following all the rules, Percoco said.