Droid malware cloak outwits Google Bouncer and friends



Researchers show VXers a better way to infect Mountain View's mobile OS

By Darren Pauli, 13 May 2014

Google's Bouncer Android defence tool is one of a dozen malware detection platforms that can be flawlessly skirted by malware employing smarter heuristics, researchers have found.

Malware kitted out with virtual machine detection functions and clever heuristics could bypass seemingly any detection platform on the market. Bouncer was employed by Mountain View to weed out malicious applications before they hit the official Play Store.

Researchers found it and other dynamic analysis platforms lacked the capabilities to foil most, and typically all, of the academics' heuristics, which they built into their mutant malware.

"To assess the effectiveness of our techniques, we incorporated them in real malware samples and submitted them to publicly available Android dynamic analysis systems, with alarming results," the team of five university researchers wrote in a paper (PDF) titled Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware.
 
One for our brethren that use Android... it just seems to me that whatever anyone does to try to be secure, just about everything possible is being suborned for use as a potential vector for infection... very worrying... and enough to turn some paranoid, I am sure.

We are quite aware of Google's Bouncer, the Android malware scanner that tests apps by running them in a virtualized environment, i.e. a simulated phone created in software, which automatically scans the apps to watch their real behaviour on users' devices before approving them for the Play Store market. To protect its users and their devices from harm, Google launched this app scanning tool two years ago. Bouncer is a security feature for the Android Play Store market that is designed to protect Android users from becoming victims of malicious Android malware apps. But does the security tool go far enough?

Despite this protective shield, we have seen the Google Play Store market surrounded by many malicious apps which easily bypass the Bouncer scan test and target Android users. Security researchers from Columbia University have exploited weaknesses in Google's Bouncer service to sneak malicious apps onto the Android market. They published a new research paper revealing that all such dynamic analysis tools and services are vulnerable to most of the evasion techniques they discovered. Along with Google Bouncer, other heuristic (dynamic) analysis tools detect malicious applications based on previous knowledge of typical sequences of commands in code or of metadata (static analysis), or on behaviour (dynamic analysis).

The research paper (PDF), titled "Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware", was conducted by a team of five researchers, Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis and Sotiris Ioannidis of the Institute of Computer Science from Columbia University, USA. They created some malware samples that were able to hide themselves when analyzed in an emulated environment, and hence developed the capability to bypass heuristic-based dynamic and static analysis platforms such as Andrubis, DroidBox, DroidScope, APK Analyzer, or APKScan.
"A malicious program can try to infer whether it runs in an emulated environment, and therefore evade detection by pausing all malicious activities," the researchers said. "Even trivial techniques, such as checking the value of the IMEI, are enough to evade some of the existing dynamic analysis frameworks."
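The IMEI check quoted above is the cheapest of the paper's static heuristics, and the natural follow-up question for anyone running a sandbox is "which of these does my environment trip?". The script below is an added example written for this thread, not code from the article, the paper, Google, or any of the analysis platforms named. It audits a device profile (telephony identifiers, a few `ro.*` build properties as printed by `adb shell getprop`, the guest IP and the sensor list) against the stock Android SDK emulator's documented defaults. The three device profiles are constructed sample data, the profile dictionary layout is this example's own, and the "hardening" story it tells is an assumption about a sandbox operator's choices, not a description of any real product.

```python
"""Added example (not from the article or the paper): an analyst-side audit of
the static emulator fingerprints an Android analysis sandbox exposes, i.e. the
values a sample can read cheaply to decide "I am being analysed, stay quiet".

Emulator constants are the documented defaults of the stock Android SDK
emulator (goldfish/QEMU); every device profile here is constructed sample
data, not a capture from a real sandbox or handset."""

import re

# Well-known defaults of the stock Android emulator.
EMULATOR_IMEI = "000000000000000"
EMULATOR_IMSI = "310260000000000"
EMULATOR_LINE1 = re.compile(r"^1555521\d{4}$")   # 15555215554 on console port 5554
EMULATOR_IP = "10.0.2.15"                         # QEMU user-mode network guest address


def parse_getprop(text):
    """Parse `adb shell getprop` output ('[key]: [value]' per line) into a dict."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"^\[([^\]]+)\]: \[(.*)\]$", line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


# (name, predicate). True means "this value looks like the stock emulator".
# Ordering matters only for the report; the list mirrors the paper's static class
# of checks (identifiers, build properties, network, sensors).
STATIC_CHECKS = [
    ("imei_all_zeros",      lambda p: p["imei"] == EMULATOR_IMEI),
    ("imsi_default",        lambda p: p["imsi"] == EMULATOR_IMSI),
    ("line1_number_5555",   lambda p: bool(EMULATOR_LINE1.match(p["line1"]))),
    ("fingerprint_generic", lambda p: p["props"].get("ro.build.fingerprint", "").startswith("generic")),
    ("hardware_goldfish",   lambda p: p["props"].get("ro.hardware") in ("goldfish", "ranchu")),
    ("model_sdk",           lambda p: "sdk" in p["props"].get("ro.product.model", "").lower()),
    ("qemu_ip",             lambda p: p["ip"] == EMULATOR_IP),
    ("no_sensors",          lambda p: not p["sensors"]),
]


def sandbox_exposure(profile):
    """Names of the static heuristics that would flag this profile as emulated."""
    return [name for name, check in STATIC_CHECKS if check(profile)]


# ---- constructed sample profiles (illustrative values, not real captures) ----
STOCK_EMULATOR_GETPROP = """\
[ro.build.fingerprint]: [generic/sdk/generic:4.4.2/KVT49L/937116:eng/test-keys]
[ro.hardware]: [goldfish]
[ro.product.model]: [sdk]
"""
STOCK_EMULATOR = {
    "imei": EMULATOR_IMEI, "imsi": EMULATOR_IMSI, "line1": "15555215554",
    "ip": EMULATOR_IP, "sensors": [],
    "props": parse_getprop(STOCK_EMULATOR_GETPROP),
}

# The same sandbox after only the telephony identifiers were randomised: the
# cheapest fix, and the one the IMEI quote might tempt an operator to stop at.
IMEI_PATCHED_SANDBOX = dict(STOCK_EMULATOR,
                            imei="490154203237518", imsi="310260123456789",
                            line1="12025550147")

REAL_DEVICE_GETPROP = """\
[ro.build.fingerprint]: [samsung/hlte/hlte:4.4.2/KOT49H/N9005XXUENC2:user/release-keys]
[ro.hardware]: [qcom]
[ro.product.model]: [SM-N9005]
"""
REAL_DEVICE = {
    "imei": "490154203237518", "imsi": "310260123456789", "line1": "12025550147",
    "ip": "192.168.1.23", "sensors": ["accelerometer", "gyroscope", "light"],
    "props": parse_getprop(REAL_DEVICE_GETPROP),
}

if __name__ == "__main__":
    for label, prof in [("stock emulator", STOCK_EMULATOR),
                        ("IMEI-patched sandbox", IMEI_PATCHED_SANDBOX),
                        ("real device", REAL_DEVICE)]:
        print(f"{label:22s} -> {sandbox_exposure(prof) or 'passes all static checks'}")
```

Run against a real sandbox, you would feed `parse_getprop` the actual `adb shell getprop` output and fill in the telephony fields from `TelephonyManager`. The point the IMEI-patched profile makes is that fixing the one value the article quotes still leaves the build fingerprint, hardware name, QEMU guest address and empty sensor list for a sample to test. Even a profile that passes every static check here only covers one of the paper's heuristic classes; its sensor-event and hypervisor-level checks look at runtime behaviour that cannot be patched by editing identifiers.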
Hi Petr
 
Thanks, but already covered by this thread:
 
https://community.webroot.com/t5/Security-Industry-News/Droid-malware-cloak-outwits-Google-Bouncer-and-friends/td-p/107732
 
started yesterday...you may want to delete your thread and transfer the reference to the initial thread on the topic.
 
Regards
 
 
Baldrick
