Google has been trying to build a tight security mechanism into the Android Market so that malicious apps are filtered out and are not allowed to stay in the market. To do so, Google uses a scanning program called ‘Bouncer.’ Now, security researchers have been able to identify details of the antivirus scanner that Google uses, details that can be exploited by hackers.
According to the research done by Jon Oberheide and Charlie Miller, Google’s antivirus scanner is called Miles Karlson and has one friend, named Michelle K. It is also a fan of Lady Gaga.
By knowing even one of these details, a malicious app can fool the scanner and make its way into the Android Market. Miller and Oberheide will present their research at the Summercon conference, which is scheduled for this week in New York. During the presentation, the two will present a new method to exploit the security of Google’s Android Market scanners.
Google’s ‘Bouncer’ takes an app and runs it on a virtual phone to check how it works and whether it is involved in phishing user data or sending spam through the user’s device. If all goes well, the app is considered safe; otherwise it is deemed malicious.
Miller and his co-researcher think that if an app can tell it is being run in a simulation while ‘Bouncer’ is testing it, the app can appear safe during the test-drive and then, once it is approved, return to its malicious behaviour.
According to Oberheide, “The question for Google is, how do you make it so the malware doesn’t know it’s running in a simulated environment? You want to pretend you’re running a real system. But a lot of tricks can be played by malware to learn that it’s being monitored.”
Moreover, they say that there are ways to find out when a simulation is being run. For instance, a virtual phone will be slower than an actual device, and when Bouncer tries to contact Google’s servers during the simulation, the app can recognize the IP address of Google’s servers and then behave itself, knowing that it is a test simulation.
Miller and Oberheide say they also contacted Google about this and that Google has since improved the security of Bouncer so that it is difficult to tell it apart from a real phone.