CNET researchers wanted to see whether Android apps in Google Play can be malicious. To find out, they placed a genuine application on the online market and later updated it with malicious functionality, proving that these programs can be used to control mobile devices.
Google Bouncer is the program that the Internet company has put in place to detect any malware content that could be added to Android applications. Researchers put themselves in the shoes of hackers to identify all the possible methods that could be used to turn a good app into an evil one. After many failed attempts, they managed to get a genuine program onto Google Play and transform it into a malicious app with the help of an update.
The results of the research will be presented at the Black Hat and Defcon session which will be hosted next week in Las Vegas. The presentation is entitled “Adventures in Bouncerland” and is meant to prove that Bouncer, the malware detector that Google introduced in February, is not as advanced as they think it is.
The application, named “SMS blocker”, did exactly what its name said it would: block any unwanted messages from reaching people’s phones. Researchers placed it on Google’s Android market and waited until the application was accepted. Afterwards, they updated it 11 times to provide it with additional functionality, but Bouncer did not detect the changes because the team used a special blindfolding technology. The application was then used to access all sorts of data and even to use the phone as a tool for Distributed Denial-of-Service (DDoS) attacks.
Nicholas Percoco, head of Trustwave’s SpiderLabs, told the press that the last version of the app they placed in the store was capable of stealing photos, phone records and messages, and even of hijacking the phone to access malicious websites. In the end, they performed another update, but this time without the help of the blindfolding technology. Bouncer detected the malicious program and removed it from the store.
Researchers think Google should improve its malware detection program; otherwise, applications could be used to control other people’s devices. Google was not available for comment.