New, Evolved Android Malware Shows That Google’s Bouncer Service Can Possibly Be Sidestepped

Google's new Bouncer service, announced last week, is said to have already cut the number of malware apps in the Android Market by about 40%. That is a great number, but Bouncer isn't perfect, and it is probably only the opening round of many back-and-forth battles between the search giant and malicious hackers.

However, it appears that hackers may already have found a way around this service. According to North Carolina State University professor Xuxian Jiang, he and his team have discovered a new malware variant that pulls off a sneaky maneuver: the app contains no malicious code when it is first installed on a device, so it evades any scan or permission request that could reveal its intentions up front. Here's the trick. Once installed, the app downloads new code from a remote server and can hide that download among the phone's ordinary network traffic.

Part of the code downloaded in the exploit is known as “Gingerbreak.” Yes, this is the same Gingerbreak used to gain root access on some Android 2.3 devices. Here it serves the same purpose: full root access to the device, which gives hackers, criminals and anyone else free use of any of the phone's functions at any time. This includes calling paid numbers, reading data, listening through the microphone or installing other malicious apps. Jiang's team found DroidLive secretly installed this way; that exploit profits by sending text messages to paid phone numbers.

Known as “privilege escalation,” this kind of exploit is quite difficult to achieve on Apple's more restrictive OS, which only allows approved code to run on its devices. Android devices, however, have already seen such exploits demonstrated in a research setting by security researcher Jon Oberheide, who previously hid the ability to download this malicious code in two proof-of-concept Android applications. One impersonated a Twilight movie photo app and the other was disguised as an Angry Birds “sequel.”

Thanks to this research, Android privilege escalation has been proven to be more than theoretical. According to Jiang, “Jon had just shown this was possible.” He continued: “This is the first actual malware that we found in the wild that uses this technique.” Jiang calls the new exploit “Rootsmart,” a name based on Oberheide's prototype “Rootstrap” combined with “com.google.android.smart,” used by the malware authors.

Rootsmart itself isn't much of a threat to American Android users. In its current form it doesn't package itself as anything a user might be tempted to download, and it wasn't found in the official Android Market, only on a Chinese app download site. However, apps like this could potentially evade the Bouncer service. Bouncer scans every app uploaded to the Market for known malware and then simulates running it, so Rootsmart may get a free pass because it doesn't initially contain any malware. The app could simply wait out the Bouncer analysis period before the malicious code is downloaded. Whether or not the Android Market scans would catch this is untested.
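The evasion described above rests on a combination a static scan can still look for: an app that ships no payload but has both network access and an API that turns downloaded bytes into executable code. The following heuristic is an added example, not code from the article, NCSU or Google; it assumes the app's manifest and dex strings have already been extracted into a list (for instance from an `aapt`/`dexdump`-style tool), and the sample strings are constructed.

```python
"""Constructed triage heuristic for the 'empty dropper' pattern: no malicious
code at install time, but the means to fetch and load code later."""
import re

# Real Android/Java API names in dex descriptor form; each one lets an app
# execute code that was not present in the APK at scan time.
DYNAMIC_LOAD_APIS = (
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/PathClassLoader;",
    "Ljava/lang/Runtime;->exec",
    "Ljava/lang/System;->load",
)
NETWORK_PERMISSION = "android.permission.INTERNET"
URL_RE = re.compile(r"https?://[^\s\"']+")


def assess(strings):
    """Return a verdict dict for one APK's extracted manifest + dex strings."""
    has_net = NETWORK_PERMISSION in strings
    loaders = sorted({api for api in DYNAMIC_LOAD_APIS
                      if any(api in s for s in strings)})
    urls = sorted({m.group(0) for s in strings for m in URL_RE.finditer(s)})
    # The suspicious combination: it can fetch bytes AND turn bytes into code.
    suspicious = has_net and bool(loaders)
    return {"suspicious": suspicious, "network": has_net,
            "loaders": loaders, "urls": urls}


# Constructed sample: what a payload-less dropper's string table might contain.
SAMPLE_DROPPER = [
    "android.permission.INTERNET",
    "Landroid/app/Activity;",
    "Ldalvik/system/DexClassLoader;-><init>",
    "http://update.example.invalid/plugin.jar",  # placeholder, not a real server
    "Ljava/lang/Runtime;->exec",
]
# Constructed sample: an ordinary networked app with no code-loading API.
SAMPLE_BENIGN = [
    "android.permission.INTERNET",
    "Landroid/app/Activity;",
    "https://api.example.invalid/v1/photos",
]

if __name__ == "__main__":
    for name, strs in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        print(name, assess(strs))
```

A hit is a triage signal, not a verdict: legitimate plugin and update frameworks use the same loader APIs, and a static check can only see the loader, never the payload that arrives later, which is why on-device runtime monitoring matters alongside upload-time scanning.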

When Forbes contacted Google for comment, a spokesperson pointed out that Rootsmart hasn't been found in the official Market and so currently falls outside Bouncer's zone of protection. But Jiang believes a version could be uploaded to the Android Market that would evade the malware filter. He said: “At the very least, this would cause some challenges for a Bouncer-like system. I expect we’ll see more of this in the future.”

source: NCSU
via: Forbes

2 comments
  1. Uhh, Mr. Miles has already demonstrated a privilege escalation and arbitrary code execution on the I series devices and garnered over 10k downloads over weeks before getting banned. So to say it’s difficult isn’t true.

    Programs will be programs. Some are bad, some are hard to detect.

    And some apps are gone from the market as of this post. yawn

  2. I’m curious as to how they can claim Bouncer can’t detect it, if there hasn’t been a known exploit of it on the Android Market? It seems like a lot of information is being taken out of context for a sensationalist headline. Google hasn’t even stated how Bouncer works exactly.
