#BlackHat: Researchers upload dangerous app to Google Play store

Powered by SC Magazine
 

Google's Bouncer beat by legit JavaScript trick.

View larger image View larger image View larger image

See all pictures here »

Two researchers demonstrated how they were able to push a malicious information-stealing app onto Google Play, even while Google's Bouncer custom malware scanner is watching.

They circumvented the Bouncer automated scanner with a JavaScript trick that transformed a benign Android app into a malicious one on Google Play.

Black Hat 2012 coverage

Nicholas Percoco and Sean Schulte of Trustwave Spider Labs developed a benevolent app called “SMS Bloxer,” which looked like other SMS blocker apps on the market.

In order to ensure regular users didn't accidentally download the app, Trustwave also priced it at $49.95, in stark contrast to similar apps, which were usually $2 or less, or free.

SMS Bloxer lived on Google Play for two weeks and didn't get flagged by Bouncer for that entire period of time. At its worst, the app was capable of  stealing contacts, SMS messages, and photos.

It could harvest information about the device or force a web page to load, the researchers said. It could also launch a denial-of-service attack.

“Google never flagged it,” Percoco said.

The internet giant, recognising that malicious applications were becoming a growing problem, introduced Bouncer in February.

Google must have realized reacting was a losing battle and some kind of app review was needed, hence Bouncer, Schulte said. There wasn't a lot of information available publicly about the technology or how it worked, which piqued Trustwave's curiosity, Percoco said.

“We wanted to test the bounds of what it's capable of," Percoco said.

The team created a benign app that just reported back to Trustwave whenever it was executed, and made it past Bouncer and onto Google Play. The team had determined Bouncer's IP address by this time, and modified the test app to act maliciously only if it was executed outside Bouncer. 

To avoid detection, the team used  the JavaScript bridge, a “legitimate” workaround supported by Android, Percoco said.

The bridge lets developers remotely add new  features to a program using JavaScript, or changing the look and feel of an app by modifying the HTML, without having to go back through the entire app approval or update process. Facebook and LinkedIn use this method for their apps, Percoco said.

Trustwave used the JavaScript bridge to add increasingly malicious capabilities to the app. Bouncer scanned the app repeatedly, but never noticed the new malicious features. Only when the team tweaked the app to execute every second did Bouncer notice it and suspend the developer account, Percoco said.

Trustwave shared its findings with Google, and Percoco said the company was a “great organization to work with." A Google spokesperson could not be reached for comment by SCMagazine.com.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


 
 
 
Top Stories
Innovating in the sleepy super industry
There’s little incentive to be on the bleeding edge, so why is Andrew Todd fighting so hard?
 
How technology will unify Toll
The systems headache formed through 15 years of acquisitions.
 
Immigration breached Privacy Act with data leak
Pilgrim slams "copy and paste" of asylum seeker data.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Optus steps up regional 4G coverage
Nov 20, 2014
Once 700Mhz services are working, Optus claims regional users will have a "faster and more ...
This Huawei 4G phone costs $99
Nov 12, 2014
The $99 Huawei Ascend Y550, available through Vodafone, enters the budget market as one of the ...
4G smartphones: Microsoft's Lumia 830
Nov 7, 2014
Microsoft has announced its flagship Windows Phone, the Nokia Lumia 830 4G, will be available in ...
Do you direct debit customers? Read this
Oct 10, 2014
Authorities have been targeting direct debit practices with iiNet and Dodo receiving formal ...
Optus expands 4G coverage
Oct 10, 2014
If you rely on an Optus phone for work you might be interested to know that there are now 200 ...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  39%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  7%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  6%
TOTAL VOTES: 813

Vote