Two researchers demonstrated how they were able to push a malicious information-stealing app onto Google Play, even while Google's Bouncer custom malware scanner is watching.
Nicholas Percoco and Sean Schulte of Trustwave Spider Labs developed a benevolent app called “SMS Bloxer,” which looked like other SMS blocker apps on the market.
In order to ensure regular users didn't accidentally download the app, Trustwave also priced it at $49.95, in stark contrast to similar apps, which were usually $2 or less, or free.
SMS Bloxer lived on Google Play for two weeks and didn't get flagged by Bouncer for that entire period of time. At its worst, the app was capable of stealing contacts, SMS messages, and photos.
It could harvest information about the device or force a web page to load, the researchers said. It could also launch a denial-of-service attack.
“Google never flagged it,” Percoco said.
The internet giant, recognising that malicious applications were becoming a growing problem, introduced Bouncer in February.
Google must have realized reacting was a losing battle and some kind of app review was needed, hence Bouncer, Schulte said. There wasn't a lot of information available publicly about the technology or how it worked, which piqued Trustwave's curiosity, Percoco said.
“We wanted to test the bounds of what it's capable of,” Percoco said.
The team created a benign app that just reported back to Trustwave whenever it was executed, and made it past Bouncer and onto Google Play. The team had determined Bouncer's IP address by this time, and modified the test app to act maliciously only if it was executed outside Bouncer.
Trustwave shared its findings with Google, and Percoco said the company was a “great organization to work with.” A Google spokesperson could not be reached for comment by SCMagazine.com.
This article originally appeared at scmagazineus.com
Copyright © SC Magazine, US edition