Charlie Miller and I will be presenting on Android’s Bouncer this week at the SummerCon conference and demonstrating how Bouncer can be bypassed to slip malicious apps into the Android Market. This screencast shows our submitted app handing us a connect-back shell on the Bouncer infrastructure so that we can explore and fingerprint its environment.

While Bouncer may be unable to catch sophisticated malware from knowledgeable adversaries currently, we’re confident that Google will continue to improve and evolve its capabilities. We’ve been in touch with the Android security team and will be working with them to address some of the problems we’ve discovered.

We hope you’ll be able to make it out to SummerCon to see our presentation live! Feel free to comment below if you have any questions about the video or our presentation.

Transcript

Hey everyone, Jon Oberheide here, with some more mobile security fun. My esteemed colleague, Dr. Charles Miller, and I will be presenting later this week at the SummerCon conference out in New York City, so we wanted to give you guys a quick preview of what we’ll be covering in our talk. The main topic of the presentation is Android’s Bouncer. Bouncer is a system Google recently put in place to prevent malicious apps from getting into the Android Market. While it shouldn’t be a big surprise that Bouncer can be bypassed, we’ll show quite a few ways one can do so. So in this quick screencast, we wanted to demonstrate one of those ways. So in this screencast, we’re going to submit an application to the Android Market and get a connect-back shell on the Bouncer instance when it attempts its runtime dynamic analysis of our mobile application. This allows us to explore the Bouncer environment with an interactive remote shell. So first, we’re going to upload our new malicious APK to the Android Market, using one of our fake Android Market accounts. We’ll fast forward about five minutes to avoid boring you to death waiting for the connect-back. We received the callback and now have a remote interactive shell running on the emulated Android device hosted by Bouncer. We can poke around the system using our shell to look for interesting attributes of the Bouncer environment such as the version of the kernel its running, the contents of the filesystem, or information about some of the devices emulated by the Bouncer environment. If we look in the /sys directory, we immediately notice the qemu_trace directory, exposing the fact that our app is running within Bouncer’s qemu-based emulated environment. So this is just one technique to fingerprint the Bouncer environment, allowing a malicious app to appear benign when run within Bouncer, and yet still perform malicious activities when run on a real user’s device. Of course our presentation will cover this in much more detail so we hope that you’ll make it out to SummerCon this week in New York City. If you can’t make it out we’ll likely be posting the full presentation materials soon after the event. And last but not least, there will be pinatas!
@jonoberheide

Jon Oberheide
Co-Founder and CTO

Jon is the co-founder and CTO of Duo Security, responsible for leading product vision and the Duo Labs advanced research team. Before starting Duo, Jon was a self-loathing academic, completing his PhD at the University of Michigan in the realm of cloud security. In a prior life, Jon enjoyed offensive security research and generally hacking the planet. Jon was recently named to Forbes "30 under 30" list for his mobile security hijinks.

Categories

Free Guide

Duo Securitys Guide to Securing Patient Data

With a significant rise in healthcare-related criminal attacks, the need for a new approach to securing patient data is greater than ever.

Tags

phishing (16)  two-factor-authentication (15)  passwords (13)  healthcare security (12)  cloud security (8)  malware (7)  financial data breach (6)  ooba (6)  federal cybersecurity (5)  financial institutions (5)  transaction-level 2fa (5)  stolen-passwords (5)  atms (5)  2fa (5)  retail data breaches (5)  security news (5)  encryption (5)  webinar (5)  pci dss (4)  healthcare cybersecurity (4)  data breaches (4)  data breach notification (4)  banking security (4)  hipaa (4)  retail (4)  stolen credentials (4)  bank security (4)  healthit (4)  otp bypass (3)  twitter (3)  e-prescriptions (3)  pos malware (3)  defense in depth (3)  anthem (3)  home depot (3)  hipaa security rule (3)  manufacturing security (3)  critical infrastructure security (3)  two-factor (3)  strong-authentication (3)  remote access security (3)  medical devices (3)  iot security (3)  health it (3)  third-party security (3)  target (3)  retail ebook (3)  vulnerability (3)  mobile security (3)  rig exploit kit (3) 

Duo is hiring!

View our open positions

Follow Us

Subscribe to our Newsletter

Get product updates, interesting content, and invitations to online and live events.