
Charlie Miller and I will be presenting on Android’s Bouncer this week at the SummerCon conference and demonstrating how Bouncer can be bypassed to slip malicious apps into the Android Market. This screencast shows our submitted app handing us a connect-back shell on the Bouncer infrastructure so that we can explore and fingerprint its environment.

While Bouncer may be unable to catch sophisticated malware from knowledgeable adversaries currently, we’re confident that Google will continue to improve and evolve its capabilities. We’ve been in touch with the Android security team and will be working with them to address some of the problems we’ve discovered.

We hope you’ll be able to make it out to SummerCon to see our presentation live! Feel free to comment below if you have any questions about the video or our presentation.


Hey everyone, Jon Oberheide here, with some more mobile security fun. My esteemed colleague, Dr. Charles Miller, and I will be presenting later this week at the SummerCon conference out in New York City, so we wanted to give you guys a quick preview of what we’ll be covering in our talk. The main topic of the presentation is Android’s Bouncer. Bouncer is a system Google recently put in place to prevent malicious apps from getting into the Android Market. While it shouldn’t be a big surprise that Bouncer can be bypassed, we’ll show quite a few ways one can do so.

In this screencast, we wanted to demonstrate one of those ways: we’re going to submit an application to the Android Market and get a connect-back shell on the Bouncer instance when it attempts its runtime dynamic analysis of our mobile application. This allows us to explore the Bouncer environment with an interactive remote shell.

First, we upload our new malicious APK to the Android Market using one of our fake Android Market accounts. We’ll fast forward about five minutes to avoid boring you to death waiting for the connect-back. We received the callback and now have a remote interactive shell running on the emulated Android device hosted by Bouncer.

We can poke around the system using our shell to look for interesting attributes of the Bouncer environment, such as the version of the kernel it’s running, the contents of the filesystem, or information about some of the devices emulated by the Bouncer environment. If we look in the /sys directory, we immediately notice the qemu_trace directory, exposing the fact that our app is running within Bouncer’s qemu-based emulated environment. This is just one technique to fingerprint the Bouncer environment, allowing a malicious app to appear benign when run within Bouncer and yet still perform malicious activities when run on a real user’s device.
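For an app-store or sandbox operator, the practical lesson of the screencast is that an app which looks for emulator artifacts may behave differently under analysis than on a real device, so its dynamic-analysis verdict deserves less trust. The following is an added triage example, not code from this post or from Duo; it scans the strings pulled from a decoded APK (a constructed, hypothetical sample) for emulator-fingerprinting indicators. The `/sys/qemu_trace` path comes from the post above; `ro.kernel.qemu` and `goldfish` are well-known Android emulator markers added from general knowledge, and the function names and sample strings are assumptions.

```python
import re
from typing import Dict, Iterable, List

# Indicators that an app is probing for an emulated analysis environment.
# "/sys/qemu_trace" is the sysfs directory called out in the screencast;
# "ro.kernel.qemu" (the emulator's kernel command-line property) and
# "goldfish" (the emulator's virtual board/kernel name) are well-known
# Android emulator markers included here from general knowledge, not from the post.
EMULATOR_INDICATORS: Dict[str, re.Pattern] = {
    "qemu_trace sysfs directory": re.compile(r"/sys/qemu_trace"),
    "qemu kernel property": re.compile(r"ro\.kernel\.qemu"),
    "goldfish virtual hardware": re.compile(r"goldfish", re.IGNORECASE),
}

# Constructed sample: strings as they might be extracted from a decoded APK
# (hypothetical app; not taken from any real submission).
SAMPLE_APK_STRINGS = [
    "Lcom/example/app/MainActivity;",
    "/sys/qemu_trace",
    "ro.kernel.qemu",
    "Settings saved",
    "https://api.example.invalid/v1/sync",
]


def find_emulator_checks(strings: Iterable[str]) -> Dict[str, List[str]]:
    """Map each matched indicator name to the app strings that triggered it."""
    hits: Dict[str, List[str]] = {}
    for s in strings:
        for name, pattern in EMULATOR_INDICATORS.items():
            if pattern.search(s):
                hits.setdefault(name, []).append(s)
    return hits


def triage_verdict(hits: Dict[str, List[str]]) -> str:
    """Summarise for a reviewer what the indicator hits mean."""
    if not hits:
        return "no emulator-fingerprinting strings found"
    return (
        f"{len(hits)} emulator-fingerprinting indicator(s) found; "
        "dynamic-analysis results for this app may not reflect real-device behaviour"
    )


if __name__ == "__main__":
    found = find_emulator_checks(SAMPLE_APK_STRINGS)
    for name, matched in found.items():
        print(f"[{name}] {', '.join(matched)}")
    print(triage_verdict(found))
```

A clean scan is not proof of honest behaviour: an app can build these paths at runtime or obfuscate them, so string matching is a cheap first filter that should route flagged submissions to closer review rather than replace dynamic analysis. The complementary fix on the sandbox side is to remove or mask such artifacts so the emulated environment is harder to distinguish from a real device.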
Of course, our presentation will cover this in much more detail, so we hope that you’ll make it out to SummerCon this week in New York City. If you can’t make it, we’ll likely be posting the full presentation materials soon after the event. And last but not least, there will be piñatas!

Jon Oberheide
Co-Founder and CTO

Jon is the co-founder and CTO of Duo Security, responsible for leading product vision and the Duo Labs advanced research team. Before starting Duo, Jon was a self-loathing academic, completing his PhD at the University of Michigan in the realm of cloud security. In a prior life, Jon enjoyed offensive security research and generally hacking the planet. Jon was recently named to Forbes "30 under 30" list for his mobile security hijinks.



