Charlie Miller and I will be presenting on Android’s Bouncer this week at the SummerCon conference and demonstrating how Bouncer can be bypassed to slip malicious apps into the Android Market. This screencast shows our submitted app handing us a connect-back shell on the Bouncer infrastructure so that we can explore and fingerprint its environment.

While Bouncer may be unable to catch sophisticated malware from knowledgeable adversaries currently, we’re confident that Google will continue to improve and evolve its capabilities. We’ve been in touch with the Android security team and will be working with them to address some of the problems we’ve discovered.

We hope you’ll be able to make it out to SummerCon to see our presentation live! Feel free to comment below if you have any questions about the video or our presentation.

Transcript

Hey everyone, Jon Oberheide here, with some more mobile security fun. My esteemed colleague, Dr. Charles Miller, and I will be presenting later this week at the SummerCon conference out in New York City, so we wanted to give you guys a quick preview of what we’ll be covering in our talk. The main topic of the presentation is Android’s Bouncer. Bouncer is a system Google recently put in place to prevent malicious apps from getting into the Android Market. While it shouldn’t be a big surprise that Bouncer can be bypassed, we’ll show quite a few ways one can do so. So in this quick screencast, we wanted to demonstrate one of those ways. So in this screencast, we’re going to submit an application to the Android Market and get a connect-back shell on the Bouncer instance when it attempts its runtime dynamic analysis of our mobile application. This allows us to explore the Bouncer environment with an interactive remote shell. So first, we’re going to upload our new malicious APK to the Android Market, using one of our fake Android Market accounts. We’ll fast forward about five minutes to avoid boring you to death waiting for the connect-back. We received the callback and now have a remote interactive shell running on the emulated Android device hosted by Bouncer. We can poke around the system using our shell to look for interesting attributes of the Bouncer environment such as the version of the kernel its running, the contents of the filesystem, or information about some of the devices emulated by the Bouncer environment. If we look in the /sys directory, we immediately notice the qemu_trace directory, exposing the fact that our app is running within Bouncer’s qemu-based emulated environment. So this is just one technique to fingerprint the Bouncer environment, allowing a malicious app to appear benign when run within Bouncer, and yet still perform malicious activities when run on a real user’s device. Of course our presentation will cover this in much more detail so we hope that you’ll make it out to SummerCon this week in New York City. If you can’t make it out we’ll likely be posting the full presentation materials soon after the event. And last but not least, there will be pinatas!
@jonoberheide

Jon Oberheide
Co-Founder and CTO

Jon is the co-founder and CTO of Duo Security, responsible for leading product vision and the Duo Labs advanced research team. Before starting Duo, Jon was a self-loathing academic, completing his PhD at the University of Michigan in the realm of cloud security. In a prior life, Jon enjoyed offensive security research and generally hacking the planet. Jon was recently named to Forbes "30 under 30" list for his mobile security hijinks.

Categories

Free Guide

Ebook: A Modern Guide to Retail Data Risks

Avoiding Catastrophic Data Breaches in the Retail Industry

Tags

phishing (16)  two-factor-authentication (15)  passwords (13)  healthcare security (12)  infosec-evolution (9)  cloud security (8)  security news (8)  malware (7)  banking security (7)  financial data breach (6)  ooba (6)  financial institutions (6)  atms (5)  retail data breaches (5)  federal cybersecurity (5)  encryption (5)  2fa (5)  transaction-level 2fa (5)  stolen credentials (5)  webinar (5)  stolen-passwords (5)  retail (4)  healthcare cybersecurity (4)  data breaches (4)  bank security (4)  pci dss (4)  data breach notification (4)  weekly ink (4)  healthit (4)  hipaa (4)  health it (3)  target (3)  rig exploit kit (3)  anthem (3)  strong-authentication (3)  otp bypass (3)  critical infrastructure security (3)  third-party security (3)  vulnerability (3)  twitter (3)  medical devices (3)  defense in depth (3)  manufacturing security (3)  retail ebook (3)  home depot (3)  remote access security (3)  two-factor (3)  pos malware (3)  iot security (3)  mobile security (3)  e-prescriptions (3)  hipaa security rule (3) 

Duo is hiring!

View our open positions

Follow Us

Subscribe to our Newsletter

Get product updates, interesting content, and invitations to online and live events.