Search for blog posts, documentation, or pages

Charlie Miller and I will be presenting on Android’s Bouncer this week at the SummerCon conference and demonstrating how Bouncer can be bypassed to slip malicious apps into the Android Market. This screencast shows our submitted app handing us a connect-back shell on the Bouncer infrastructure so that we can explore and fingerprint its environment.

While Bouncer may be unable to catch sophisticated malware from knowledgeable adversaries currently, we’re confident that Google will continue to improve and evolve its capabilities. We’ve been in touch with the Android security team and will be working with them to address some of the problems we’ve discovered.

We hope you’ll be able to make it out to SummerCon to see our presentation live! Feel free to comment below if you have any questions about the video or our presentation.


Hey everyone, Jon Oberheide here, with some more mobile security fun. My esteemed colleague, Dr. Charles Miller, and I will be presenting later this week at the SummerCon conference out in New York City, so we wanted to give you guys a quick preview of what we’ll be covering in our talk. The main topic of the presentation is Android’s Bouncer. Bouncer is a system Google recently put in place to prevent malicious apps from getting into the Android Market. While it shouldn’t be a big surprise that Bouncer can be bypassed, we’ll show quite a few ways one can do so. So in this quick screencast, we wanted to demonstrate one of those ways. So in this screencast, we’re going to submit an application to the Android Market and get a connect-back shell on the Bouncer instance when it attempts its runtime dynamic analysis of our mobile application. This allows us to explore the Bouncer environment with an interactive remote shell. So first, we’re going to upload our new malicious APK to the Android Market, using one of our fake Android Market accounts. We’ll fast forward about five minutes to avoid boring you to death waiting for the connect-back. We received the callback and now have a remote interactive shell running on the emulated Android device hosted by Bouncer. We can poke around the system using our shell to look for interesting attributes of the Bouncer environment such as the version of the kernel its running, the contents of the filesystem, or information about some of the devices emulated by the Bouncer environment. If we look in the /sys directory, we immediately notice the qemu_trace directory, exposing the fact that our app is running within Bouncer’s qemu-based emulated environment. So this is just one technique to fingerprint the Bouncer environment, allowing a malicious app to appear benign when run within Bouncer, and yet still perform malicious activities when run on a real user’s device. Of course our presentation will cover this in much more detail so we hope that you’ll make it out to SummerCon this week in New York City. If you can’t make it out we’ll likely be posting the full presentation materials soon after the event. And last but not least, there will be pinatas!

Jon Oberheide
Co-Founder and CTO

Jon is the co-founder and CTO of Duo Security, responsible for leading product vision and the Duo Labs advanced research team. Before starting Duo, Jon was a self-loathing academic, completing his PhD at the University of Michigan in the realm of cloud security. In a prior life, Jon enjoyed offensive security research and generally hacking the planet. Jon was recently named to Forbes "30 under 30" list for his mobile security hijinks.


Free Guide

Two-Factor Authentication Evaluation Guide

This guide walks through some of the key areas of differentiation between two-factor authentication solutions and provides some concrete criteria for evaluating technologies and vendors.


phishing (20)  two-factor-authentication (18)  security news (17)  healthcare security (16)  passwords (15)  weekly ink (13)  cloud security (11)  mobile security (10)  federal cybersecurity (10)  malware (10)  infosec-evolution (9)  duo mobile (8)  retail data breaches (8)  rsac2015 (8)  banking security (8)  financial data breach (7)  stolen-passwords (7)  data breaches (7)  2fa (6)  pci dss (6)  stolen credentials (6)  financial institutions (6)  ooba (6)  webinar (5)  remote access security (5)  transaction-level 2fa (5)  atms (5)  encryption (5)  healthcare cybersecurity (5)  healthit (5)  platform edition (5)  ios security (5)  defcon-23 (4)  remote access attacks (4)  bank security (4)  data breach notification (4)  pos malware (4)  higher education (4)  blackhat 2015 (4)  google (4)  financial data security (4)  vulnerability (4)  medical identity theft (4)  rig exploit kit (4)  retail data security (4)  hipaa (4)  endpoint security (4)  third-party security (4)  retail (4)  2-factor-authentication (4)  security threats (4)  uk security (4)  defense in depth (3)  media security (3)  ffiec (3)  payment card breach (3)  health it (3)  out of band authentication (3)  law firm security (3)  ios (3)  retail data risks (3)  e-prescriptions (3)  otp bypass (3)  ssl (3)  car security (3)  security research (3)  critical infrastructure security (3)  dyre trojan (3)  end-user authentication (3)  strong-authentication (3)  iot security (3)  ehr (3)  target (3)  social engineering (3)  anthem (3)  defcon (3)  byod (3)  retail ebook (3)  manufacturing security (3)  home depot (3)  healthcare data breach (3)  duo-security-summit (3)  two-factor (3)  twitter (3)  hipaa security rule (3) 

Duo is hiring!

View our open positions

Subscribe to our Newsletter

Get product updates, interesting content, and invitations to online and live events.