Search for blog posts, documentation, or pages

Charlie Miller and I will be presenting on Android’s Bouncer this week at the SummerCon conference and demonstrating how Bouncer can be bypassed to slip malicious apps into the Android Market. This screencast shows our submitted app handing us a connect-back shell on the Bouncer infrastructure so that we can explore and fingerprint its environment.

While Bouncer may be unable to catch sophisticated malware from knowledgeable adversaries currently, we’re confident that Google will continue to improve and evolve its capabilities. We’ve been in touch with the Android security team and will be working with them to address some of the problems we’ve discovered.

We hope you’ll be able to make it out to SummerCon to see our presentation live! Feel free to comment below if you have any questions about the video or our presentation.

Transcript

Hey everyone, Jon Oberheide here, with some more mobile security fun. My esteemed colleague, Dr. Charles Miller, and I will be presenting later this week at the SummerCon conference out in New York City, so we wanted to give you guys a quick preview of what we’ll be covering in our talk. The main topic of the presentation is Android’s Bouncer. Bouncer is a system Google recently put in place to prevent malicious apps from getting into the Android Market. While it shouldn’t be a big surprise that Bouncer can be bypassed, we’ll show quite a few ways one can do so. So in this quick screencast, we wanted to demonstrate one of those ways. So in this screencast, we’re going to submit an application to the Android Market and get a connect-back shell on the Bouncer instance when it attempts its runtime dynamic analysis of our mobile application. This allows us to explore the Bouncer environment with an interactive remote shell. So first, we’re going to upload our new malicious APK to the Android Market, using one of our fake Android Market accounts. We’ll fast forward about five minutes to avoid boring you to death waiting for the connect-back. We received the callback and now have a remote interactive shell running on the emulated Android device hosted by Bouncer. We can poke around the system using our shell to look for interesting attributes of the Bouncer environment such as the version of the kernel its running, the contents of the filesystem, or information about some of the devices emulated by the Bouncer environment. If we look in the /sys directory, we immediately notice the qemu_trace directory, exposing the fact that our app is running within Bouncer’s qemu-based emulated environment. So this is just one technique to fingerprint the Bouncer environment, allowing a malicious app to appear benign when run within Bouncer, and yet still perform malicious activities when run on a real user’s device. Of course our presentation will cover this in much more detail so we hope that you’ll make it out to SummerCon this week in New York City. If you can’t make it out we’ll likely be posting the full presentation materials soon after the event. And last but not least, there will be pinatas!
@jonoberheide

Jon Oberheide
Co-Founder and CTO

Jon is the co-founder and CTO of Duo Security, responsible for leading product vision and the Duo Labs advanced research team. Before starting Duo, Jon was a self-loathing academic, completing his PhD at the University of Michigan in the realm of cloud security. In a prior life, Jon enjoyed offensive security research and generally hacking the planet. Jon was recently named to Forbes "30 under 30" list for his mobile security hijinks.

Categories

Free Guide

Security for an Age of Zero Trust

Think your organization is ready for the cloud and decentralized security? Download this white paper to learn why you may not be.

Tags

phishing (20)  security news (17)  healthcare security (15)  two-factor-authentication (15)  passwords (15)  weekly ink (13)  federal cybersecurity (10)  malware (10)  cloud security (9)  infosec-evolution (9)  banking security (8)  rsac2015 (8)  retail data breaches (8)  stolen-passwords (7)  data breaches (7)  financial data breach (7)  duo mobile (7)  financial institutions (6)  2fa (6)  stolen credentials (6)  pci dss (6)  ooba (6)  webinar (5)  encryption (5)  transaction-level 2fa (5)  mobile security (5)  atms (5)  remote access security (5)  vulnerability (4)  financial data security (4)  security threats (4)  medical identity theft (4)  retail data security (4)  bank security (4)  healthit (4)  hipaa (4)  remote access attacks (4)  data breach notification (4)  retail (4)  2-factor-authentication (4)  platform edition (4)  pos malware (4)  rig exploit kit (4)  defcon-23 (4)  healthcare cybersecurity (4)  google (4)  blackhat 2015 (4)  third-party security (4)  security research (3)  duo-security-summit (3)  defense in depth (3)  e-prescriptions (3)  home depot (3)  anthem (3)  defcon (3)  otp bypass (3)  payment card breach (3)  media security (3)  critical infrastructure security (3)  law firm security (3)  ffiec (3)  twitter (3)  retail data risks (3)  car security (3)  ssl (3)  manufacturing security (3)  retail ebook (3)  health it (3)  iot security (3)  uk security (3)  end-user authentication (3)  target (3)  social engineering (3)  hipaa security rule (3)  higher education (3)  two-factor (3)  dyre trojan (3)  strong-authentication (3) 

Duo is hiring!

View our open positions

Subscribe to our Newsletter

Get product updates, interesting content, and invitations to online and live events.