Trustwave’s SpiderLabs To Expose Holes In Android’s Bouncer At Tomorrow’s Black Hat Conference

I smell a FUD storm a brewin’ and I’m sure Apple blogs will be foaming at the mouths in the next 24 hours. According to the security research firm SpiderLabs, they were able to submit an SMS app to the Google Play Store and then update it incrementally to turn it malicious without triggering Bouncer: Android’s malware detection system.

While it’s certainly important to expose any holes or exploits that do in fact exist, we must also be wary of those looking only to spread, well… fear, uncertainty, and doubt. According to SpiderLabs, they were able to submit a legitimate SMS blocking app and then update it 11 times in order to slowly add malicious functionality via a cloaking method.

“We used a technique that allowed us to pull a blindfold over Bouncer,” – Nicholas Percoco, head of Trustwave’s SpiderLabs.

Once fully updated, the app was capable of various malicious activities, according to Nicholas Percoco:

“The last version we had in the store allowed us to steal all end user photos, contacts, phone records, SMS messages, and we can hijack a person’s device” and direct the device to visit a malicious Web site, Percoco said. “The last functionality in there allowed us to define a location for the mobile device to go and launch a DDoS against a target.”

Percoco is saving most of the juicy details for tomorrow’s Black Hat security conference, and while I can’t wait to see what he reveals, I already have multiple issues with his claims.

First off, he bases his entire research on an app that was only downloaded onto one of their test devices. No one other than the researchers over at SpiderLabs downloaded this app, and it was in fact pulled from the Play Store after they supposedly removed the cloaking method.

So basically they uploaded an app, were the only ones out of the millions of Android users to download it (apparently due to the high price they were charging for it), updated it 11 times to add malicious functionality via a cloaking method, stole their own test device’s information, and eventually had it flagged and removed from the Play Store by Google.

In a real world situation, users would have had to download this legitimate app, then agree to 11 updates (which would all have had to be labeled as bug fixes, since no new functionality was added to the app), and after a few devices became affected, Google would have caught on and pulled the app.
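The weak spot the article describes is that each update looks harmless on its own; it is the accumulation across "bug fix" releases that turns a benign app malicious. The check below is an added example written for this post, not SpiderLabs' tooling or anything Google's Bouncer actually does, and it assumes a release history with declared permissions and changelog text (the permission list, the bug-fix phrases and the sample history are all constructed here). It compares every update with its predecessor and with the first release, flagging sensitive capabilities gained under a bug-fix changelog and an overall escalation that no single step would reveal.

```python
"""Flag apps whose successive updates quietly accumulate sensitive capabilities."""
import re
from dataclasses import dataclass

# Constructed for this example: permissions a reviewer would treat as sensitive.
SENSITIVE = frozenset({
    "READ_CONTACTS", "READ_CALL_LOG", "READ_EXTERNAL_STORAGE",
    "READ_SMS", "SEND_SMS", "INTERNET", "RECEIVE_BOOT_COMPLETED",
})

# Constructed patterns for release notes that claim no functional change.
BUGFIX_RE = re.compile(r"\b(bug ?fix(es)?|stability|performance|minor)\b", re.I)


@dataclass(frozen=True)
class Release:
    version: int
    permissions: frozenset
    changelog: str


def looks_like_bugfix(changelog: str) -> bool:
    """True when the release notes only promise fixes, not new features."""
    return bool(BUGFIX_RE.search(changelog))


def capability_drift(releases, max_quiet_gain: int = 2):
    """Compare each update with its predecessor and with the first release.

    Returns a dict with:
      per_update: (version, gained permissions) for updates that gained a
                  sensitive permission while the changelog claims bug fixes only
      cumulative: sensitive permissions gained since the first release
      escalation: True if the cumulative gain exceeds max_quiet_gain, i.e. the
                  app drifted further than any single update suggested
    """
    ordered = sorted(releases, key=lambda r: r.version)
    baseline = ordered[0].permissions
    per_update = []
    prev = baseline
    for rel in ordered[1:]:
        gained = (rel.permissions - prev) & SENSITIVE
        if gained and looks_like_bugfix(rel.changelog):
            per_update.append((rel.version, tuple(sorted(gained))))
        prev = rel.permissions
    cumulative = (ordered[-1].permissions - baseline) & SENSITIVE
    return {
        "per_update": per_update,
        "cumulative": sorted(cumulative),
        "escalation": len(cumulative) > max_quiet_gain,
    }


def sample_releases():
    """Constructed release history modelled on the article's description:
    an SMS blocker that gains one sensitive permission per 'bug fix' update."""
    base = frozenset({"RECEIVE_SMS", "READ_SMS"})
    history = [Release(1, base, "Initial release: blocks unwanted SMS")]
    steps = [
        ("READ_CONTACTS", "Bug fixes"),
        ("INTERNET", "Stability improvements"),
        ("READ_EXTERNAL_STORAGE", "Minor bug fixes"),
        ("READ_CALL_LOG", "Performance tweaks"),
        ("RECEIVE_BOOT_COMPLETED", "Bug fix"),
    ]
    perms = set(base)
    for version, (perm, note) in enumerate(steps, start=2):
        perms.add(perm)
        history.append(Release(version, frozenset(perms), note))
    return history


if __name__ == "__main__":
    report = capability_drift(sample_releases())
    for version, gained in report["per_update"]:
        print(f"v{version}: gained {', '.join(gained)} under a bug-fix changelog")
    print("cumulative sensitive gain:", report["cumulative"])
    print("escalation:", report["escalation"])
```

Per-update review alone sees one extra permission at a time; the cumulative comparison against the first release is what catches the slow build-up the post describes, which is the kind of check a store-side scanner needs in addition to scanning each submission in isolation.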

So what are we really looking at? If all claims are true, we’re looking at Google needing to fix a hole in their Bouncer system that could have possibly allowed for a low percentage of Android users to temporarily become infected with malware.

I’m betting this molehill becomes a mountain tomorrow, and while I do take security risks seriously, we must also come to the reality that no system is impervious to attacks, and this latest breach certainly doesn’t have me running for the hills. I feel completely safe using Android and have never had an issue with malware or security in the 3+ years I’ve been using Android.

If said hole exists in Google’s Bouncer system, I’m thankful to SpiderLabs for exposing it and providing the information needed for Google to patch it. Unfortunately, I know this is going to turn into a FUD campaign against Android, when the truth of the matter is that Google is doing a superb job at keeping malware out of the Play Store and off our devices.

So, it is what it is, and we’ll surely be hearing more about it tomorrow.