You may or may not have heard of a security tool Google deployed to Google Play (formerly Android Market) to detect and remove apps with malicious code. The tool is called Google Bouncer. Google implemented Bouncer back in February of this year.
Well, this week at Black Hat, the world's biggest hacker convention, in Las Vegas, Nevada, a security firm called Trustwave will be demonstrating how they were able to circumvent Google Bouncer using a masking technique.
Trustwave proved to itself that its masking technique could get past Bouncer's detection by getting a malicious app it created into Google Play earlier this year, says Nicholas Percoco, senior vice president and head of Trustwave's SpiderLabs advanced security team. "We wanted to test the bounds of what it's capable of," he says, describing how Trustwave as a registered Android developer created an app called "SMS Blocker." When downloaded to a smartphone, the app would be able to steal contacts, SMS messages and photos, and basically know anything about the device. The app could also make the phone go to arbitrary Web pages or launch a denial-of-service attack. He says: "Google never flagged it."
Scary news for people already worried about malicious apps on the Android platform. It just goes to show you that nothing is bulletproof, and people need to be careful about the apps they download.
[Via Tech World]