Google's announcement in February of its Bouncer tool for the Android Market was like a dare to the security research community. Who would break or bypass it first?
Everything we're doing is legitimate and allowed by Google from a developer standpoint. This is an oversight in their security they're applying to applications being approved.
Nicholas Percoco,
head of Trustwave SpiderLabs
Bouncer is a malware scanner that checks Android app security for existing applications, new apps submitted for inclusion into the app store, and apps on developer accounts. It didn't take long for researchers' curiosity to be piqued about the tool, and in short order, Bouncer fell. At the recent SummerCon, researchers Charlie Miller and Jon Oberheide demonstrated a technique where they were able to bypass Bouncer's scanning capabilities and successfully place malicious apps into the market which has since been renamed Google Play.
The assault on Bouncer will continue next week at Black Hat 2012 where two researchers from Trustwave will describe how they were able to bypass Bouncer with a malicious app without hacking into the tool.
Android, written on Linux, is open source and a favorite target of attackers and researchers; this week, Trend Micro reported there were 25,000 malware samples in the wild targeting Android. Couple its open nature with the fact that Android smartphones have the largest market share, according to Gartner numbers released this week (56.1% and 81.1 million devices), and there's plenty of cause for consternation.
Mobile security watchers, in fact, will have all eyes focused on Black Hat where research not only on Android will be showcased, but also Near Field Communication (NFC), baseband hacking, weaknesses in carrier networks and iOS security issues.
The Bouncer talk, however, could prove the most pressing issue for enterprises worried about mobile device security and employees bringing their own devices onto corporate networks. The technique to be described by Trustwave's Nicholas Percoco, head of the company's SpiderLabs research team, and Sean Schulte, developer for Trustwave SSL, will not only affect Google Play, but also private app stores in development by enterprises and government agencies, Percoco said.
"The technique we're going to talk about, even if you were to do a manual or code review, it's likely you would not identify the application as malicious," Percoco said. "We discovered a method we used to bypass the tool and have Bouncer look at an application and think it's benign, but it's really malicious."
Percoco and Schulte began their research shortly after Bouncer was announced. Curious about Bouncer's effectiveness, Percoco said the two built a benign SMS-blocking application that would allow the user to specify a phone number from which to block text messages. The researchers signed up for a developer account with Google, submitted the application for review and had it accepted for inclusion into Google Play. Percoco said they monitored what happened throughout the process and then incrementally added malicious functionality to the application and waited for Google to give the app the boot. Never happened.
"We tried to make the app more malicious over time. The version that was allowed and published had the full capability to steal all photos, contacts, SMS records, phone records and details about the phone," Percoco said. "We had the ability to tell the phone to open webpages we controlled and launch a denial-of-service attack against a site we specified."
Percoco's app had the capability of building a full-fledged mobile botnet; the two also built a command-and-control system to manage any compromised devices, he said.
Percoco said he was the only person to buy and download his application while it was on Google Play. They priced the app at $49.95, an exorbitant price compared to other similar applications available for $2. He said they also monitored activity on the application around the clock, and had it been downloaded, they would have disabled the app.
Percoco said Bouncer is effective at spotting blatantly obvious malicious applications just trying to slip past the automated scanner, but "for the malware writer who sees Bouncer as an obstacle and wants to beat it at its own game, it's beatable," he said.
Percoco said their technique is about beating the gatekeeper at its own game, unlike Miller and Oberheide who tried to get shell access to Bouncer. Miller and Oberheide were able to access Bouncer's innards and learn Bouncer tested applications in a virtual phone, so they designed their mobile app to detect the virtual environment and lie dormant until the testing was done. There were other characteristics common to Bouncer, such as the tool being registered to a particular Gmail account and having stored the same two JPG files.
"We wanted to use all the tools Google supplied to us and did not want to exploit Bouncer to get past it," Percoco said. "Everything we're doing is legitimate and allowed by Google from a developer standpoint. This is an oversight in the security they're applying to applications being approved."
Google has been informed of both Percoco's and Schulte's, and Miller's and Oberheide's research, and acknowledged the issues and promised to improve the tool going forward, Percoco said.
Research on NFC, Baseband processors and iOS security
Miller is on the docket at Black Hat for next week as well, presenting new research on Near Field Communication. Miller's talk will explain a technique where an attacker can compromise an entire device without interaction from a user.
The technique we're going to talk about, even if you were to do a manual or code review, it's likely you would not identify the application as malicious.
Nicholas Percoco,
head of Trustwave SpiderLabs
Black Hat mobile track chairman Vincenzo Iozzo, director of vulnerability intelligence at New York City-based Trail of Bits Inc., said this year's mobile sessions move beyond the security issues common to both the desktop and mobile device. "The idea behind the track is not to focus on application-level stuff; that's been done and we know there are bugs that can be exploited," Iozzo said. "We want to see what's different.â€
Ralf-Philipp Weinmann, research associate at the Interdisciplinary Centre for Security, Reliability and Trust at the University of Luxembourg, will do a talk on baseband attacks, a dangerous new attack vector for mobile devices. Baseband processors, separate from the mobile OS processor, implement the GSM or 3G stack on a device. All phone calls and data first pass through the baseband, which gives the OS processor necessary information to proceed. Iozzo said an attacker compromising the baseband would have a huge advantage because no forensic tools exist for that layer. More interesting still, past exploits required an expensive base station and proximity to a device to succeed; not always a feasible situation. Weinmann's attack can be carried out remotely, Iozzo said.
Collin Mulliner, a researcher at Technische Universitaet Berlin and Deutsche Telekom Laboratories, will present his research on carrier networks and what types of devices and data live on those networks unsecured, such as security cameras and smart grid management interfaces.
"My take for [the track] was that we should really try to change the way we think about mobile," Iozzo said. "I do not like to compare it to a smaller desktop and be worried about exploits, but be more focused on what's unique about mobile that we don't see on the desktop."