Android Malware Scanner Falls Short

By | Jun 14, 2012

Bouncer, the Android malware scanner that checks uploaded apps, got bounced itself by security researchers who have found a way to bypass it. Google developed Bouncer to scan apps submitted to Google Play (formerly Android Store). The apps are tested for malicious behavior in an emulated Android environment, but malware can detect the emulation and keep mum.

For the IT community, it is a reminder that Android's flexibility comes at a cost, a relatively wide-open environment. But the factors that limit Bouncer are not particular to Android. Similar limitations could affect the measures Apple uses to protect the App Store and iOS devices. The mobile app environment as a whole poses security challenges due simply to the sheer number of small apps out there.

Sneaking Into the Club

As Lucian Constantin reports at Computerworld, two security researchers have come up with multiple ways to get Android malware past Bouncer. Jon Oberheide and Charlie Miller have reported their findings to Android's security team. There is no indication that malware apps have been slipping past Bouncer--only that it is possible to do so. But the researchers caution that a comprehensive fix may be hard to come by.

Bouncer, like other mobile-app security scanners, operates by running apps in an Android emulator running on another machine. The app's behavior can then be safely tested and monitored.

The catch is that emulated environments have characteristics that a malware app can detect and "fingerprint." The malware can then avoid detection by suppressing its malicious exploits when run in the emulator. Only when run in an actual Android device does the malware go active.

False Positives

The largely unrestricted Android ecosystem undoubtedly makes such tricks somewhat easier, as compared to the "walled garden" of the Apple App Store. Android apps generally receive less scrutiny than do iOS apps.

But the underlying problem is inherent in the mobile-app ecosystem, specifically the enormous number of apps being offered to casual users. In testing candidate apps, scanners such as Bouncer need to be calibrated so as to avoid generating large numbers of "false positives"--malware red flags for apps that are in fact innocent.

Too many false positives and resulting rejections of legitimate apps would dissuade developers. But calibrating to avoid false positives will inevitably let some malware slip through.
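The trade-off described above can be made concrete with a small calibration exercise. The following is an added example, not code from the original post and not anything Google has published about Bouncer: it assumes a hypothetical scanner that assigns each submitted app a suspicion score, uses constructed score lists for benign and malicious apps, and picks the rejection threshold that keeps the false-positive rate within a given budget. Lowering that budget (fewer legitimate apps rejected) visibly lowers the detection rate (more malware slips through).

```python
"""Threshold calibration for an app-store scanner (added example, constructed data)."""
from dataclasses import dataclass

# Constructed suspicion scores (0.0 = clean, 1.0 = certainly malicious) that a
# hypothetical scanner might assign. These values are made up for illustration.
BENIGN_SCORES = [0.05, 0.10, 0.12, 0.20, 0.25, 0.30, 0.35, 0.42, 0.55, 0.70]
MALWARE_SCORES = [0.38, 0.45, 0.60, 0.72, 0.85, 0.90]


@dataclass(frozen=True)
class Outcome:
    threshold: float
    false_positive_rate: float  # share of legitimate apps wrongly rejected
    detection_rate: float       # share of malicious apps correctly rejected


def evaluate(threshold, benign=BENIGN_SCORES, malware=MALWARE_SCORES):
    """Reject every app scoring at or above `threshold`; report both error rates."""
    false_positives = sum(1 for s in benign if s >= threshold)
    true_positives = sum(1 for s in malware if s >= threshold)
    return Outcome(threshold,
                   false_positives / len(benign),
                   true_positives / len(malware))


def calibrate(max_false_positive_rate, benign=BENIGN_SCORES, malware=MALWARE_SCORES):
    """Lowest threshold whose false-positive rate stays within the budget.

    Scanning thresholds from low to high means we stop at the most aggressive
    setting the budget allows, which maximises detection for that budget.
    """
    candidates = sorted(set(benign) | set(malware))
    for t in candidates:
        outcome = evaluate(t, benign, malware)
        if outcome.false_positive_rate <= max_false_positive_rate:
            return outcome
    # No candidate threshold satisfies the budget: reject nothing at all.
    return evaluate(max(candidates) + 1e-9, benign, malware)


def tradeoff_table(budgets, benign=BENIGN_SCORES, malware=MALWARE_SCORES):
    """One calibrated outcome per false-positive budget, in the order given."""
    return [calibrate(b, benign, malware) for b in budgets]


if __name__ == "__main__":
    print("FP budget  threshold  FP rate  detection  missed malware")
    for budget, out in zip([0.0, 0.1, 0.3], tradeoff_table([0.0, 0.1, 0.3])):
        print(f"{budget:>9.2f}  {out.threshold:>9.2f}  {out.false_positive_rate:>7.2f}"
              f"  {out.detection_rate:>9.2f}  {1 - out.detection_rate:>14.2f}")
```

With the constructed scores, a zero-false-positive policy forces the threshold up to 0.72 and misses half of the malware, a 10% budget detects two thirds of it, and only a 30% budget (three in ten legitimate apps rejected) catches everything. The store operator has to choose a point on that curve; no threshold gives both.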

For IT managers at midsized firms, this is one more reason to be wary of bring-your-own-device (BYOD), allowing the mobile app ecosystem to gain a foothold in IT. But this seems unavoidable, and IT will have to use its own layers of protection to guard against malicious mobile apps.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
