Founder of Ann Arbor company Duo Security outwits Google's Bouncer program
There is a war within the world of technology. Internet security teams, hackers, and developers of malicious software ("malware") have been duking it out ever since the Internet was in its developmental stages.
Some cyber battles are waged between countries, as has been seen in the news recently with the Flame and Stuxnet viruses. Others are designed to target consumers. They generally infect computers, stealing information, sending false emails, or causing malfunctions, even complete shutdowns.
And they affect smartphones.
Bouncer was designed to screen applications by virtually "running" them to determine if they showed signs of attempting to steal or manipulate information.
"This is not just a problem with Google, it's not just a problem with phones, this is a problem that we have across all fields of malware analysis," said Jon Oberheide, co-founder and Chief Technical Officer of Ann Arbor-based Duo Security.
"Bouncer is sort of like a gatekeeper. If it catches an app behaving badly it can simply bounce it out before it gets to the market."
Rather than running the application on a physical phone, Bouncer simply mimics on a computer what the application would experience if it were run on a phone. However, like most knock-offs, Bouncer’s imitation is not perfect.
Angela Cesere | AnnArbor.com
During the Bouncer "test," the software would function normally. However, when it was run on a real phone, the software could attack.
Oberheide presented his findings with Miller at the SummerCon technology conference on Friday in New York City. The pair showed the conference how they were able to design malware that "hacked" Bouncer.
"The fact that we were able to bypass Bouncer is not a huge surprise to those in the field. Fighting malware is a never-ending battle," Oberheide said. "Google will continue to improve their defenses and virus developers will continue to try to find their way around it."
Google has a vulnerability bounty program to pay security experts for exposing problems with its code. Android is not currently within the scope of the reward program, so Oberheide and Miller will not be directly compensated for their findings. The publicity created by their findings, however, certainly helps.
"Publicity generated by our technical research is a boon to the company," Oberheide said. "People discover Duo through our thought leadership in the security space and put trust in our ability [to secure their systems]."
Duo Security helps companies use mobile phones for transaction verification in order to make Internet and cloud-based data more secure. The company has grown rapidly in the past few months after a $5 million Series A investment led by Google Ventures in late February.
Malware can infect a smartphone as easily as a computer - sometimes more so. Programs can try to steal identities by taking sensitive information from phones including email passwords, banking information, or other stored personal information. They can also surreptitiously cause a phone to dial "premium" (or 1-900) numbers, with the price for the calls appearing on the monthly bill, and the money going directly to the makers of the software.
According to Oberheide, the likelihood of a regular smartphone user downloading malware is fairly low, as long as simple precautions are taken.
"If you're just downloading the popular apps for games or email, there's a very slim chance of you downloading malware," he said. "The problems occur when people just download anything and everything, or when you download programs from links in emails."
Below is a video in which Oberheide explains the methods he used to hack Bouncer. Warning: if you do not understand "techspeak" it might be over your head.