Posted on Sat, Jun 9, 2012 : 5:58 a.m.

Founder of Ann Arbor company Duo Security outwits Google's Bouncer program

By Ben Freed

There is a war within the world of technology. Internet security teams, hackers, and developers of malicious software ("malware") have been duking it out ever since the Internet was in its developmental stages.

Some cyber battles are waged between countries, as has been seen in the news recently with the Flame and Stuxnet viruses. Others are designed to target consumers. They generally infect computers, stealing information, sending false emails, or causing malfunctions, even complete shutdowns.

And they affect smartphones.

Google has been criticized publicly for the amount of malware in the Android Google Play store. In response, Google released the "Bouncer" program in February.

Bouncer was designed to screen applications by virtually "running" them to determine if they showed signs of attempting to steal or manipulate information.

"This is not just a problem with Google, it's not just a problem with phones, this is a problem that we have across all fields of malware analysis," said Jon Oberheide, co-founder and Chief Technical Officer of Ann Arbor-based Duo Security.

"Bouncer is sort of like a gatekeeper. If it catches an app behaving badly it can simply bounce it out before it gets to the market."

Rather than running the application on a physical phone, Bouncer simply mimics on a computer what the application would experience if it were run on a phone. However, like most knock-offs, Bouncer’s imitation is not perfect.


Jon Oberheide and Charlie Miller are working with Google to help them tighten security for Android apps

Angela Cesere

Oberheide and Charlie Miller, a principal research consultant at Accuvant LABS, were able to isolate certain characteristics of Bouncer that allowed them to create malware that could recognize when it was being run by Bouncer or an actual phone.

During the Bouncer "test," the software would function normally. However, when it was run on a real phone, the software could attack.

Oberheide presented his findings with Miller at the SummerCon technology conference on Friday in New York City. The pair showed the conference how they were able to design malware that "hacked" Bouncer.

"The fact that we were able to bypass Bouncer is not a huge surprise to those in the field. Fighting malware is a never-ending battle," Oberheide said. "Google will continue to improve their defenses and virus developers will continue to try to find their way around it."

Google has a vulnerability bounty program to pay security experts for exposing problems with their code. However, Android is not currently within the scope of the reward program, so Oberheide and Miller will not be directly compensated for their findings. Still, the publicity created by their findings certainly helps.

"Publicity generated by our technical research is a boon to the company," Oberheide said. "People discover Duo through our thought leadership in the security space and put trust in our ability [to secure their systems]."

Duo Security helps companies use mobile phones for transaction verification in order to make Internet and cloud-based data more secure. The company has grown rapidly in the past few months after a $5 million Series A investment led by Google Ventures in late February.

Malware can infect a smartphone as easily as a computer - sometimes more so. Programs can try to steal identities by taking sensitive information from phones including email passwords, banking information, or other stored personal information. They can also surreptitiously cause a phone to dial "premium" (or 1-900) numbers, with the price for the calls appearing on the monthly bill, and the money going directly to the makers of the software.

According to Oberheide, the likelihood of a regular smartphone user downloading malware is fairly low, as long as simple precautions are taken.

"If you're just downloading the popular apps for games or email, there's a very slim chance of you downloading malware," he said. "The problems occur when people just download anything and everything, or when you download programs from links in emails."

Below is a video in which Oberheide explains the methods he used to hack Bouncer. Warning: if you do not understand "techspeak" it might be over your head.

Ben Freed covers business. Reach him at 734-623-2528 or follow him on Twitter @BFreedinA2.


David Johnson

Sun, Jun 10, 2012 : 3:46 a.m.

Great article! Very informative and understandable. Kudos!


Sat, Jun 9, 2012 : 3:46 p.m.

The title of this article suggests Duo was doing something nefarious - "outwitting" Google, when, in fact, they were doing them a service!

Dug Song

Sat, Jun 9, 2012 : 3:07 p.m.

We are indeed growing quickly, with 3 of the top 10 social networks, and many banks, hospitals, enterprises, and universities among our 500+ customers, with users in over 80 countries. Check out our open positions at - we've tripled the team in the last 3 months!


Sun, Jun 10, 2012 : 1:11 p.m.

Good to see great solutions continue to pour out of Ann Arbor. As a user of Duo - I'm a fan of the solution.


Sat, Jun 9, 2012 : 12:53 p.m.

Here I thought that these guys were nice to stop this problem, now I find out that they want money for saving Android Phones! Greedy Capitalist! If we simply eliminated smart phones, we could stop these kinds of problems, save electricity, and save the planet!


Sat, Jun 9, 2012 : 12:13 p.m.

Kudos to the white hats. Without you guys we'd all just be blackhats by default. Developers would also never fix their vulnerabilities until it was far too late.