Warnings over ability to 'Trojanise' Android apps

Two researchers demonstrated how they were able to push a malicious information-stealing app onto Google Play, even while Google's Bouncer custom malware scanner was watching.

Trustwave SpiderLabs head Nicholas Percoco and Sean Schulte, a backend SSL services developer at Trustwave, said that they circumvented Bouncer with a JavaScript trick that transformed a benign Android app into a malicious one on Google Play.

Speaking at the Black Hat security conference in Las Vegas, the pair said that they had developed a benevolent app called 'SMS Bloxer' that looked like other SMS blocker apps on the market. In order to ensure regular users didn't accidentally download the app, Trustwave also priced it at $49.95, in stark contrast to similar apps, which were usually £2 or less or free.

SMS Bloxer lived on Google Play for two weeks and wasn't flagged by Bouncer at any point in that period. At its worst, the app was capable of stealing contacts, SMS messages and photos, and it was able to harvest information about the device or force a web page to load. The researchers said that it could also launch a denial-of-service attack.

Percoco said: “We wanted to test the bounds of what it's capable of.”

He said the benign app reported back to Trustwave whenever it was executed, and made it past Bouncer and onto Google Play. The team had determined Bouncer's IP address by this time and modified the test app to act maliciously only if it was executed outside Bouncer.

To avoid detection, the team used the JavaScript bridge, a 'legitimate' workaround supported by Android, which allowed developers to remotely add new features to a program using JavaScript, or to change the look and feel of an app by modifying the HTML, without having to go back through the entire app approval or update process.

Trustwave used the JavaScript bridge to add increasingly malicious capabilities to the app. Bouncer scanned the app repeatedly, but never noticed the new malicious features. Percoco said that only when the team tweaked the app to execute every second did Bouncer notice it and suspend the developer account.
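For app reviewers, the pattern described above can be looked for in decompiled source: a script-callable bridge on a view whose content is fetched remotely, and so can change after review. The heuristic below is an added example, not code from the article or from Trustwave; it assumes the bridge is Android's `WebView.addJavascriptInterface`, and the Java samples, the `DeviceApi` class and the URLs are constructed.

```python
import re

# Real Android WebView method names; the sample sources below are constructed.
BRIDGE = re.compile(r'\.addJavascriptInterface\s*\(\s*[^,]+,\s*"([^"]+)"\s*\)')
JS_ON = re.compile(r'\.setJavaScriptEnabled\s*\(\s*true\s*\)')
LOAD = re.compile(r'\.loadUrl\s*\(\s*([^)]*?)\s*\)')

def audit_webview(java_source):
    """Return review findings for one Java source file (per-file heuristic)."""
    bridges = BRIDGE.findall(java_source)
    if not bridges or not JS_ON.search(java_source):
        return []  # no script-reachable bridge in this file
    findings = []
    for arg in LOAD.findall(java_source):
        literal = re.fullmatch(r'"([^"]*)"', arg)
        if literal is None:
            # URL computed at run time: a static scan cannot see the content.
            findings.append(f"dynamic-url: loadUrl({arg}) with bridge {bridges}")
        elif literal.group(1).lower().startswith(("http://", "https://")):
            # Content lives on a server and can differ from what was reviewed.
            findings.append(f"remote-content: {literal.group(1)} reaches bridge {bridges}")
        # file:///android_asset/... ships inside the APK, so it was reviewable.
    return findings

SETUP = '''
WebView view = new WebView(this);
view.getSettings().setJavaScriptEnabled(true);
view.addJavascriptInterface(new DeviceApi(this), "device");
'''
REMOTE_UI = SETUP + 'view.loadUrl("https://ui.example.test/index.html");\n'
PACKAGED_UI = SETUP + 'view.loadUrl("file:///android_asset/index.html");\n'
DYNAMIC_UI = SETUP + 'view.loadUrl(homeUrl);\n'

if __name__ == "__main__":
    for name, src in [("remote", REMOTE_UI), ("packaged", PACKAGED_UI),
                      ("dynamic", DYNAMIC_UI)]:
        print(name, audit_webview(src))
```

A finding is a prompt for manual review of what the bridge object exposes, not proof of malicious behaviour; many legitimate hybrid apps match the same pattern.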

Trustwave shared its findings with Google, and Percoco said the company was a "great organisation to work with".