Researchers hide malware from Google Bouncer

Google’s Bouncer malware detection system might not be as strong as the Chocolate Factory hopes, with a pair of security researchers demonstrating flaws in the system. Duo Security’s Jon Oberheide and Charlie Miller, preparing a presentation for this week’s SummerCon in Brooklyn, have demonstrated that it’s possible to slip a …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Sadly, when something becomes so popular there are those that want to exploit it.

    I would love to see a system whereby it remains open source but the apps themselves are individually walled away from the operating system so that they cannot access anything but themselves.

    Would this mean an Apploid or andrapple OS?

    I think I'm at risk of being taken away by the men in white coats.

    1. Richard 12 Silver badge

      The problem with such walls is that they need holes

      Say you write a picture-munging application. It clearly needs to be able to read the pictures already on the phone as well as take photos with the camera, and it needs to save the results back to the picture gallery.

      Equivalent examples exist for a lot of things.

      The obvious solution is for more granularity in permissions - you may see my picture collection but not my sounds library etc.

      More importantly, we need the ability to deny a particular permission to the application, e.g. it gets an empty and volatile persistent storage.

    2. Dan 55 Silver badge

      It's been invented before

      It's called Symbian, but apparently it's yesterday's mobile OS.

    3. Mike Judge
      Stop

      android already does this

      developer.android.com/guide/topics/security/security.html

      "Because Android sandboxes applications from each other, applications must explicitly share resources and data. They do this by declaring the permissions they need for additional capabilities not provided by the basic sandbox."

      Anything you shove on the sdcard however is fair game....

      As for Bouncer, it will be trivial for Google to fingerprint apps to see if they are trying to work out if they are running in the emulator, or indeed remove the qemu reference from the VM.

      Either way, I would expect this not to work by the time they try and demo it...

      1. Richard 12 Silver badge

        Re: android already does this

        Not really. Inter-application communication has very tight granularity, but application-to-phone permissions are still quite big buckets:

        http://developer.android.com/reference/android/Manifest.permission.html

        It's a little odd as there are a few very fine-grained permissions, while most are very large buckets. E.g. location info has several different permissions, while others let the app do pretty much whatever it wants to "X".

        It's still not possible to deny an application a permission while still running it, or alter permissions after installation - for example, almost every social network app seems to want GPS location. What if I don't want it to have my location but am happy for everything else?

        Or even more common, I'm happy for it to use the Internet but not for it to use my phone or SMS/MMS. When abroad it's easy to kill Internet, but not possible to kill phone/SMS/MMS.
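
The install-time, all-or-nothing permission model described in the reply above can be checked from the user's side before installing. This is an added example and not part of the original thread: it assumes the manifest has already been decoded to text XML, the sample manifest and package name are constructed, and the grouping of permissions into "concerns" is this example's own assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: decoded AndroidManifest.xml of a hypothetical social app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.socialapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Social"/>
</manifest>
"""

# android.permission.* names grouped by the concerns raised in the thread.
# The grouping is an assumption of this example, not an Android concept.
CONCERNS = {
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "phone/SMS/MMS": {"CALL_PHONE", "SEND_SMS", "READ_SMS", "RECEIVE_SMS", "RECEIVE_MMS"},
    "internet": {"INTERNET"},
    "shared storage": {"WRITE_EXTERNAL_STORAGE"},
}

def requested_permissions(manifest_xml):
    """Return every permission name declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")]

def audit(manifest_xml, unwanted):
    """Group requested permissions by concern and decide install / don't install.

    With install-time grants there is no partial denial: one unwanted
    concern means the whole app has to be refused."""
    by_concern = {}
    for full_name in requested_permissions(manifest_xml):
        short = full_name.rsplit(".", 1)[-1]
        concern = next((c for c, perms in CONCERNS.items() if short in perms), "other")
        by_concern.setdefault(concern, []).append(short)
    conflicts = sorted(c for c in unwanted if c in by_concern)
    verdict = "do not install" if conflicts else "ok to install"
    return by_concern, conflicts, verdict

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, {"location", "phone/SMS/MMS"}))
```
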

  2. mdc

    Missed Opportunity

    Joe & Charlie vs The Chocolate Factory?
