Google prides itself on Bouncer, the security measure it launched early this year to filter malicious apps on Google Play before Android users can download them. If you’re an Android user, knowing this makes you feel secure that apps on Google Play will not harm you or your device. Unfortunately, Bouncer is not flawless: some malicious apps are still able to sneak past Google’s security checks.
Bouncer is flawed
In an interview with Forbes, security researchers Charlie Miller and Jon Oberheide discussed how Bouncer actually works and how malicious apps get through its security check.
Google doesn’t use actual phones to test apps it thinks are sketchy; it uses a virtual phone to test them. And that’s where the problem begins. Some malicious apps are designed to test the waters before wreaking havoc: they check things out first, by scanning the content of the phone, to determine whether they were downloaded onto a real device. The problem with Google’s virtual phone is that it contains only one contact, Michelle K. Levin with an e-mail address of Michelle.firstname.lastname@example.org, and only two photos, one of a cat and another of Lady Gaga. Google, you almost convinced me.
And that’s how Oberheide’s app, HelloNeon, designed to pull down new malicious code once installed on a user’s phone, got into Google Play. And that’s just one way to bypass Google’s security measure. At the Summercon conference in New York this week, Miller and Oberheide plan to present more methods of circumventing Bouncer.
“There are a thousand different ways to very accurately and sustainably fingerprint Bouncer,” says Oberheide. “Some are really hard to fix. Some can be fixed pretty easily. But in the long term game, the attackers have a major advantage.”
Though it may now seem that the security measures on Google Play can’t be fully trusted, consumers shouldn’t take this as a cue to abandon their Android devices or stop downloading apps from Google’s Android market. If there are ways for an app to bypass security, surely there’s a way for consumers to recognize whether an app is malicious or not.
Here are some important tips to remember before downloading any mobile app:
- Trusted stores – okay, this one is not entirely helpful since I’ve just discussed that Google Play is not completely malware-free. But there’s an even bigger chance of getting malware from third-party app stores than from Google Play. So stick to the legitimate app stores.
- Read – this may seem funny, but it’s the one thing that people fail to do properly. Oftentimes, consumers are lured by the word FREE. Okay, that’s fine, but read the rest of the app description. If you see FREE Sexy Baech Babes or Supre Fun Game, you’re probably downloading malware. If you didn’t see anything wrong with those titles, then you’re at risk. The titles were misspelled; take a look again.
- Popularity – check how many times the app has been downloaded and read the comments. See if there is substantial negative feedback, and check how the app is rated. Usually, people who were duped by an app leave negative comments, so watch out for that. And since a commenting system can be gamed, check multiple sources for app reviews, such as Google Play, Appolicious and Appbrain. Also check the blogosphere to see if an app has been reviewed, or if anyone has posted warnings about the app, calling it out as a malicious download. And if you accidentally downloaded a malicious app, be kind and inform others so they won’t become victims as well.
- Developer check – check out who the developer is. If the developer is an individual and the name seems sketchy, better skip that app. The safe bet is on apps developed by large, well-known companies. Google Play actually highlights its top developers, similar to how Twitter verifies celebrity accounts. Also, you can visit the developer’s website before downloading to make sure the company is legitimate. Do your research!
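As an added example (not from the original post), here is the checklist above turned into a small Python triage script: it flags near-miss spellings in the title, low install counts, a high share of negative reviews, reviews that report being duped, and unknown developers with no website. The vocabulary, the "duped" keywords, the thresholds and the sample listings are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed mini-vocabulary of words common in app titles; a real tool would load a dictionary.
VOCAB = {"free", "super", "fun", "game", "beach", "sexy", "babes", "photo", "editor", "maps"}
# Constructed list of words in reviews that suggest the reviewer was duped.
DUPED_TERMS = ("malware", "virus", "charged", "scam", "sms", "premium")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'supre' vs 'super' is 2, so near-miss spellings score low."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def misspelled_words(title: str) -> list:
    """Title words that are not in VOCAB but sit within 2 edits of a (longer) VOCAB word."""
    words = [w.strip("!?.,").lower() for w in title.split()]
    return [w for w in words if w not in VOCAB
            and any(edit_distance(w, v) <= 2 for v in VOCAB if len(v) > 3)]


@dataclass
class Listing:
    title: str
    downloads: int
    rating: float            # store average, 1.0 to 5.0
    reviews: list            # (stars, text) pairs
    developer: str
    top_developer: bool      # store-highlighted developer badge
    developer_site: str = ""


def triage(listing: Listing) -> list:
    """Apply the checklist; an empty list means nothing looked off."""
    flags = []
    bad = misspelled_words(listing.title)
    if bad:
        flags.append("misspelled title words: " + ", ".join(bad))
    if listing.downloads < 10_000:
        flags.append("low install count")
    negative = [text for stars, text in listing.reviews if stars <= 2]
    if listing.reviews and len(negative) / len(listing.reviews) >= 0.3:
        flags.append("substantial negative feedback")
    if any(term in text.lower() for text in negative for term in DUPED_TERMS):
        flags.append("reviewers report being duped")
    if listing.rating < 3.0:
        flags.append("low rating")
    if not listing.top_developer and not listing.developer_site:
        flags.append("unknown developer with no website")
    return flags
```

Run `triage(Listing("FREE Supre Fun Game", 800, 2.4, [(1, "Sent premium SMS, charged me"), (5, "great")], "john1234", False))` to see every flag fire; a well-known developer's listing with clean reviews returns an empty list.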
Some may think that researching things just for an app is a daunting task, but hey, it’s for your own good. Do you want the contents of your device to be available to hackers? Do you want your device to spread malware? Do you want unbelievably high phone or credit card bills? Those are just some of the things that could happen once malware gets onto your device, so it’s up to you to decide.