Saturday, October 17, 2015

Another Android Adware Adventure

AdDisplay is a new malware program discovered earlier this month by researchers at ESET Security. It was found hiding in several "cheat" apps, pretending to offer cheat codes for unlimited coins in games like Subway Surfer or Pou. AdDisplay works by serving up ads to the user aggressively and making uninstallation of the app difficult. This particular example is rather sneaky; it performs a WHOIS lookup in order to find out if it is being run in Bouncer.

Bouncer is a security measure created by Google that actively scans apps that are uploaded to the Play Store, and apps that are already being hosted. Bouncer actively compares apps to previous definitions of malware to find any red flags within the app. Unfortunately, just like any other tool, Bouncer is not flawless. Bouncer can be "fingerprinted," and malicious apps can perform certain evasive measures to ensure that they will not be identified. There are several commonly employed methods to avoid detection, such as waiting for commands from a CnC server before injecting the malicious content, waiting a predetermined number of hours before any ads or attacks are placed, or even comparing the environment to a database of known Bouncer identifiers or qualities.

This new adware is a little different though, as stated above. On first launch, the app gathers network information about the device (by way of the android.permission.INTERNET and android.permission.ACCESS_NETWORK_STATE permissions) and then performs a WHOIS IP lookup on the collected information. If the WHOIS response contains the string "Google", the application carries on, business as usual. If not, it assumes it is running on a user's device and starts dealing out ads. AdDisplay will also "prompt" the user to enable setting X while drawing an overlay over the "Grant Device Administrator" page within Settings, tricking the user into granting admin rights and making removal a little more difficult.
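As an added illustration from the sandbox operator's side (not ESET's or Google's code, and not the adware's), here is a heuristic that flags the pattern the post describes: the INTERNET plus ACCESS_NETWORK_STATE permission pair combined with a WHOIS connection (TCP port 43) soon after first launch. The log line format, the 60-second window and the addresses are constructed assumptions.

```python
"""Heuristic for the Bouncer-fingerprinting behaviour described above.

Constructed example: an app that holds both INTERNET and ACCESS_NETWORK_STATE
and opens a WHOIS connection shortly after first launch is flagged, because a
WHOIS lookup on its own egress address is how the adware decides whether it
is running inside an analysis environment rather than on a real user's phone.
"""
from dataclasses import dataclass

WHOIS_PORT = 43
EARLY_WINDOW_SECONDS = 60.0  # assumption: lookups this soon count as "first launch"
FINGERPRINT_PERMS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}


@dataclass
class NetEvent:
    t: float       # seconds since the app was launched
    dst_port: int
    proto: str     # "tcp" or "udp"


def parse_event(line: str) -> NetEvent:
    """Parse one constructed sandbox log line: '<seconds> <proto> <dst_ip>:<dst_port>'."""
    t, proto, dst = line.split()
    _dst_ip, port = dst.rsplit(":", 1)
    return NetEvent(float(t), int(port), proto.lower())


def flags_whois_fingerprint(permissions: set, log_lines: list) -> bool:
    """True when the permission set and early WHOIS traffic match the pattern."""
    if not FINGERPRINT_PERMS <= set(permissions):
        return False
    events = sorted((parse_event(line) for line in log_lines), key=lambda e: e.t)
    for ev in events:
        if ev.t > EARLY_WINDOW_SECONDS:
            break  # later lookups are outside the first-launch window
        if ev.proto == "tcp" and ev.dst_port == WHOIS_PORT:
            return True
    return False


# Constructed sample input (TEST-NET-3 addresses, not real infrastructure)
SAMPLE_PERMS = {"android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"}
SAMPLE_LOG = [
    "1.2 tcp 203.0.113.10:443",  # ordinary HTTPS traffic
    "2.7 tcp 203.0.113.20:43",   # WHOIS query right after launch
]

if __name__ == "__main__":
    print("flagged" if flags_whois_fingerprint(SAMPLE_PERMS, SAMPLE_LOG) else "clean")
```

This is one signal among several; the delayed-activation and C&C-wait tricks mentioned earlier need their own checks, since they produce no early WHOIS traffic.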

ESET has already informed Google of this, and Google has promptly removed the offending applications. This is just another example of why you should always know what you're installing: avoid applications that ask for unnecessary permissions or have several reviews questioning the authenticity of the app, and always keep a cautious eye when searching for new software.