After loading a legitimate Android app onto Google Play, researchers were able to update it with malicious functionality without triggering the malware detection system. Whoops.

Security researchers testing Google's Bouncer malware detection system for Android apps have managed to submit a benign app and then slowly update it to add malicious functionality, one of the researchers told CNET today.

Nicholas Percoco, head of Trustwave's SpiderLabs, and colleague Sean Schulte will be discussing their research during a session at Black Hat and Defcon next week in Las Vegas entitled "Adventures in Bouncerland."

After Google launched its Bouncer system to protect apps in the Google Play Android market in February, the researchers wanted to see if they could turn a good app that was already in the system into something malicious without triggering the Bouncer malware alarm system. They succeeded.

First they created an app that was designed to allow users to block text messages from specific individuals, known as an SMS blocker. Once the app was in the market and available for public download, the researchers updated it 11 times to add additional functionality that was totally unrelated to blocking text messages. None of the updates triggered Bouncer because the researchers used a cloaking method that masked the functionality changes from Bouncer, Percoco said. "We used a technique that allowed us to pull a blindfold over Bouncer," he said.

So their app, which they are refusing to identify until next week, started off as a simple SMS blocker and was updated incrementally to access all sorts of data on the device and even to turn the phone into a zombie for use in Distributed Denial-of-Service (DDoS) attacks.

"The last version we had in the store allowed us to steal all end user photos, contacts, phone records, SMS messages, and we can hijack a person's device" and direct the device to visit a malicious Web site, Percoco said. "The last functionality in there allowed us to define a location for the mobile device to go and launch a DDoS against a target."

Eventually, the researchers updated the app and removed the technology that had hidden the malicious functionality. At that point, Bouncer detected it as malicious and pulled it from the market.

Percoco will demonstrate in his talk how the app still residing on his test Android device steals information from the phone and can be used to launch a DDoS on a test Web site. The app was only downloaded onto this one device because he priced the app much higher than all the other many SMS blockers on the market, he said.

If other developers learn this masking trick we could see other Android apps go Mr. Hyde on us. "You now have trusted apps that could some day in the future decide to become malicious," Percoco said. "We need more granular permissions and controls that are mapped and pushed down to end user devices."

The researchers have contacted Google and will be meeting with Android researchers at the security conferences next week to discuss the issue, according to Percoco.

A Google spokeswoman said the company did not have comment on this matter.

martyns303: just what i need, please no intentions of derailing this topic but i've got a situation that is related and with this being on front page maybe i can get my answer, i installed an app on my friends samsung galaxy tab (air navigation pro) it worked fine, but when i tried installing it on mine it gives an error message that reads "problem parsing package....", guys please if anyone can help, would appreciate it. cheers.

jude33084: [font=Lucida Sans Unicode]

samfibby: Why do they have to make this public, now hackers would shift attention to these devices.

kelvinnn: What else do you expect, that is one of the setback of an open source os!!

jude33084: [font=Lucida Sans Unicode]

kenraj: I have an HTC HD2 which fell off and the screen got broken, i continued using the touch screen with that until suddenly it stops working. I brought it down with me to (ja recently and gave it 2 sum1 @ computer village but he s yet 2 get fixed..Am really worried cos i need to get some info and contacts on the phone even though it should not work again...Pls i need your help on who can help with it...You can call me on my mobile if you got any assistance for me- 08030638084

omoajiri: Please does any1 here know how I can deactivate MTN BIS subscription from my MTN line. I called mtn's customer care line to no avail.
Thanks