Skip the navigation

Google reveals Android malware 'Bouncer,' scans all apps

Claims 40% reduction in malicious app downloads in second half of 2011

February 3, 2012 07:25 AM ET

Computerworld - Google yesterday unveiled an automated system that scans Android apps for potential malware or unauthorized behavior, a move critics have long called the company to make.

The scanning service, appropriately codenamed "Bouncer," has been in action "a number of months," said Hiroshi Lockheimer, the vice president of engineering for Android, in an interview Thursday. "The interesting thing is that no one really noticed. It didn't disrupt the end user's experience [in the Android Market] or disrupt the developers. They didn't have to think about it at all."

Once an app is uploaded to Google by its developer but before it's published to the Android Market, Bouncer scans the code for known malware, including spyware and Trojan horses, and looks for behaviors that match apps which the company has previously decided are unacceptable.

Some apps that sound Bouncer's alarm are immediately denied entrance to the Android Market, said Lockheimer. Others are flagged for human review.

Bouncer also features a simulator that runs each app as if it was on an actual Android phone, said Lockheimer. "We can observe the application for hidden behavior, and then flag it for review if it's questionable," he said.

Google also has the ability to recheck already-published apps as it adds more detection and analytical skills to Bouncer. "As our knowledge of bad apps increases and we become aware [of new malware], we feed that into the system and rescan everything in the catalog," Lockheimer said.

Critics in the security industry have called on Google to proactively scan Android apps for potential malware, rather than wait until unacceptable or infected apps are reported by users or researchers.

"This is absolutely a good move," said Chet Wisniewski, a security researcher at U.K.-based vendor Sophos. "Bouncer clearly makes sense. [But] most Android users would be surprised that they weren't already doing this."

Lockheimer denied that Bouncer was a reaction to any single security incident, including the appearance of the first Android Trojan horse: In March 2011, Google yanked more than 50 DroidDream-infected apps from the Android Market, and within days used its "kill switch" for only the second time to remotely erase the programs from users' smartphones.

Instead, Lockheimer said, Bouncer was an evolution of Google's security philosophy.

"Bouncer wasn't in response to any one thing," Lockheimer said. "Security is important to Android, that's always been a theme of ours."

But Android malware played a prominent role in security news last year. Following the first DroidDream campaign, attackers launched planted more infected apps on the Market last June and July. Malicious apps have also regularly popped up on third-party download sites, which Google doesn't regulate, especially in China.

Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!