Google reveals Android malware 'Bouncer,' scans all apps

Claims 40% reduction in malicious app downloads in second half of 2011

Google yesterday unveiled an automated system that scans Android apps for potential malware or unauthorized behavior, a move critics have long called on the company to make.

The scanning service, appropriately codenamed "Bouncer," has been in action "a number of months," said Hiroshi Lockheimer, the vice president of engineering for Android, in an interview Thursday. "The interesting thing is that no one really noticed. It didn't disrupt the end user's experience [in the Android Market] or disrupt the developers. They didn't have to think about it at all."

Once an app is uploaded to Google by its developer but before it's published to the Android Market, Bouncer scans the code for known malware, including spyware and Trojan horses, and looks for behaviors that match apps which the company has previously decided are unacceptable.

Some apps that sound Bouncer's alarm are immediately denied entrance to the Android Market, said Lockheimer. Others are flagged for human review.

Bouncer also features a simulator that runs each app as if it was on an actual Android phone, said Lockheimer. "We can observe the application for hidden behavior, and then flag it for review if it's questionable," he said.

Google also has the ability to recheck already-published apps as it adds more detection and analytical skills to Bouncer. "As our knowledge of bad apps increases and we become aware [of new malware], we feed that into the system and rescan everything in the catalog," Lockheimer said.

Critics in the security industry have called on Google to proactively scan Android apps for potential malware, rather than wait until unacceptable or infected apps are reported by users or researchers.

"This is absolutely a good move," said Chet Wisniewski, a security researcher at U.K.-based vendor Sophos. "Bouncer clearly makes sense. [But] most Android users would be surprised that they weren't already doing this."

Lockheimer denied that Bouncer was a reaction to any single security incident, including the appearance of the first Android Trojan horse: In March 2011, Google yanked more than 50 DroidDream-infected apps from the Android Market, and within days used its "kill switch" for only the second time to remotely erase the programs from users' smartphones.

Instead, Lockheimer said, Bouncer was an evolution of Google's security philosophy.

"Bouncer wasn't in response to any one thing," Lockheimer said. "Security is important to Android, that's always been a theme of ours."

But Android malware played a prominent role in security news last year. Following the first DroidDream campaign, attackers planted more infected apps on the Market last June and July. Malicious apps have also regularly popped up on third-party download sites, which Google doesn't regulate, especially in China.

And last November, Juniper Networks said that the number of malicious Android apps had quintupled in just four months.

Lockheimer didn't dispute claims by security vendors -- who admittedly have Android software to sell -- but said that the volume of available infected apps was the wrong metric.

"The important statistic is how much malware actually reaches users' phones, and how many users are impacted," Lockheimer said.

Using that measuring stick, Google claimed success. "There was a 40% reduction in the number of potentially-malicious downloads from Android Market," said Lockheimer, in the second half of 2011 compared to the six months prior.

However, some apps have not been flagged by Bouncer.

Last December, Google pulled 22 apps from the Market after San Francisco-based Lookout Security reported that the programs sent spurious text messages to premium numbers, racking up revenues for criminals.

At the time, Google noted that the premium texting functionality had been disclosed to users by the apps before they were installed.

Yesterday, Lockheimer declined to explain why those apps weren't detected by Bouncer, saying he wasn't familiar with the specifics.

"There is some gray area, and now we're getting into what is the definition of 'malware,'" he acknowledged. "Some apps are really obviously bad, in some cases it's not obvious. But Bouncer tracks all kinds of interesting behavior. If an app is texting to a known fraudulent number, Bouncer can detect that."

In fact, the debate over what is and what isn't malicious, a discussion held years ago for PC software, has recently reached mobile apps.

Last week, Symantec pegged 13 apps in the Android Market as malicious, but rival Lookout disagreed, saying that they were particularly aggressive in serving ads to users of free apps. This week, Symantec backtracked but promised it would still flag such apps to alert users.

Security experts applauded Bouncer.

"We believe this is a step in the right direction in securing the Android ecosystem from a broad range of constantly evolving threats," said Kevin Mahaffey, co-founder and chief technology officer of Lookout, in an emailed statement.

Although Sophos' Wisniewski also praised Google's move, he had some caveats.

"The real question is what will Google do about potentially unwanted apps," said Wisniewski, using a term Sophos has recently applied to the kind of code Symantec uncovered last week. "If we're confused about it, it's for a good reason."

Wisniewski also said that Google could do more. "One of the best things Google could do is really scrutinize who is allowed to develop for Android," said Wisniewski. "A majority of malicious Android apps are signed by a very small group of developers. We've seen 500 malicious apps signed by just one guy."

In a blog post Thursday, Lockheimer said that Google was analyzing new developer accounts in an effort to keep repeat offenders from being allowed to publish to the Market.

He later declined to go into detail, but said that the analysis was not done by Bouncer. "It is another component of our security strategy [and] another piece of the puzzle."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer.

Copyright © 2012 IDG Communications, Inc.
