Two researchers demonstrated how they were ableto push a malicious information-stealing app onto Google Play, even whileGoogle’s Bouncer custom malware scanner is watching.

They circumvented Bouncer, anautomated scanner, with a JavaScript trick that transformed a benign Androidapp into a malicious one on Google Play, Nicholas Percoco, head of TrustwaveSpider Labs, told attendees at Black Hat security conference in Las Vegas onWednesday.

Sean Schulte, a back-end SSL services developer at Trustwave joinedPercoco for the presentation.

The pair developed a benevolent app called “SMS Bloxer,”which looked like other SMS blocker apps on the market. In order to ensureregular users didn’t accidentally download the app, Trustwave also priced it at$49.95, in stark contrast to similar apps, which were usually $2 or less, orfree.

SMS Bloxer lived on Google Play for two weeks and didn’t getflagged by Bouncer for that entire period of time. At its worst, the app wascapable of  stealing contacts, SMSmessages, and photos.

It could harvest information about the device or force aweb page to load, the researchers said. It could also launch a denial-of-service attack.

“Google never flagged it,” Percoco said.

The internet giant, recognizing that malicious applications were becoming a growing problem, introduced Bouncer in February.

Google must have realized reacting was a losing battle andsome kind of app review was needed, hence Bouncer, Schulte said. There wasn’t a lot of information available publicly about thetechnology or how it worked, which piqued Trustwave’s curiosity, Percoco said.

“We wanted to test the bounds of what it’s capable of,” Percoco said.

The team created a benign app that just reported back toTrustwave whenever it was executed, and made it past Bouncer and onto GooglePlay. The team had determined Bouncer’s IP address by this time, and modifiedthe test app to act maliciously only if it was executed outside Bouncer. 

To avoid detection, the team used  the JavaScript bridge, a “legitimate”workaround supported by Android, Percoco said. The bridge lets developersremotely add new  features to a programusing JavaScript, or changing the look and feel of an app by modifying theHTML, without having to go back through the entire app approval or updateprocess. Facebook and LinkedIn use this method for their apps, Percoco said.

Trustwave used the JavaScript bridge to add increasinglymalicious capabilities to the app. Bouncer scanned the app repeatedly, but nevernoticed the new malicious features. Only when the team tweaked the app toexecute every second did Bouncer notice it and suspend the developer account,Percoco said.

Trustwave shared its findings with Google, and Percoco saidthe company was a “great organization to work with.” A Google spokesperson could not be reached for comment by SCMagazine.com.