Posted by & filed under malware, vulnerability, zero-day.

Google addressed the Stagefright vulnerability by rapidly releasing the Android 5.1.1 Stagefright fix. However the fix broke the widely used “recent activity” log access for the developer community. As a result, the Stagefright “fix” disabled many popular task management, parental control and app-locker android applications. The Trustlook team moved quickly with a timely update of the Trustlook Mobile Security application. “Memory Boost”, our task management feature continued to work as normal for millions of our users while others’ remain disabled.

The Nexus 6 Phone screenshot below shows all is A-OK. Users can continue to keep their Android devices running in tip-top shape.

The story started from the Black-Hat 2015 (08/01-08/06), when an exploit called Stage-fright was revealed to the public as a threat to over 95% Android devices. The Stage-fright exploit utilizes the media-play library of Android operating system and executes malicious code embedded in multi-media files. Later on 08/12/2015, Google released the OTA for the stage-fright bug fix to cope with the vulnerability.

While immediately after the users updated their Nexus 6 phones, they found:

review

As shown in the red box of the right-bottom part of the screenshot, the user of a famous Task Killer app with 50 Million to 100 Million download counts stated : “Latest update for Android 5.1.1 killed this app. …”

To further investigate the Android OTA update, we researched the top 10 Task Killer apps in Google Play and were shocked that ( as late as 08/14/2015 ) all apps which are supposed to kill other unauthorized processes were actually ‘disabled’ by the OTA update.

Here are a few examples of the most popular ones:

The aforementioned Advanced Task Killer App has more than 50 Million downloads:

Screenshot_2015-08-17-17-20-32

Exactly as described by the review, the app failed to access any of the processes in the memory:

Screenshot_2015-08-17-15-29-48

 

Here is another example:

Screenshot_2015-08-17-17-14-18

Zapper Task Killer & Manager with more than 1 Million download counts was developed by a renowned mobile antivirus vendor. The process killer feature was blocked after the Android OTA update. Therefore, no process other than Zapper itself was recognized while several apps and games were still running in the operating system. It means that Zapper fails to access any recently apps, not to say forces them destroy.

Screenshot_2015-08-17-15-37-10

The root cause of the problem is the new permission requirement of the ActivityManager.getRunningAppProcesses() method in Android 5.1.1 version. In the Android OTA update, the PERMISSION.REAL_GET_TASKS needs to be proposed to and granted by user in order to get the full list of tasks and processes.

CONCLUSION

From this series of stories with Stagefright, OTA and Task Killer, we can see that : due to the open-sourced nature of the Android Open Source Project (AOSP), vulnerabilities and exploits are discovered only a few days ahead of the real zero-day attacks. Hence the community is patching the Android operating system in a much faster speed and might require subsequent patches from the third party developers and antivirus vendors. In this evolving environment, the best strategy of Android users is:

1. to keep an keen eye on safety updates of both Android OS and Antivirus apps,

2. to always use the most updated versions to protect the devices and the data.

 

Please contact support@trustlook.com for comments.

Authors: Jinjian Zhai, Tianfang Guo, Weimin Ding, Wilson Ye

 

 

 

Posted by & filed under potentially unwanted app, vulnerability.

Authors: Jinjian Zhai, Tianfang Guo

Nasir al-Wuhayshi had a bounty of 10 million USD issued by the US State Department in October 2014, and was killed in a US drone strike in the Hadhramaut Governorate of Yemen on 12 June 2015.

Explaining the mystery of how al-Wuhayshi got pinned in a vast area of desert land mass, CNN reported : “This was more than just luck. … He got sloppy and moved in a way that he could be tracked. … Classified high tech gear makes the strike possible. Eavesdropping of cell phone and monitoring of social media by the intelligence community is at all time high.

According to CNN, eavesdropping on Nasir al-Wuhayshi’s cellphone disclosed his location, like something out of a 007 film. Mobile apps, especially social media applications, emerge as new sources of location intelligence.

Although this was an fatal example of the leakage of physical GPS metadata, the information was under the control of international law enforcement. You can imagine situations where the circumstances can evolve to be much worse had similar data been under the control of outlaws.

It seems similar privacy leakages aren’t as far off as Yemen. On June 17, Reuters reported large amounts of private data were stolen due to common flaws in application development: “Security researchers have uncovered a flaw in the way thousands of popular mobile applications store data online, leaving users’ personal information, including passwords, addresses, door codes and location data, vulnerable to hackers.

Below is an example of a leaked GPS location from a compromised android app.

com.songguo.hotel is a popular Android hotel booking app from Ctrip.com, one of the biggest online travel services in China. The version we analysed sent GPS locations to Baidu Map service without any user input. The data, accurate to a few meters, was captured en route in plain text.

The plain text of GPS location.

 

The high accuracy location of the user is fetchable by GPS coordinates:

map

 

GPS stealing behavior can be detected by the Trustlook Mobile Security platform and application with the name “StealBy.Socket“.

report_score

 

 

The malicious “StealBy.Socket” behavior in Trustlook Mobile Security app:

 

report_pcap

 

Apps leaking GPS data were discovered as malicious by Trustlook Mobile Security:

app_detect

 

There are ways to avoid leaking GPS location, including disabling location sharing entirely. Sometimes such notification windows are absent, just like the app we studied in this blog. Consumers should rely on Antivirus applications to be sure of privacy protection from not only malware but the also risky behavior of legitimate apps.

Other data leaks- including password, photos, and medical data, will be further investigated and published in the future. Stay tuned…

To read the full report of the sample from the Trustlook Antivirus platform, please contact : support@trustlook.com

Posted by & filed under malware, potentially unwanted app, zero-day.

Authors: Tianfang Guo, Jinjian Zhai; Special Thanks: Steven Chen

Last week, Trustlook exposed the Facebook credential phishing malware “Cowboy Adventure”. In the article we pointed out that phishing is one kind of behavior that is difficult to detect via an automated technical approach. This may be one reason it sneaked by the Google Play Store’s  “Bouncer” automated security check.

In this article, we will highlight several examples of Zombie malware on Google Play we very recently uncovered. These are Called  – “The “Clickers”.They commit another stealthy kind of malicious behavior, that  will likely be overlooked by automated analysis solutions.

“Clicker” is a malware that affects a large part of the mobile ecosystem creating fraud for the vendors, spamming the networks and exploiting the resources of user the community. This form of malware launches requests through Advertizing links. “Clickers” generate costly, false user traffic for advertisers, while draining the user’s battery life and consuming their monthly data plan bandwidth allowances. Everyone loses when a “Clicker” is unleashed.

 

Screen Shot 2015-07-13 at 3.46.01 PM Screen Shot 2015-07-13 at 3.46.10 PM

 

The latest malware we detected is called “Best: Dubsmash”. It has no actual functionality other than a confusing UI. Most users are likely to spend some time to figure out what it does. In the mean time, let’s see what is doing in the background:

Screen Shot 2015-07-13 at 3.47.28 PM

 

Communicate a C&C server. This server will serve the target URL that needs users to click.

According to our test, this URL will give different URLs each time you refresh it. Most of the URLs are porn sites.

Screen Shot 2015-07-13 at 3.48.05 PM

Our behavioral analysis shows the Zombie requests are generated by using invisible webview calls, in a continuous 20s time interval. There goes the user’s battery life and bandwidth. data plan. Also it will (or rather should) create events on a properly monitored corporate network. Just what your SecOps team needs, right? More Spam remediation.

Screen Shot 2015-07-13 at 3.48.45 PM

 

As of Jul 13 PST 2:40PM, this app, as well as 3 similar “clickers” are still alive on Google Play. We already reported this issue to our colleagues at Google Play and will look forward to timely remediation.

 
Screen Shot 2015-07-13 at 6.50.16 PM

Posted by & filed under malware, potentially unwanted app, zero-day.

Authors: Tianfang Guo, Jinjian Zhai

How many users can a stealthy malware acquire after being published on Google Play? Hundreds? Thousands? We believe a new record has been established: 500k-1m downloads. This malware survived more than 4 months until the Trustlook research team uncovered it.

The holder of this dubious honor is a malware called “Cowboy Adventure”. It is a simple game made utilizing the popular 2D game engine “Platformer 2D”.  After careful analysis our team found a devious and scary reason behind its user growth.

Screen Shot 2015-07-02 at 10.49.50 AM
Screen Shot 2015-07-02 at 10.50.03 AM
Screen Shot 2015-07-07 at 4.37.06 PM

 

Beginning of the story

Days ago, we found some users are complaining about their Facebook accounts are abused, sending a game invite to all the friends. And most of them speak Chinese:

Screen Shot 2015-07-07 at 5.06.03 PMf493908d8528286f25d4a51818c8d45c-1

After analysis, we found the “Cowboy Adventure” is actually a phishing malware that forged into a game. It will forge a Facebook login, and collect users’ Facebook username/passwords. By spamming the victims’ friends, it spread virally. Moreover, the phishing behavior is committed “selectively”, only the IP address from Asia could trigger it.

 

The detailed analysis

Untitled

Above is the fake Facebook login window. If you have basic knowledge about OAuth, you should know that no 3rd party could ask your FB account in this way.

The app is developed using Mono, the open-source, cross-platform implementation of Microsoft’s .NET Framework. The app’s code is written in C# and compiled to several PE dll files. We used the Telerik JustDecompile and ILSpy to decompile it.

The key code are from 2 dlls:

ThinkerAccountLibrary.dll – the component responsible for collect user information, including the Facebook accounts.
2015-07-06 22_39_50-ILSpy
CowboyAdventure.dll – the game’s code. Also it contains an entry activity that determines whether it pops up the phishing activity or not, based on user’s location.
BF929A23-2644-40A3-8920-AFCD16EBBEBD

Upon launching, the app will first communicate with a command & control server:
2015-07-06 22_38_07-ILSpy

The returning data will determine the app’s logic: directly start the game, or phishing the user via the fake Facebook login activity.

During our test, the return data is very tricky: the C&C server will determine whether to commit malicious behavior via the client IP. We tried access the URL using our IP in United States, the returning data is as follows, with the “LoginEnabled” value 0:
Screen Shot 2015-07-07 at 2.52.38 PM
In this case, the game will start without phishing.

However, if we access this URL via a proxy server from China Mainland, Hong Kong, Taiwan or S.E Asia, the return will be different:
Screen Shot 2015-07-07 at 4.04.55 PM

Note the “LoginEnable” value has changed to 1. In this case, the app will first pop-up the phishing activity. This probably a trick to delay the time it discovered by major Antivirus vendors outside Asia. (And it worked!)

Here is the our reversed engineered code showing its logic:
Untitled drawing -2-

The AppData class is for storing the data returned by C&C server. “LoginEnable” indicates whether to phishing, and “UrlHomePage” indicates the URL for submitting the users’ FB accounts.

As is shown below, in the apps main activity “HomeActivity”, the first activity shown to the user is decided by the value “LoginEnable”.

Cowboy2 -1-

After the phishing activity is popped up, and the victim input the Facebook account, the email/password will be sent to the URL specified in the C&C server’s returned JSON value “UrlHomePage”. The detailed logic is shown below:

Untitled drawing -3-

After the C&C server received the users’ Facebook account and password, we don’t know what exactly happened there. But we can guess: a automated script will use Facebook’s API to spread the malware among friend networks, attracting more and more victims.

Even at the time the author writing this article, there is ZERO AV vendor can detect this malware according to virustotal.com . The VirusTotal even gave a comment: “Probably harmless! There are strong indicators suggesting that this file is safe to use.”
Screen Shot 2015-07-07 at 3.02.31 PM
That is the story behind a “legendary” malware on Google Play, which infected nearly 1M phones in 4 months. According our analysis, there is no complicated technology used, just a little social engineering and a small trick to evade detection.

 

Some thoughts

We have to ask: what’s going wrong? The author’s opinion is as follows:

1. Mono is relatively a new development framework, thus good at evading analysis. This is not about difficulty, but cost-efficiency. As the Jar pack is still the majority of the Android threat source, few vendor integrates the Mono and C# code analysis into automated platforms.

2. Phishing is naturally difficult to detect via automated technical approaches. A phishing Facebook login activity has no difference to a normal login activity on code level. Only experienced human being can identify the forged images & layout.

3. The sneaky developer has set a location based triggering mechanism. This may fooled a lot of AV vendors outside Asia.

4. Some AV vendors have overly trust on Google Play. The slow reaction for AV vendors and the VirusTotal’s result is the best evidence. The app’s high-profile on Google Play might be a factor that made VirusTotal gave the “Probably harmless” comment. Also to our knowledge, some AV vendors gives more trust to the apps on Google Play during their automated analysis.

——

Update on Jul 9 3pm PST:

After more research, we found the conclusion of “the phishing only works for Asia IP” is incorrect. Now we found it actually affects anywhere except US and Canada.

Posted by & filed under malware, potentially unwanted app.

Authors: Tianfang Guo, Jinjian Zhai

When talking about the cybercrime industry, “business model” is more important than the technology itself. According to Security Magazine Cybercrime is costing businesses more than $1,500 per employee annually. That’s a likely a drop in the bucket compared to how much ransomware pirates are extorting from business.

Last year, we published an article “Android Ransomwares – A True Threat or Bluffing”. Reviewing it today, most of the predictions in that article about the technologies used on Android ransomware have come true. Driven by profits, the ransomware makers have shelfed ethicsand laws, trying everything to force the victims pay money. According to the Mcafee lab, the number of ransomwarerequests have grown 165% in Q1 2015. [1]

How can businesses proactively repel Ransomware? Trustlookhas reviewed large amount of ransomware samples in the last few weeks and is building a solution. This article analyzes the ideas and technologies behind the ransomware as well as introducing TrustLook’s solution of detecting them.

Ransomware is best analyzed through 3 key metrics: how they block the normal usage of your phone; in what way they receive a payment from the victim; and how they spread themselves. We will categorize the ransomware by the first and foremost metric, how they block the normal usage, which consists of three classes or levels of harm of severity:

  • Class A: They will cause software level damage to your phone:impairing data, and/or gaining higher privileges to maintain controlling and commanding. These Android ransomware do, on phone, as what the traditional ransomware do on PC.
  • Class B: They will not cause damage or gain higher privilege, but cause trouble on the regular usage of the phone: E.g. popping up “NAG”[2] messages that keep on top of the screen. They can be fixed in an easier way than Class A ransomware.
  • Class C: They do not use any technology to block the usage, instead they rely on fraud information and social engineering to con victims. They are scam apps in natural than ransomware.

We will only discuss Class A and B ransomware in this article. All the malware mentioned in this article is now detected by Trustlook’s security solution.

Class A Ransomwares:

Sample name: Android Performance Enhance
Package name: tx.qq898507339.bzy9
MD5: cdc77f3dfabdea5c5278ac9e50841ff3

Behaviors:

  • – Forged into an system enhancement app
  • – Cheat the user to authorize the device admin, including changing screen-unlock password and lock screen permissions.
  • – Lock screen with a password, victims are supposed to contact the author and make a payment to get the unlock password. We pretended to be the victim and contacted the author. He asked 50 RMB (~$9), via AliPay (China’s paypal).
  • – Cannot be uninstalled using ADB due to the device admin privilege
  • – Spread mainly in China, via Baidu “Tieba” (like China’s reddit) and cloud storage

Screen Shot 2015-07-07 at 10.30.59 PM
Ask for device admin

Screen Shot 2015-07-07 at 10.31.55 PM

Lock screen with a password

Remove Difficulty: 4.5 stars
Transmission: 3 stars
Creativity: 3 stars
Overall Severity: 4.5 stars

 

Sample name: PornPlayer
Package name: com.ayurvedic
MD5: f91b39614dae1aae69337662dd287949

Behaviors:

  • – Forged into a porn video player
  • – Ask for device admin for self protection
  • – Encrypt media files using AES algorithm, difficult to recover the files unless intercept the key before it’s sent out
  • – Pop up an always on top window, ask payment for the unlock key
  • – Stealing phone contacts and call logs
  • – Cannot be uninstalled using ADB due to the device admin privilege

Screen Shot 2015-07-07 at 10.33.25 PM

 

Screen Shot 2015-07-07 at 10.34.19 PM

Our sandbox has clearly intercepted the suspicious encryption operation and the encryption key:

Screen Shot 2015-07-07 at 10.35.17 PM

Remove Difficulty: 5 stars

Transmission: 1 star

Creativity: 2 stars

Overall Severity: 5 stars

 

Sample name: Flash Player
Package name: com.android.locker
MD5: 645a60e6f4393e4b7e2ae16758dd3a11

Behaviors:

  • – Forged into the Flash Player
  • – Ask for device admin for self protection
  • – Forged FBI surveillance message, pop up with an interval of 5s
  • – Ask for $300 via MoneyPak voucher code
Screen Shot 2015-07-07 at 10.36.20 PM Screen Shot 2015-07-07 at 10.38.19 PM Screen Shot 2015-07-07 at 10.41.18 PM

Remove Difficulty: 4 stars

Transmission: 2 stars

Creativity: 3 stars

Overall Severity: 4 stars

Class A ransomware summary:

They are one of the most severe type of malware on Android. Their logic is straightforward: block your phone usage, make sure you cannot recover by your own, then ask you “data or money”.

As Android ransomwares don’t have the privilege of their Windows equivalent, the device admin became a critical path for them to do the damage (wipe data, lock screen with password) and self protection – and some users have no idea what device admin is, what can it do and how to revoke it. Even for experienced Android users, they won’t be able to get into the “settings” app to revoke it if the ransomware pops up an always on top activity by applying the SYSTEM_ALERT_WINDOW permission. (or exploiting the device admin vulnerability http://seclab.safe.baidu.com/2014-10/deviceadminexploit2.html)

Even without device admin, the WRITE_EXTERNAL_STORAGE permission will allow the ransomware to encrypt the files on SD card, including the media files, as “hostage”.

 

Class B Ransomwares:

Sample name: Video Player
Package name: com.adobe.videoprayer
MD5: f836f5c6267f13bf9f6109a6b8d79175

Behaviors:

  • – Forged into a video player
  • – Pops up a fake FBI surveillance message
  • – Set the activity always on top. Cannot dismiss using home/return button.
  • – Take photo at background as “evidence”
  • – Access the browser history
  • – Stealing the contacts, threat the user to send the “evidence of watch child pornography” to the victim’s contacts.
  • – Ask $500 via Paypal prepaid voucher card
  • – Send SMS at background to the victim’s contacts with the download link, to spread virally.

Screen Shot 2015-07-07 at 10.42.11 PM

Screen Shot 2015-07-07 at 10.44.06 PM Screen Shot 2015-07-07 at 10.45.04 PM Screen Shot 2015-07-07 at 10.48.09 PM

Our sandbox has intercept its background behaviors:

Screen Shot 2015-07-07 at 10.49.16 PM

Remove Difficulty: 3 stars

Transmission: 5 stars

Creativity: 4.5 stars

Overall Severity: 5 stars

 

Sample name: APK compiler
Package name: com.qq2395414390
MD5: f836f5c6267f13bf9f6109a6b8d79175

Behaviors:

  • – Forged into a APK enhancement app
  • – Pops up a windows that always on top. Unable to dismiss using home/return button.
  • – Plays very loud sound. Embarrass the victim in public.
  • – Victims are supposed to contact the author and make a payment.
  • – Spread via “QQ Groupchat”(famous PC messenger in China)

Screen Shot 2015-07-07 at 10.50.32 PM

Remove Difficulty: 2 stars

Transmission: 3 stars

Creativity: 3 stars

Overall Severity: 3 stars

 

 

Class B ransomware summary:

The main idea behind Class B ransomware is “social engineering”, rather than technology. They usually use some sneaky ways to make users fear or embarrassed, and pay money.

Most of them will abuse the SYSTEM_ALERT_WINDOW permission, to pop up an always on-top window.

On the other hand, as they don’t have device admin and file encryption, they can be easily killed by a single “adb uninstall” command by an experienced Android user. If their tricks are unveiled.

 

Reference:

[1] http://www.mcafee.com/us/about/news/2015/q2/20150609-01.aspx

[2] https://en.wikipedia.org/wiki/Nagware

Posted by & filed under malware, News.

Security video surveillance

It’s common sense for Android users to check the permission list before installing an app. If the app asks for access to SMS, your contacts list or location, you know it may disclose your privacy. What if a game app only asked for the wifi_status permission? You might install it with ease – and unknowingly have enabled 3rd parties to track your location!

The Android LocationManager was considered to be the only way to acquire the location data, and required a user’s approval on the ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION permissions. However, researchers at the Technical University of Denmark have discovered a covert channel to locate and track a user without permission by using the latent location signal disclosed by wifi scanning.

Android has opened wifi status data to developers. The only permission needed for developers is ACCESS_WIFI_STATE, which is common and considered low risk (vs.  privacy-sensitive ACCESS_COARSE_LOCATION). Information now accessible to an Android developer includes:

  • Scanned SSID list
  • Scanned BSSID list
  • Signal strength for scanned list
  • IP Address for connected AP

 

Note that these metrics are accessible even with system wifi and location disabled!  The code can be found here.

A phone can be easily tracked  with the BSSID and signal strength data.

What is BSSID?

BSSID is short for basic service set identification, which is the “MAC address” of the wireless access point. It is  generated by combining the 24 bit Organization Unique Identifier. In short, BSSID is the unique fingerprint for a wifi access point, unlike the SSID which is human readable and can be duplicated.

If we can acquire a list of nearby BSSIDs, while having the wifi Access Points’ (AP) locations, we could locate the user in a small area – as most of the wifi APs are stable and cannot broadcast further than 100m (research shows only 5% of them are mobile APs such as personal devices). Also, by using the real-time signal strength data, we will be able to estimate the user’s moving track.

Next question: How many BSSIDs have known locations? Many, if not most are available, through a variety of services, through API queries. The website wigle.net claims to have 195,741,189 wifi hotspots’ location data:

Screen Shot 2015-06-02 at 6.13.30 PMScreen Shot 2015-06-02 at 6.11.06 PMScreen Shot 2015-06-02 at 6.12.18 PM

 

Living in the civilized world, could you escape such a web?

In the original paper, “Tracking Human Mobility using WiFi signalsz”, the authors highlight  an example of following a user’s movement,  tracking between home, 2 offices and a market, using the data from only 8 wifi access points:

Screen Shot 2015-06-02 at 6.22.15 PM

 

They also published a PoC app”WiFi Watchdog” on Google Play, I tried it and it was surprisingly accurate even though this app was granted no location permissions!

wifi

 

The same method also applies to iOS, which has greater user location data privacy protection.  Nonetheless, iOS still allows acquiring the current connected wifi BSSID.

ios-permission-prompt

 

A user can deny the location requests on an iOS device at will. However, an app using wifi BSSID can still get a user’s static location without asking.

Our research team is working on coverage of this covert channel privacy violation. Stay tuned for our update!

Reference:

[1] http://arxiv.org/pdf/1505.06311v1.pdf

[2] http://en.wikipedia.org/wiki/Service_set_(802.11_network)#Basic_service_set_identification_.28BSSID.29

Posted by & filed under Announcement, New Feature.

 

 

AppInsider_blog_instruction2

 

What is “APK Insider”?

APK Insider is the first and only real time sandbox analysis in mobile security industry. Instead of simply doing the static analysis, it provides deep dynamic analysis to any apps in the device and discover potential 0-day threats.

 

In what scenario should I use APK Insider?

If you highly suspect if an app will do bad things on your phone – such as send SMS to generate fees, or steal your contacts, you can upload it to APK Insider, and we will run it before you do. Our sandbox will simulate a virtual Android system, and expose potential questionable behaviors upon running the app. Afterwards, a behavior report will be generated, with a conclusion if the app is safe or not.

 

Where is it?

Click the Menu button at the upright corner, you will see the beta version. Try it and let us know what you think so that we can improve!

 

How to use?

Choose the apps you want to check, click “Submit” and “Ok, sure” button to start analyzing.

Since we are doing the real-time analysis on our platform, please allow some time to process.

The apps will be categorized automatically into “Analyzed APKs” and be marked as safe or dangerous.

Simply click the dangerous app or the “Uninstall” button to eliminate potential risks.

 

 

Currently this feature is in its beta test stage and only open to selected customers.

Cannot see it in your app? Don’t worry, the official version is coming soon!

Let us know what you think if you tried it!

Posted by & filed under Announcement, News.

 

Dear Customers,

We are delighted to announce this month’s launch of Trustlook’s new Visual Identity Program, marking the next stage our corporate growth. The Visual Identity program will focus on providing a higher level integration of our vision, product and company culture. It will serve to unify and promote Trustlook’s distinct brand in mobile security industry as well as present an image of trust and reliability to worldwide customers. The new identity includes fresh designs for the company logo, app icon, customer website (my.trustlook.com) and official website(www.trustlook.com). The implementation of these visual identity changes will be phased in during the month of May and will be in full effect by June 1st, 2015.

M4_NewBranding_Launching-01

 

  • Company Logo

 

  1. The new Trustlook logo design is simple, yet bold. It abandons the previously used “shield” figure and uses a modern red color with a refreshing shape to represent the magnitude of Trustlook brand.
  2. The spiral figure mimics the sharp “lightning” shape that represents the app’s ease of use and our quick response to 0 day malware – we are the only mobile security vendor that provides real-time malware detection.
  3. The spiral figure also mimics the image of DNA. It brings a fresh and unique feeling, which represents Trustlook as new blood in the mobile security industry.
  4. The new spiral logo also relates to the trilateral effort required to meet the three qualifications of trust: ability, integrity and benevolence, as well as the 360-degree approach we embrace as a company.
  5. ** The interim app icon is used temporarily and will be replaced by the new icon after we release our latest version.

 

 

  • App Icon

 

  1. Consistent with Trustlook’s brand image, the new app icon design is based on the new company logo, placed properly to visually balance composition and size. It is vivid and easily recognized in Google Play store as well as on mobile device screens.
  2. The outer circle of the icon, evocative of a scanning process gauge, highlights our app’s main feature – Scanning Malware for Detection on your devices.
  3. The color blue expresses a feeling of trust, reliability, safety, stabilization, and peace. The icon is also a symbol of these promises and just one of many exciting new developments to come.

 

Screen Shot 2015-05-04 at 3.33.10 PM

 

Screen Shot 2015-05-04 at 3.33.56 PM

 

 

  • Customer Website & Official Website

Based on the new company logo, we have redesigned the firms websites, www.trustlook.com and my.trustlook.com,  Customers seeking Trustlook Antivirus & Mobile Security for their security needs, and business partners who want to find out more about our organization will continue to find our technology platform, news and blogs. The same value and messages we share as a new innovative company are now  presented in crisp, clear and elegant format.  Listening carefully to your input has help us make my.trustlook.com, a more organized and informative interface, helping customers better and more easily manage their mobile devices online.

 

home_trustlook-website_0316

 

 

This new VI program marks a new era in Trustlook’s evolution. It provides us the opportunity to remind our users, partners and investors of the value and impact of our mission;  to become “your mobile security guardian for a Zero Day World”. We believe the new brand design will improve our unique identity around the world.

Let us know what you think!

 

Best regards,

Trustlook Team

 

 

Posted by & filed under News, potentially unwanted app.

Background_Privacy

Author: Tianfang Guo, Jinjian Zhai

According to our recent scan of the Google Play Store, a list of more than 400 apps have been detected as containing potentially risky behaviors that compromise a user’s privacy. The Trustlook Mobile Security & Antivirus security database includes this latest list for your protection. The detailed analysis can be found in a separate blog to be released. The full list of apps can be found here.

What will happen if I install one of these apps?

All these apps contain risky behavior:sending sensitive information, including phone numbers, contacts, SMS, photo gallery and geolocation, without the user’s specific knowledge. Once the apps’ vendors have collected this data, it could be used for adware network identification or sold to other firms.[1]

Are they malware?

Not exactly, as most of them are not built for malicious purposes, per se. Yet they do use Google Play’s policy corner case (GP developer policy). Furthermore, some of the apps have a user base of more than 10M, which creates a privacy risk greater than most viruses.

What can you do to protect your phone?

When you open one of the apps in the list, you should be aware that some of your personal information can be collected. Try to find an alternative app or do not open them unless it’s absolute necessary.

How does Trustlook discover them?

Trustlook built a cloud-based crawler system which efficiently mines data and collects APKs from various app markets in multiple countries. Once collected, apps are analyzed by behavioral analysis engine to expose the questionable behavior.

Unlike most Antivirus software, Trustlook does not only simply analyze the apps statically, but runs them in a native environment to best monitor dynamic behavior A detailed analysis is generated with highlighted behavior and potential use case security risks.

In this sample, the contact list is captured by the app, and sent to a remote server:

Screen Shot 2015-04-22 at 5.20.59 PM

What’s more, Trustlook’s analytics platform has implemented a cutting edge “taint analysis”, which captures all sensitive data flow in the memory, and detect the risky behaviors as soon as the sensitive data appears in the outbound traffic. Such techniques can detect any new malware and 0-day attacks ASAP, protecting Trustlooks users privacy in a timely manner.

The next risky apps report will be released soon, so stay tuned!

Reference
[1] https://www.fireeye.com/blog/threat-research/2014/03/a-little-bird-told-me-personal-information-sharing-in-angry-birds-and-its-ad-libraries.html

Posted by & filed under AVTest, News.

Achieving 99.9% Malware Detection Rate, Zero False Alerts and Usability & Protection Score of 6.0/6.0 in March 2015 Benchmark Testing

Print

 

Trustlook earned a top score in AV-TEST benchmark testing in March 2015 with its popular Android security application Trustlook Antivirus & Mobile Security (http://bit.ly/1xeqTz2). After analyzing a comprehensive set of 3077 malicious apps and 2784 legitimate apps and software, Trustlook joined the winners circle again with a 99.9% detection rate, zero false alerts and full marks of 6.0/6.0 in all categories.

 

AV-Test benchmark testing continues to demonstrate a need for mobile security on smartphones, evaluating products for protection, performance and usability. Trustlook Antivirus & Mobile Security demonstrated the strength of its malware detection engine with full scores in all categories, without impacting the performance of the mobile device or its battery.

 

“Accurate, real time malware detection is key to protecting every mobile device user,” commented Allan Zhang, Trustlook CEO. “We make every effort to discover potential risks in phones as well as improve the user’s experience. Thanks to our automated malware analysis platform, Trustlook quickly delivers more accurate and comprehensive app analysis reports.”

 

Trustlook provides a quick security response to data breaches and malware exploits through comprehensive behavioral analysis, closing the vulnerability gap between the time of malware detection and when a device is compromised.Recently, Trustlook recognized the “Fake Amazon Giftcard” malware in 2 minutes, while 81% of antivirus programs missed it even after 24 hours.

 

 

About AV-TEST

AV-TEST GmbH is an independent supplier of services in the fields of IT Security and Antivirus Research, focusing on the detection and analysis of the latest malicious software and its use in comprehensive comparative testing of security products. please visit http://www.av-test.org/