Posted by & filed under News, potentially unwanted app.


“Only when the tide goes out do you discover who’s been swimming naked”. – Warren Buffett


We recently found that “Automatic Virus Scanner” (package name ggg.tools.anti01), an antivirus app with 100k-500k downloads on Google Play, is actually a “placebo”: it provides no protection whatsoever.

The app is built on the Unity framework, with plenty of animations and sounds. Take a look:


Using it for the first time? You will be alarmed to find so many “red viruses” on your phone.


After you tap the “clean” button, it starts “bombing” the viruses. If you scan again, it shows a clean result.

Looks real, huh? Let’s find out what is actually going on.


The “scan” logic (written in C# on the Unity framework) reads several values from a local XML file: the “last scanned date” (the “y”, “m” and “d” values) and a flag for “whether the user has scanned before” (the “f” value). If the user has never scanned before, or the last scan was more than 3 days ago, it plays the “red virus” animation and displays “virus detected”. Otherwise it displays “no virus”.


This local XML file is the only basis for deciding whether to show a positive result. It stores the point in time at which the app “should” next detect a virus, and the “f” value records whether the user has clicked “clean virus” before. Delete the file and the app detects viruses every time.
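To make the point concrete, here is a reconstruction in Python of the verdict logic described above. This is an added example, not the app’s own C# code: the element names y, m, d and f and the 3-day threshold come from the analysis above; the file layout (a <config> root with those four children) and reading the threshold as “more than 3 days” are assumptions.

```python
"""Reconstruction of the "Automatic Virus Scanner" placebo verdict.

Added example, not the app's own C# code. The element names y, m, d, f and
the 3-day threshold come from the analysis; the <config> layout and the
"more than 3 days" reading of the threshold are assumptions.
"""
from datetime import date
import xml.etree.ElementTree as ET

THRESHOLD_DAYS = 3


def load_config(xml_text):
    """Parse the app's local XML. Returns (last_scan_date, scanned_before),
    or None when the file is missing or unreadable."""
    if xml_text is None:
        return None
    try:
        root = ET.fromstring(xml_text)
        last = date(int(root.findtext("y")), int(root.findtext("m")),
                    int(root.findtext("d")))
        scanned_before = (root.findtext("f") or "0").strip() == "1"
        return last, scanned_before
    except (ET.ParseError, TypeError, ValueError):
        return None


def placebo_verdict(xml_text, today):
    """What the app displays. The only inputs are the config file and the
    clock; no installed package or APK file ever enters the decision."""
    cfg = load_config(xml_text)
    if cfg is None:                      # deleted file: "always detects virus"
        return "virus detected"
    last_scan, scanned_before = cfg
    if not scanned_before or (today - last_scan).days > THRESHOLD_DAYS:
        return "virus detected"
    return "no virus"


def after_clean(today):
    """The config the app writes back after the user taps "clean"."""
    return "<config><y>%d</y><m>%d</m><d>%d</d><f>1</f></config>" % (
        today.year, today.month, today.day)


def replay(days):
    """Simulate a user who cleans on day 0 and rescans every day after:
    four clean verdicts, then "virus detected" again from day 4 on."""
    day0 = date(2015, 3, 16)
    cfg = after_clean(day0)
    return [placebo_verdict(cfg, date.fromordinal(day0.toordinal() + n))
            for n in range(days)]
```

The only inputs to placebo_verdict() are the config text and the date. That is the whole test for a placebo scanner: if the verdict can be computed without the PackageManager or a single APK read, there is no scan.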

Our dynamic analysis sandbox also shows that only statistics and ad URLs are contacted while the app runs; no backend is found. Nor does it access any local APK during the “scan”.

Statistics and ad servers are contacted, but no backend is found. The app writes a config file, but reads no local APK file. How could it “scan”? A genuine scanner has to at least enumerate the installed packages or read their APK files; an app that does neither has nothing to scan. This app delivers only a “sense of security”, not real protection.

Posted by & filed under malware, zero-day.


Authors: Tianfang Guo, Jinjian Zhai

“Fake Amazon Giftcard” is a piece of malware that has broken out in the last 48 hours. It is technically simple, but it has infected 4,000 devices and generated over 200,000 spam SMS messages worldwide in less than 24 hours (source: http://goo.gl/cFs2BG).

Let’s see what it can do:

    • The app presents itself as a “survey for gift card” app to lure users into installing it.
    • Once installed, it reads the contact list and sends a spam SMS containing a download link to every one of the victim’s contacts, so it spreads like a worm:

 

Hey [contact name], I am sending you $200 Amazon Gift Card You can Claim it here : https://bit.ly/getAmazonReward

    • The app’s interface is a series of surveys in a web view, which collect a great deal of the user’s private information, especially from users eager for the gift card. The app also bundles an advertising SDK to generate extra profit.

Trustlook intercepted a sample from our user base yesterday, March 3rd, and our dynamic analysis sandbox produced a detailed report within 2 minutes:


According to VirusTotal, at the time of interception only 2 of 57 antivirus engines identified it. After 24 hours, 46 of 57 engines were still blind to this simple malware, and none of them warned users about the malicious link used to download it.


Another example of the advantage behavioral analysis has in the modern mobile era.

Posted by & filed under malware.

Authors: Jinjian Zhai, Tianfang Guo

Spyware targeting Android phones has been a steadily growing malware category since early 2014. For example, a sample of the Android.Spy malware family (MD5: 14d9f1a92dd984d6040cc41ed06e273e) was first reported on 01/26/2014, with only 1 of 48 AV vendors detecting it as malware at the time [1].

 

Initial scanning result.

 

The malware disguises itself as a kind of Google service, monitors the phone and intercepts incoming calls in order to record the audio.

 

The malware disguised itself as a Google package.

 

It can even suppress the ringer and vibration so that the call can be recorded to a file on the phone unnoticed.

 


 

The recorded audio can then be uploaded together with other files as soon as the malware client receives the “FIL” command from its command and control (CNC) server.
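The behaviours in this post (silence the ringer, record the call, upload the file on a CNC command) and in the Fake Amazon Giftcard post above (read the contacts, then mass-SMS a link) are exactly what a behavioral sandbox is positioned to catch. The Python below is an added example of such rules, not Trustlook’s sandbox or its rule set: the API-call log format, the sample lines, and the host and path names in them are constructed for illustration.

```python
"""Behavioral rules over a mobile-sandbox API-call log.

Added example, not Trustlook's sandbox or rules. The log format (one hooked
API call per line as key=value fields, quoted where needed), the sample
lines and the host/path names are constructed for illustration.
"""
import re
import shlex

URL_RE = re.compile(r"https?://\S+")


def parse_log(text):
    """Turn 'ts=1.0 api=Name k=v k2="v v"' lines into dicts, in time order."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
        fields["ts"] = float(fields["ts"])
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def detect_sms_worm(events, min_recipients=5, window_s=60.0):
    """Contacts read, then the same URL-bearing SMS body to many distinct
    recipients within window_s seconds: the gift-card worm's propagation."""
    reads = [e["ts"] for e in events if e["api"] == "ContentResolver.query"
             and e.get("uri", "").startswith("content://com.android.contacts")]
    if not reads:
        return None
    recipients_by_url = {}
    for e in events:
        if e["api"] != "SmsManager.sendTextMessage":
            continue
        if not reads[0] <= e["ts"] <= reads[0] + window_s:
            continue
        m = URL_RE.search(e.get("body", ""))
        if m:
            recipients_by_url.setdefault(m.group(0), set()).add(e.get("to"))
    for url, recipients in recipients_by_url.items():
        if len(recipients) >= min_recipients:
            return {"rule": "sms_worm", "url": url, "recipients": len(recipients)}
    return None


def detect_call_spy(events):
    """Voice-call recording plus an upload of that recording after a C&C
    command; a silenced ringer is reported as an aggravating sign."""
    if not any(e["api"] == "MediaRecorder.setAudioSource"
               and e.get("source") == "VOICE_CALL" for e in events):
        return None
    recordings = {e.get("path") for e in events
                  if e["api"] == "MediaRecorder.setOutputFile"}
    cnc_ts = [e["ts"] for e in events
              if e["api"] == "Socket.read" and "FIL" in e.get("data", "")]
    uploads = [e for e in events if e["api"] == "HttpURLConnection.connect"
               and e.get("method") == "POST" and e.get("file") in recordings
               and any(e["ts"] > t for t in cnc_ts)]
    if not uploads:
        return None
    silenced = any(e["api"] == "AudioManager.setRingerMode"
                   and e.get("mode") == "RINGER_MODE_SILENT" for e in events)
    return {"rule": "call_spy", "host": uploads[0].get("host"),
            "ringer_silenced": silenced}


# Constructed sample logs (not real sandbox output).
GIFTCARD_BODY = ("Hey %s, I am sending you $200 Amazon Gift Card "
                 "You can Claim it here : https://bit.ly/getAmazonReward")
WORM_LOG = ("ts=0.10 api=ContentResolver.query uri=content://com.android.contacts/data\n"
            + "\n".join('ts=%.2f api=SmsManager.sendTextMessage to=+1555000000%d body="%s"'
                        % (0.5 + 0.3 * i, i, GIFTCARD_BODY % name)
                        for i, name in enumerate(["Alice", "Bob", "Carol", "Dave", "Eve"])))

SPY_LOG = """
ts=1.0 api=TelephonyManager.listen state=CALL_STATE_RINGING
ts=1.1 api=AudioManager.setRingerMode mode=RINGER_MODE_SILENT
ts=1.2 api=MediaRecorder.setAudioSource source=VOICE_CALL
ts=1.3 api=MediaRecorder.setOutputFile path=/sdcard/.gs/20140126_01.3gp
ts=1.4 api=MediaRecorder.start
ts=40.0 api=Socket.read host=c2.invalid data="FIL"
ts=40.5 api=HttpURLConnection.connect method=POST host=c2.invalid file=/sdcard/.gs/20140126_01.3gp
"""
```

detect_sms_worm() keys on the sequence (contacts read, then many distinct recipients for one URL within a short window) rather than on any string in the sample, so it survives the malware changing its link or message text; detect_call_spy() likewise ties the recorded file to the later upload instead of matching the word “FIL”, which a variant would rename first.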

 


 

The spyware family never stops evolving. AVG Virus Labs recently reported new malware that can spy on users even after the phone has been “turned off” [2].

The story starts when you press the power button. The sequence of Android events triggered by a power-button press has been described in an earlier blog [3] as well as in the AVG post [2].

First, the PhoneWindowManager.interceptKeyBeforeQueueing() method is called:

 


 

Second, execution reaches the KeyEvent.KEYCODE_POWER case:

 


 

Then the interceptPowerKeyDown() method is called:

 


 

Finally, the phone is shut down when the mPowerLongPress Runnable runs:

 


 

Following this sequence, Tencent Labs published an open-source proof-of-concept (PoC) tool, “hijackAndroidPowerOff” [4], which demonstrates how the TelephonyManager class is duped into keeping the victim’s phone accessible [5] after it has been “turned off”. No scan result for the provided sample [4] has been published since its release, and because the platform the tool is built on is considered benign by many scanners, it is doubtful the tool would be detected as malware.

The tool [4] is a module for the Xposed framework [6], a dynamic hooking framework for Android [7] (it requires a rooted device with the Xposed framework installed). Because Xposed can hook most of the Android framework at runtime, hijackAndroidPowerOff uses it to hook the shutdown() method of the PhoneWindowManager class. Using the de.robv.android.xposed.XC_MethodHook abstract class that the Xposed package provides, the author overrides afterHookedMethod() of XC_MethodHook:


 

In the overriding method, the hooked shutdown() call is steered to a fake “Shut Down” dialog, which starts the myCancelShutdownDialog Runnable, whose name suggests it is a counterfeit of the authentic myShutdownDialog Runnable:

 


 

In the strangely named myCancelShutdownDialog Runnable, run() is overridden to perform every step that normally precedes shutting down the phone, except that the actual shutdown call is replaced by goToSleep(). The author then adds an extra call-monitoring method, listenCall():

 


 

listenCall() registers a BroadcastReceiver that is nothing more than an ordinary call monitor. Note that throughout, the phone is actually asleep rather than shut down, although both states present a black screen:

 


 

As stated at the beginning of this post, the call-monitoring code could easily be swapped for any number of malicious payloads, such as audio recording or a CNC client, running while the phone is asleep rather than powered off.

Furthermore, such code is built on popular tools like Xposed and hides behind com.google or obfuscated package names. Signature-based AV vendors are unable to pick out the actual malicious snippet; in this case only behavior-based antivirus tools can find the needle in the haystack.
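One way to pick such a module out of the haystack without a signature for its payload is to look for what every Xposed module has to carry. The Python below is an added example, not Trustlook’s scanner: it relies on the facts that an Xposed module ships an assets/xposed_init file listing its entry classes and that the class and method names it passes to findAndHookMethod sit as plain strings in classes.dex. The APK is built in memory for the demo; its package and class names are invented placeholders and its “dex” is a byte blob holding only strings.

```python
"""Static triage of an APK for Xposed-module markers.

Added example, not Trustlook's scanner. Facts relied on: an Xposed module
ships assets/xposed_init listing its entry classes, and the class/method
names it hooks are plain strings in classes.dex. The sample APK below is
constructed in memory; its class names are placeholders, not from any
real sample, and its "dex" is just a blob of strings.
"""
import io
import zipfile

XPOSED_API = b"de.robv.android.xposed"
# Strings that only a power/shutdown hook needs; the post names
# PhoneWindowManager, its shutdown path and goToSleep().
POWER_HOOK_STRINGS = [
    b"com.android.internal.policy.impl.PhoneWindowManager",
    b"com.android.server.power.ShutdownThread",
    b"shutdown",
    b"goToSleep",
]


def triage_apk(apk_bytes):
    """Report whether the APK is an Xposed module, its entry classes, which
    power-hook strings its dex contains, and a verdict."""
    report = {"xposed_module": False, "entry_classes": [], "hits": [],
              "google_lookalike": False, "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        if "assets/xposed_init" in names:
            report["xposed_module"] = True
            report["entry_classes"] = [
                c.strip() for c in z.read("assets/xposed_init").decode().splitlines()
                if c.strip()]
        dex = z.read("classes.dex") if "classes.dex" in names else b""
    if XPOSED_API in dex:
        report["xposed_module"] = True
    # Substring match only; a production rule would confirm the string is an
    # argument to findAndHookMethod, since "shutdown" is a common method name.
    report["hits"] = [s.decode() for s in POWER_HOOK_STRINGS if s in dex]
    # Google does not ship Xposed modules, so a module whose entry class lives
    # under com.google.* is borrowing the name (the com.google disguise above).
    report["google_lookalike"] = any(c.startswith("com.google.")
                                     for c in report["entry_classes"])
    if report["xposed_module"] and report["hits"]:
        report["verdict"] = "suspicious: Xposed module with power/shutdown hook strings"
    elif report["xposed_module"]:
        report["verdict"] = "review: Xposed module"
    return report


def build_sample_apk(entry_class, dex_strings, xposed_module=True):
    """Constructed APK-shaped zip for the demo (not a real, installable APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"")       # binary AXML in a real APK
        if xposed_module:
            z.writestr("assets/xposed_init", entry_class + "\n")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(dex_strings))
    return buf.getvalue()


# Placeholder class names; not taken from any real sample.
POWER_OFF_MODULE = build_sample_apk(
    "com.google.service.Callbacks",
    [XPOSED_API + b".XC_MethodHook",
     b"com.android.internal.policy.impl.PhoneWindowManager",
     b"shutdown", b"goToSleep", b"android.telephony.PhoneStateListener"])
HARMLESS_MODULE = build_sample_apk(
    "org.example.tweaks.Main",
    [XPOSED_API + b".XposedBridge", b"android.app.Activity"])
PLAIN_APP = build_sample_apk(
    "", [b"android.app.Activity", b"java.util.concurrent.ExecutorService", b"shutdown"],
    xposed_module=False)
```

The PLAIN_APP case shows why the string hits alone are not a verdict: any app that shuts down an ExecutorService carries the string “shutdown”. The combination (Xposed entry point, power-path hook targets and a com.google.* disguise) is what separates the power-off hijack pattern from a legitimate tweak module.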

 

REFERENCE:

 

[1] https://www.virustotal.com/en/file/be0df39d6e334908c685e4c77b89efc49cc9bddc528a7c2434576b5a8b740f88/analysis/

[2] http://now.avg.com/malware-is-still-spying-on-you-after-your-mobile-is-off/

[3] http://www.jiandande.com/html/bianchengjiqiao/androidkaifa/2014/1128/5189.html

[4] http://security.tencent.com/index.php/opensource/detail/14

[5] https://github.com/monstersb/hijackAndroidPowerOff/blob/master/src/com/example/hijackpoweroff/Callbacks.java

[6] http://repo.xposed.info

[7] http://m.blog.csdn.net/blog/wxyyxc1992/17320911

 

 

 

Posted by & filed under Announcement.

Trustlook Antivirus & Mobile Security Reaches 3 Million Mobile Users


Trustlook Inc., an innovator in next-generation mobile security solutions, today announced that as of Dec 24th, 2014, it has protected 3 million mobile devices across 226 countries with its most popular Android security application, Trustlook Antivirus & Mobile Security.

As more security breaches occurred in 2014, many users began installing mobile security applications to protect their devices and private data. Trustlook’s Antivirus & Mobile Security app provides a much quicker security response and more accurate analysis of security breaches and malware. It also offers comprehensive protection services such as anti-theft, data backup/restore and a memory boost.

“Three million users’ trust could not be a better Christmas gift,” said Allan Zhang, CEO of Trustlook. “The Trustlook team will continue focusing on designing and developing the best mobile security application. As for application licensing, we have no plan to charge users a $20-$30 annual fee; at Trustlook we always believe that the best things should be FREE.”

In its latest major release, Trustlook shipped two major features: 1) web security, which filters out inappropriate web content to protect families and schools; 2) pirated-application detection, which identifies fake applications installed on users’ phones to steal private information.

Posted by & filed under Announcement.

Dear customer,

In the past 48 hours, we have experienced very heavy traffic, more than double what our servers can handle. This caused processing delays on our servers, and many users experienced unsuccessful sign-ins/sign-ups and related problems. We are sorry for the inconvenience and have worked on the problem over the past two days. All problems are now solved, and we apologize again for this incident. Please feel free to contact us at support@trustlook.com if you have any questions in the future. We hope you enjoy using our app and would like to hear from you. Thanks for your support!

 

Sincerely,

Trustlook Team

 

 

Posted by & filed under News.

Our new widget gives users a quick way to boost device speed, turn on the flashlight, scan for viruses and check the weather.

Trustlook’s latest version is ready to download now! Version 2.4.3 includes the following updates:

  1. Widget & Floating Point
  2. New SD card scan animation
  3. A dialog to review the result after a problem is resolved
  4. Several bug fixes

Widgets make your phone experience easier, faster and more convenient. You can now add one regular widget and one floating widget. Excited about the new feature and can’t wait to try it? Here is how.


 

How to add the regular widget to home screen?

  1. Make sure you have enough home-screen space for the Trustlook widget; it only takes a 4×1 space (one row).
  2. Long-press the home screen until you can choose “Widgets”, find Trustlook Security on the widget pages, and drag it to the home screen.

 


 


 

How to add the floating widget?

  1. Open Trustlook Antivirus & Mobile Security.
  2. Open the side menu at the top right corner and select About.
  3. On the About page, select Settings, then turn on the Floating Widget.

 

4. Once the Floating Widget is turned on, a blue circle with a white center appears; touch the circle to show or hide the Floating Widget.


 

5. Press and hold the circle for 2 seconds to turn off the Floating Widget.


 

We hope you all enjoy the new widgets! Try them out and tell us what you think at support@trustlook.com so that we can keep improving. We’d love to hear from you!


 

Posted by & filed under News, Uncategorized.


 

Trustlook Inc., an innovator in next-generation mobile security solutions, today announced that as of Dec 4th, 2014, it has over one million registered users on the Google Play Store for its most popular Android application, Trustlook Antivirus & Mobile Security, demonstrating the lead its unique technology and comprehensive mobile security services give it. In under a year, Trustlook has become the fastest-growing mobile security company, bringing in-depth malware detection to smart-device users.

Trustlook is dedicated to protecting smart devices against malware, viruses, spyware and Trojans, and to providing comprehensive services for smart-device users such as anti-theft, data backup/restore, speed boost, web security and privacy protection. It ranked No. 1 Security Solution in AV-TEST benchmark testing and has users in 226 countries around the world, ranging from technical people and business people protecting their company’s privacy to parents protecting their children’s online safety.

“Over the past several months, Trustlook has analyzed 1,458,759 applications. Reaching one million registered users is just the beginning,” said Allan Zhang, CEO of Trustlook. “We are proud that we can provide unrivaled real-time detection for smart devices all over the world, compared with traditional mobile security solution providers. It is crucial to raise awareness of mobile security, and we hope more people will protect their mobile privacy in the right way.”

 

We are young but strong, and we cannot make it without you! Like us on Facebook to win a Moto 360 Watch and join us to celebrate!

Posted by & filed under Customer Support.


Based on your valuable feedback, we have collected several frequently asked questions, with answers, to help you better secure your mobile devices.

Some apps are Google Play Store downloads or came with the phone, so they should be safe. Why does Trustlook Antivirus & Security identify them as high-risk apps?

High-risk applications are not necessarily infected with a virus or malware. Usually they are applications or files that request many permissions in order to access users’ private data without notifying them, or that leave your device vulnerable to attack. We therefore recommend removing high-risk apps to better protect your personal data and privacy.

 

Why does the installation screen display with mixed language?

Currently, Trustlook Antivirus & Mobile Security supports 11 languages:

English, Arabic, German, Spanish, French, Indonesian, Japanese, Korean, Portuguese, Russian, and Chinese (Simplified & Traditional).

On the installation/open screen, the content is shown in the language you chose for your device, while the “Decline” and “Accept” buttons are always in English. This is because our application can only change the content language; the button language is controlled by the Google Play Store.

 

Why does the scan sometimes take a long time, and sometimes finish quickly?

The scan time varies with the number of apps installed on your device. The first scan is usually slow because Trustlook Antivirus & Mobile Security needs to go through every app and file on your phone and update its database. If you scan your device regularly, subsequent scans take less time.

 

Why does Trustlook find risky apps but I cannot uninstall the app or delete the virus?

Sometimes the risky apps or files are system apps or files, which cannot be uninstalled or deleted. When you tap “Remove now” or “Uninstall”, you will therefore see “Uninstall Unsuccessful”, or the item will reappear when you go back. We recommend going to the device settings and disabling certain permissions of these system applications to avoid possible privacy leakage.

 

Why does Trustlook need so many permissions, such as camera, audio/video or location tracking?

All permissions are required to run the security features and to monitor real-time activity so that we can raise alerts and offer solutions. Certain permissions also support value-added features. For example, camera and audio access are needed to take a picture of someone who enters your password wrongly more than 3 times and to send you the alert email. You can sound an alarm to find your phone, and Trustlook Antivirus & Mobile Security needs your location to tell you where the device is. Every permission serves a protection feature, and your data is more secure with Trustlook Antivirus & Security.

 

Why does Trustlook tell me I have duplicate apps when I cannot see them in the app list?

Some applications are split into two parts, an application and a system file, which share the same icon. If they are detected as duplicates but do not appear in the list, we recommend ignoring them.

 

Why can’t I find the app that was identified as a virus?

Trustlook Antivirus & Mobile Security scans not only the applications you download from the Google Play Store but also system applications and files, for a deeper inspection of your device. Sometimes system applications and files are hidden by the default device settings. You can go to the device settings and disable certain permissions of these system applications to avoid possible privacy leakage.

 

Does Trustlook still run after I quit the app?

Yes. Trustlook Antivirus & Mobile Security keeps running after you quit the application. It works in the background with real-time detection and alerts you when new risks are found. You can also bring it back from the notification bar.

 

I installed Trustlook Antivirus & Security several months ago and have used it regularly to protect my phone, and it said my phone was fine. Now it suddenly says some apps are high-risk and need to be removed. Why didn’t it tell me when I scanned before?

Trustlook Antivirus & Mobile Security provides real-time virus/malware detection by updating its database frequently. Newly flagged apps appear because they added risky features in their latest version; we detected them and reported them to you immediately.

 

Why do some tasks still exist after I kill them?

Usually they are system tasks or files, which cannot be killed while the device is on. If they are downloaded applications, you need to disable their “Run in background” setting in order to terminate them.

 

Did not find the answer you want? Feel free to contact us at support@trustlook.com.

We are happy to answer any questions!

 

 

Posted by & filed under Announcement.

Good News!

Thanks to our unremitting efforts, the “Trustlook Antivirus & Security” app is now back on the Google Play Store. We are very glad we could resolve this problem within 24 hours and continue offering premium protection for your mobile devices.

Thanks for your support, and we appreciate your patience over the past day! Please feel free to download or update our app from the Google Play Store or our official website.
