Posted by & filed under malware, News.


It’s common sense for Android users to check the permission list before installing an app. If the app asks for access to SMS, your contacts or your location, you know it may expose private data. What if a game asked only for the ACCESS_WIFI_STATE permission? You might install it without a second thought, and unknowingly enable third parties to track your location.

Android’s LocationManager was assumed to be the only way to obtain location data, and it requires the user to grant ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION. However, researchers at the Technical University of Denmark have shown a covert channel that locates and tracks a user without either permission, using the location signal latent in Wi-Fi scan results.

Android exposes Wi-Fi status data to developers. The only permission needed is ACCESS_WIFI_STATE, which is common and considered low risk (versus the privacy-sensitive ACCESS_COARSE_LOCATION). (Note that from Android 6.0 onwards scan results are additionally gated behind a location permission; the behaviour described here is that of the Android versions current when this was written.) Information accessible to an Android developer includes:

  • Scanned SSID list
  • Scanned BSSID list
  • Signal strength for scanned list
  • IP Address for connected AP

 

Note that these values remain accessible even when the system Wi-Fi and location settings are turned off! The code can be found here.

A phone can be tracked easily with the BSSID and signal strength data.

What is BSSID?

BSSID is short for basic service set identifier: the MAC address of the wireless access point. Like any MAC address, it consists of a 24-bit Organizationally Unique Identifier (OUI) assigned to the manufacturer, followed by 24 bits assigned by that manufacturer. In short, a BSSID is a unique fingerprint for a Wi-Fi access point, unlike the SSID, which is human-readable and can be duplicated.

If we can acquire a list of nearby BSSIDs and know the access points’ (APs’) locations, we can place the user in a small area, since most Wi-Fi APs are stationary and their range rarely exceeds 100 m (the research shows only about 5% are mobile APs such as personal hotspots). Using the real-time signal strength as well, we can estimate the user’s path.

Next question: how many BSSIDs have known locations? Many, if not most, are available through API queries to a variety of services. The website wigle.net claims to hold location data for 195,741,189 Wi-Fi hotspots:

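To make the localization step concrete, here is an added example (not code from the paper, the PoC app or Trustlook) that takes a scan result of the kind an app holding only ACCESS_WIFI_STATE can read, looks each BSSID up in a BSSID-to-coordinates table, converts RSSI to a rough distance with the log-distance path-loss model, and computes a weighted centroid. The AP table, the scan, the reference RSSI at 1 m and the path-loss exponent are all assumptions; a real deployment would query a service such as wigle.net instead of the inline dictionary.

```python
"""Estimate a device's position from a Wi-Fi scan (BSSID + RSSI) and a
BSSID-to-location table. Added example for this post, not code from the paper
or from Trustlook. The AP coordinates and scan results below are constructed."""
import math

# Constructed lookup table standing in for a geolocation service such as
# wigle.net: BSSID -> (latitude, longitude). Values are invented.
AP_DATABASE = {
    "00:11:22:aa:bb:01": (37.38600, -122.08400),
    "00:11:22:aa:bb:02": (37.38620, -122.08300),
    "00:11:22:aa:bb:03": (37.38540, -122.08350),
    "00:11:22:aa:bb:04": (37.38580, -122.08250),
}

# A scan result as returned to an app holding only ACCESS_WIFI_STATE:
# (BSSID, RSSI in dBm). Constructed; the last BSSID is not in the table.
SCAN = [
    ("00:11:22:aa:bb:01", -48),
    ("00:11:22:aa:bb:02", -61),
    ("00:11:22:aa:bb:03", -70),
    ("de:ad:be:ef:00:01", -55),
]


def oui(bssid):
    """First 24 bits of the BSSID: the vendor's Organizationally Unique Identifier."""
    parts = bssid.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError("not a MAC address: %r" % bssid)
    return ":".join(parts[:3])


def rssi_to_distance(rssi, rssi_at_1m=-40.0, path_loss_exponent=3.0):
    """Log-distance path-loss model: d = 10 ** ((P0 - RSSI) / (10 * n)).
    P0 (signal at 1 m) and n are assumed constants; indoors n is typically 2.7-4,
    so the result is an order-of-magnitude estimate, not a measurement."""
    return 10 ** ((rssi_at_1m - rssi) / (10 * path_loss_exponent))


def locate(scan, database):
    """Weighted centroid: each AP with a known location pulls the estimate with
    weight 1/d^2, so the strongest (closest) AP dominates.
    Returns (lat, lon, number_of_aps_used), or None when no AP is known."""
    lat_sum = lon_sum = weight_sum = 0.0
    used = 0
    for bssid, rssi in scan:
        loc = database.get(bssid.lower())
        if loc is None:
            continue  # unknown AP: nothing to anchor the estimate to
        w = 1.0 / rssi_to_distance(rssi) ** 2
        lat_sum += w * loc[0]
        lon_sum += w * loc[1]
        weight_sum += w
        used += 1
    if used == 0:
        return None
    return (lat_sum / weight_sum, lon_sum / weight_sum, used)


if __name__ == "__main__":
    print({b: oui(b) for b, _ in SCAN})
    print(locate(SCAN, AP_DATABASE))
```

Feeding successive scans through `locate` gives the "moving track" the post mentions; the unknown BSSID is simply skipped, which is why coverage of the lookup database, not the phone's permissions, is the limiting factor.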

 

Living in the civilized world, could you escape such a web?

In the original paper, “Tracking Human Mobility using WiFi signals”, the authors highlight an example of following a user’s movements between home, two offices and a market using data from only 8 Wi-Fi access points:


 

They also published a PoC app, “WiFi Watchdog”, on Google Play. I tried it and it was surprisingly accurate, even though the app was granted no location permission!


 

The same method also applies to iOS, even though it has stronger protection of user location data: iOS still allows an app to read the BSSID of the currently connected Wi-Fi network.


 

A user can deny location requests on an iOS device at will. However, an app that uses the Wi-Fi BSSID can still obtain the user’s approximate location without asking.

Our research team is working on coverage of this covert channel privacy violation. Stay tuned for our update!

Reference:

[1] http://arxiv.org/pdf/1505.06311v1.pdf

[2] http://en.wikipedia.org/wiki/Service_set_(802.11_network)#Basic_service_set_identification_.28BSSID.29

Posted by & filed under Announcement, New Feature.

 

 


 

What is “APK Insider”?

APK Insider is the first and only real-time sandbox analysis service in the mobile security industry. Instead of static analysis alone, it performs deep dynamic analysis of any app on the device to discover potential 0-day threats.

 

In what scenario should I use APK Insider?

If you suspect that an app will do something harmful on your phone, such as sending premium-rate SMS or stealing your contacts, you can upload it to APK Insider and we will run it before you do. Our sandbox simulates a virtual Android system and exposes questionable behaviour when the app runs. Afterwards a behaviour report is generated, with a conclusion on whether the app is safe.

 

Where is it?

Tap the Menu button in the upper-right corner and you will see the beta version. Try it and let us know what you think so that we can improve!

 

How to use?

Choose the apps you want to check, then tap “Submit” and “Ok, sure” to start the analysis.

Since the analysis runs in real time on our platform, please allow some time for processing.

The apps will be sorted automatically into “Analyzed APKs” and marked as safe or dangerous.

Simply tap a dangerous app or the “Uninstall” button to eliminate the risk.

 

 

Currently this feature is in its beta test stage and only open to selected customers.

Cannot see it in your app? Don’t worry, the official version is coming soon!

Let us know what you think if you tried it!

Posted by & filed under Announcement, News.

 

Dear Customers,

We are delighted to announce this month’s launch of Trustlook’s new Visual Identity Program, marking the next stage of our corporate growth. The Visual Identity program focuses on a tighter integration of our vision, product and company culture. It will unify and promote Trustlook’s distinct brand in the mobile security industry and present an image of trust and reliability to customers worldwide. The new identity includes fresh designs for the company logo, app icon, customer website (my.trustlook.com) and official website (www.trustlook.com). These visual identity changes will be phased in during May and will be in full effect by June 1st, 2015.


 

  • Company Logo

 

  1. The new Trustlook logo design is simple, yet bold. It abandons the previously used “shield” figure and uses a modern red color with a fresh shape to represent the magnitude of the Trustlook brand.
  2. The spiral figure mimics the sharp “lightning” shape that represents the app’s ease of use and our quick response to 0 day malware – we are the only mobile security vendor that provides real-time malware detection.
  3. The spiral figure also mimics the image of DNA. It brings a fresh and unique feeling, which represents Trustlook as new blood in the mobile security industry.
  4. The new spiral logo also relates to the trilateral effort required to meet the three qualifications of trust: ability, integrity and benevolence, as well as the 360-degree approach we embrace as a company.
  5. ** The interim app icon is used temporarily and will be replaced by the new icon after we release our latest version.

 

 

  • App Icon

 

  1. Consistent with Trustlook’s brand image, the new app icon design is based on the new company logo, placed properly to visually balance composition and size. It is vivid and easily recognized in Google Play store as well as on mobile device screens.
  2. The outer circle of the icon, evocative of a scanning process gauge, highlights our app’s main feature – Scanning Malware for Detection on your devices.
  3. The color blue expresses a feeling of trust, reliability, safety, stabilization, and peace. The icon is also a symbol of these promises and just one of many exciting new developments to come.

 


 


 

 

  • Customer Website & Official Website

Based on the new company logo, we have redesigned the firm’s websites, www.trustlook.com and my.trustlook.com. Customers seeking Trustlook Antivirus & Mobile Security for their security needs, and business partners who want to learn more about our organization, will continue to find our technology platform, news and blogs there. The same values and messages we share as a new, innovative company are now presented in a crisp, clear and elegant format. Listening carefully to your input has helped us make my.trustlook.com a more organized and informative interface, helping customers manage their mobile devices online more easily.

 


 

 

This new VI program marks a new era in Trustlook’s evolution. It gives us the opportunity to remind our users, partners and investors of the value and impact of our mission: to become “your mobile security guardian for a Zero Day World”. We believe the new brand design will strengthen our unique identity around the world.

Let us know what you think!

 

Best regards,

Trustlook Team

 

 

Posted by & filed under News, potentially unwanted app.


Author: Tianfang Guo, Jinjian Zhai

According to our recent scan of the Google Play Store, more than 400 apps have been detected as containing potentially risky behaviour that compromises user privacy. The Trustlook Mobile Security & Antivirus database now includes this list for your protection. A detailed analysis will follow in a separate blog post. The full list of apps can be found here.

What will happen if I install one of these apps?

All these apps exhibit risky behaviour: sending sensitive information, including phone numbers, contacts, SMS, the photo gallery and geolocation, without the user’s specific knowledge. Once the apps’ vendors have collected this data, it can be used for ad-network identification or sold to other firms [1].

Are they malware?

Not exactly, as most of them are not built for malicious purposes per se. Yet they exploit corner cases of the Google Play developer policy. Furthermore, some of the apps have user bases of more than 10M, which creates a privacy risk greater than most viruses pose.

What can you do to protect your phone?

When you open one of the apps on the list, be aware that some of your personal information may be collected. Try to find an alternative app, or do not open them unless absolutely necessary.

How does Trustlook discover them?

Trustlook built a cloud-based crawler that efficiently collects APKs from app markets in multiple countries. Once collected, apps are analyzed by a behavioural analysis engine to expose questionable behaviour.

Unlike most antivirus software, Trustlook does not simply analyze apps statically; it runs them in a native environment to monitor their dynamic behaviour. A detailed analysis is generated with the notable behaviour and the potential security risks highlighted.

In this sample, the contact list is captured by the app, and sent to a remote server:


What’s more, Trustlook’s analytics platform implements “taint analysis”, which follows sensitive data as it flows through memory and flags risky behaviour as soon as that data appears in outbound traffic. This technique can catch new malware and 0-day attacks quickly, protecting Trustlook users’ privacy in a timely manner.
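The idea behind taint analysis is easier to see in a toy model than in prose. The following is an added example, not Trustlook’s engine and not code from any of the 400 apps: values returned by a privacy “source” (contacts, device ID) carry a label, the label survives the string operations an exfiltrating app performs (concatenation, slicing, Base64), and the network “sink” reports any labelled value that reaches it. The simulated apps, their data and the sink URL are constructed for the example.

```python
"""Toy dynamic taint tracking: privacy sources label their return values, the
labels propagate through string operations, and the network sink reports any
labelled value. Added example, not Trustlook's engine; the simulated app
behaviour and all data below are constructed."""
import base64


class Tainted(str):
    """A str carrying the set of sources it was derived from."""

    def __new__(cls, value, labels):
        obj = super().__new__(cls, value)
        obj.labels = frozenset(labels)
        return obj

    # Propagate labels through the operations a data-exfiltrating app uses.
    def __add__(self, other):
        return Tainted(str(self) + str(other), self.labels | labels_of(other))

    def __radd__(self, other):
        return Tainted(str(other) + str(self), labels_of(other) | self.labels)

    def __getitem__(self, key):
        return Tainted(str(self)[key], self.labels)

    def upper(self):
        return Tainted(str(self).upper(), self.labels)


def labels_of(value):
    """Labels of any value; plain strings and numbers carry none."""
    return getattr(value, "labels", frozenset())


def taint_join(sep, items):
    """str.join that unions the labels of every item."""
    labels = frozenset().union(*(labels_of(i) for i in items))
    return Tainted(sep.join(str(i) for i in items), labels)


def taint_b64(value):
    """Base64 encoding does not launder the label."""
    out = base64.b64encode(str(value).encode()).decode()
    return Tainted(out, labels_of(value))


# --- sources: simulated privacy APIs (constructed data) --------------------
def read_contacts():
    return [Tainted("Alice +1 555 0100", {"CONTACTS"}),
            Tainted("Bob +1 555 0101", {"CONTACTS"})]


def get_device_id():
    return Tainted("0123456789abcdef", {"DEVICE_ID"})


# --- sink: every outbound request is checked -------------------------------
class TaintLeak(Exception):
    pass


ALERTS = []


def http_post(url, body):
    """Network sink: record an alert when labelled data reaches the wire."""
    leaked = labels_of(body) | labels_of(url)
    if leaked:
        ALERTS.append((url, sorted(leaked)))
        raise TaintLeak("%s -> %s" % (sorted(leaked), url))
    return 200


def simulate_risky_app():
    """Mimics the behaviour reported above: contacts are read, encoded, posted."""
    ALERTS.clear()
    payload = taint_b64("id=" + get_device_id() + "&c=" + taint_join(";", read_contacts()))
    try:
        http_post("http://ads.example/collect", payload)
    except TaintLeak:
        pass
    return list(ALERTS)


def simulate_benign_app():
    """Same sink, untainted data: no alert."""
    ALERTS.clear()
    http_post("http://ads.example/ping", taint_b64("v=1.0"))
    return list(ALERTS)


if __name__ == "__main__":
    print(simulate_benign_app())
    print(simulate_risky_app())
```

The point to notice is that the alert does not depend on recognising the sample, the server or the encoding: it fires because the labelled bytes reached the sink, which is why the post can claim 0-day coverage for this kind of leak.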

The next risky apps report will be released soon, so stay tuned!

Reference
[1] https://www.fireeye.com/blog/threat-research/2014/03/a-little-bird-told-me-personal-information-sharing-in-angry-birds-and-its-ad-libraries.html

Posted by & filed under AVTest, News.

Achieving 99.9% Malware Detection Rate, Zero False Alerts and Usability & Protection Score of 6.0/6.0 in March 2015 Benchmark Testing


 

Trustlook earned a top score in AV-TEST benchmark testing in March 2015 with its popular Android security application Trustlook Antivirus & Mobile Security (http://bit.ly/1xeqTz2). After analysis of a comprehensive set of 3077 malicious apps and 2784 legitimate apps, Trustlook joined the winners’ circle again with a 99.9% detection rate, zero false alerts and full marks of 6.0/6.0 in all categories.

 

AV-Test benchmark testing continues to demonstrate a need for mobile security on smartphones, evaluating products for protection, performance and usability. Trustlook Antivirus & Mobile Security demonstrated the strength of its malware detection engine with full scores in all categories, without impacting the performance of the mobile device or its battery.

 

“Accurate, real time malware detection is key to protecting every mobile device user,” commented Allan Zhang, Trustlook CEO. “We make every effort to discover potential risks in phones as well as improve the user’s experience. Thanks to our automated malware analysis platform, Trustlook quickly delivers more accurate and comprehensive app analysis reports.”

 

Trustlook provides a quick security response to data breaches and malware exploits through comprehensive behavioural analysis, closing the gap between the time malware is detected and the time a device is compromised. Recently, Trustlook recognized the “Fake Amazon Giftcard” malware within 2 minutes, while 81% of antivirus programs still missed it after 24 hours.

 

 

About AV-TEST

AV-TEST GmbH is an independent supplier of services in the fields of IT security and antivirus research, focusing on the detection and analysis of the latest malicious software and its use in comprehensive comparative testing of security products. Please visit http://www.av-test.org/

 

Posted by & filed under Uncategorized.

Authors: Tianfang Guo, Jinjian Zhai

A few days ago, Lukas Stefanko from ESET discovered a new Remote Access Tool (RAT) disguised as a music app and uploaded to Google Play.


Once a victim has installed it, the RAT can be activated at any time by a remote attacker’s command and perform a series of malicious actions, including:

  • Retrieving the call log, contacts, SMS and location
  • Uploading, downloading and removing arbitrary files
  • Sending SMS to subscribe the victim to premium-rate services
  • Turning the phone into a spy camera

What makes this RAT special is that it uses Baidu’s push notification service for command and control, instead of its own command-and-control server and HTTP traffic.

Push notification on Android is provided by third-party services; Google Cloud Messaging (GCM) is the most common, free and used by millions of apps. Baidu’s Cloud Push service is the Chinese counterpart of GCM (the latter is not accessible in mainland China). Apparently the author has bet that Baidu won’t interfere with his business.

Using a push-notification service for command and control is quite new for a RAT, and it has real advantages:

  • No server side needed: Baidu’s infrastructure handles everything, from the command console to push delivery.
  • Hard to detect: the network traffic looks no different from ordinary push notifications.

The developer console of Baidu cloud, which allows pushing a notification to any registered devices without writing a single line of code.

The control procedure is as follows:

The RAT handling the commands sent via notification:

We also found that the developer has leaked his Baidu secret key in the app, bad practice!
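A leaked key of this kind is easy to find once you know to look. The following added example (not Trustlook’s tooling, and not the sample’s real strings) scans a strings dump of an APK, such as the output of `strings` over classes.dex or of a decompiler, for two things: literals assigned to credential-looking names, and any long quoted literal whose Shannon entropy is too high to be a human-written string. The dump, the names and the values are constructed; the entropy threshold is an assumption to tune per code base.

```python
"""Scan a strings dump from an APK (e.g. `strings classes.dex`, or decompiled
source) for embedded credentials. Added example, not Trustlook's tooling; the
dump below is constructed and the values in it are invented."""
import math
import re

# Constructed dump: a mix of dex descriptors, smali and decompiled Java lines.
SAMPLE_DUMP = """\
Lcom/example/musicplayer/MainActivity;
const-string v0, "apiKey"
String API_KEY = "aBcD1234eFgH5678iJkL";
String SECRET_KEY = "s9Xq2pLm7Vr4Tz8WnK3yBd6Fh1Jc5Ge0";
private static final String TAG = "MusicPlayer";
const-string v1, "dGhpcyBpcyBhIHRlc3Qgc3RyaW5n"
String password = "changeme";
"""

# A literal assigned to a credential-looking name, e.g. SECRET_KEY = "...".
KEY_ASSIGN = re.compile(
    r'(?i)\b(api[_-]?key|secret[_-]?key|app[_-]?secret|access[_-]?token|password)\b'
    r'\s*[:=]\s*["\']([^"\']{8,})["\']')
# Any long quoted literal made of key-like characters (alnum, base64, hex).
QUOTED = re.compile(r'["\']([A-Za-z0-9+/_\-=]{20,})["\']')


def shannon_entropy(s):
    """Bits per character. Random keys score well above English or identifiers."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_strings(dump, entropy_threshold=3.5):
    """Return [(line_no, reason, value)] for credential-looking strings.
    Named assignments are reported regardless of entropy (weak passwords are
    low-entropy but still secrets); other literals only when they look random."""
    findings = []
    for no, line in enumerate(dump.splitlines(), 1):
        m = KEY_ASSIGN.search(line)
        if m:
            findings.append((no, m.group(1), m.group(2)))
            continue
        for q in QUOTED.finditer(line):
            if shannon_entropy(q.group(1)) >= entropy_threshold:
                findings.append((no, "high-entropy literal", q.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, reason, value in scan_strings(SAMPLE_DUMP):
        print("%3d  %-22s %s" % (line_no, reason, value))
```

The named-assignment rule catches the case in the post (a secret key sitting in a field), while the entropy rule catches keys that were only pushed into a `const-string` without a telling name; expect the latter to produce some false positives on Base64 resources, which is why the threshold is a parameter.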

Despite the Elven Path blog post, this app had been on Google Play for nearly 6 months, and it can still be downloaded from some third-party app markets. The VirusTotal submission from October 2014 was most likely made by the malware author as a pre-release check of AV detection, and no antivirus product detected it at that time, a consequence of the lack of behaviour-based mobile threat protection.

A convincing disguise and an innovative communication channel: that is how a piece of malware survives for an impressively long time. We will keep watching for threats of this kind and post updates on our blog.

Special Thanks to Steven Chen for providing us the sample.
References:
http://b0n1.blogspot.tw/2015/03/trojan-using-baidu-cloud-push-service.html

Posted by & filed under News, potentially unwanted app.


“Only when the tide goes out do you discover who’s been swimming naked”. – Warren Buffett


We recently found that “Automatic Virus Scanner” (ggg.tools.anti01), an antivirus app with 100k-500k downloads on Google Play, is actually a “placebo”: it provides no protection at all.

The app is built on the Unity framework, with plenty of animations and sounds. Take a look:


Using it for the first time? You will be alarmed to find so many “red viruses” on your phone.


After you tap the “clean” button, it starts “bombing” the viruses. If you scan again, it shows a clean result.

Looks real, huh? Let’s find out what is really going on.


The “scan” logic (C# code in the Unity framework) reads several values from a local XML file: the “last scanned date” (the “y”, “m” and “d” values) and “whether the user has scanned before” (the “f” value). If the user has not scanned before, or the last scan was more than 3 days ago, it plays the “red virus” animation and displays “virus detected”. Otherwise it displays “no virus”.


The local XML file is the only basis for showing a positive result or not. It stores the time at which the app “should” detect a virus; the “f” value indicates whether the user has tapped “clean virus” before. If you delete this file, you will find that it always detects a virus.
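To make the point unmistakable, here is the decision logic reconstructed in Python from the description above (the app itself is C#; this is an added example, not its code). The element names y, m, d and f are the ones the post reports; the surrounding XML layout and the state-file format are assumptions. Nothing in the function touches an APK, a file on the device or a package list: the verdict is a function of the calendar alone, and deleting the file (the `None` case) makes every scan “infected”.

```python
"""Reconstruction of the placebo scanner's "scan" decision, rewritten in Python
as an added example. Element names y/m/d/f come from the post; the XML layout
around them is assumed."""
import datetime
import xml.etree.ElementTree as ET

# Constructed state file as the app might write it after a "clean" on 2015-03-14.
STATE_XML = "<state><y>2015</y><m>3</m><d>14</d><f>1</f></state>"


def parse_state(xml_text):
    """Return (last_scan_date, cleaned_before), or None when the file is missing
    or unreadable (the app then behaves exactly as on first run)."""
    if xml_text is None:
        return None
    try:
        root = ET.fromstring(xml_text)
        last = datetime.date(int(root.findtext("y")), int(root.findtext("m")),
                             int(root.findtext("d")))
        cleaned = root.findtext("f") == "1"
    except (ET.ParseError, TypeError, ValueError):
        return None
    return last, cleaned


def shows_virus(xml_text, today_iso, stale_after_days=3):
    """The app's entire 'detection' outcome for a scan run on today_iso
    (YYYY-MM-DD). No APK, file or package is ever inspected."""
    today = datetime.date.fromisoformat(today_iso)
    state = parse_state(xml_text)
    if state is None:          # no file (first run, or file deleted): "infected"
        return True
    last, cleaned = state
    if not cleaned:            # the user never pressed "clean"
        return True
    return (today - last).days >= stale_after_days


def write_state(today_iso, cleaned=True):
    """What the app persists after a "clean": the date and the f flag."""
    today = datetime.date.fromisoformat(today_iso)
    return "<state><y>%d</y><m>%d</m><d>%d</d><f>%d</f></state>" % (
        today.year, today.month, today.day, 1 if cleaned else 0)


if __name__ == "__main__":
    for day in ("2015-03-15", "2015-03-17"):
        print(day, "virus detected" if shows_virus(STATE_XML, day) else "no virus")
```

Running the same scan on two different days with an unchanged device is the practical test: a real scanner gives the same answer, this one flips after three days.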

Also, according to our dynamic analysis sandbox, only the statistics and ad URLs are visited when using this app. No backend is found, and no local APK is accessed during the scan.


Statistics and ad endpoints are contacted, but no backend is found. The app writes a config file, but accesses no local APK file. How could it “scan”? It seems this app only delivers a sense of security rather than real protection.

Posted by & filed under malware, zero-day.


Authors: Tianfang Guo, Jinjian Zhai

The “Fake Amazon Giftcard” malware has broken out over the last 48 hours. It is technically simple, but it has infected 4,000 devices and generated over 200,000 spam SMS worldwide in less than 24 hours (source: http://goo.gl/cFs2BG).

Let’s see what it can do:

    • The app presents itself as a “survey for gift card” app to attract installs.
    • Once installed, it reads the contact list and sends a spam SMS containing a download link to every one of the victim’s contacts, so it spreads like a worm.

 

Hey [contact name], I am sending you $200 Amazon Gift Card You can Claim it here : https://bit.ly/getAmazonReward

    • The app’s interface is a series of web-view surveys that collect a great deal of the user’s private information, especially from users eager for the gift card. The app also bundles an advertising SDK to generate more profit.

Trustlook intercepted a sample from our user base yesterday, March 3rd, and the dynamic analysis sandbox produced a detailed report within 2 minutes:
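The behaviour described above (read the contact list, then blast a near-identical SMS with a link to many recipients) is exactly the kind of pattern a sandbox rule can catch without a signature. The following is an added example, not Trustlook’s sandbox or its report format: a small rule run over constructed behaviour-log lines. The log format, package names, phone numbers and the placeholder link are all invented; the message wording mirrors the spam text quoted in the post.

```python
"""Behavioural rule for the SMS-worm pattern: an app reads the contact list and
then sends many template SMS containing a link. Added example; the log format
and the lines below are constructed, not Trustlook sandbox output."""
import re
from collections import Counter

# Constructed sandbox log: timestamp, package, API call, arguments.
WORM_LOG = """\
12:00:01 com.example.giftcard ContentResolver.query uri=content://com.android.contacts/data/phones rows=312
12:00:02 com.example.giftcard SmsManager.sendTextMessage to=+15550100 body="Hey Alice, I am sending you $200 Amazon Gift Card You can Claim it here : https://example.invalid/claim"
12:00:02 com.example.giftcard SmsManager.sendTextMessage to=+15550101 body="Hey Bob, I am sending you $200 Amazon Gift Card You can Claim it here : https://example.invalid/claim"
12:00:03 com.example.giftcard SmsManager.sendTextMessage to=+15550102 body="Hey Carol, I am sending you $200 Amazon Gift Card You can Claim it here : https://example.invalid/claim"
12:00:03 com.example.giftcard SmsManager.sendTextMessage to=+15550103 body="Hey Dave, I am sending you $200 Amazon Gift Card You can Claim it here : https://example.invalid/claim"
12:00:04 com.example.giftcard SmsManager.sendTextMessage to=+15550104 body="Hey Eve, I am sending you $200 Amazon Gift Card You can Claim it here : https://example.invalid/claim"
12:00:05 com.example.giftcard HttpURLConnection.connect url=http://ads.example/v1/show
"""

# A legitimate messaging app: reads contacts, sends one SMS, no link.
BENIGN_LOG = """\
12:10:00 com.example.chat ContentResolver.query uri=content://com.android.contacts/data/phones rows=312
12:10:30 com.example.chat SmsManager.sendTextMessage to=+15550100 body="running late, see you at 7"
"""

LINE = re.compile(r'^(?P<ts>\S+) (?P<pkg>\S+) (?P<api>\S+) (?P<args>.*)$')
SMS_ARGS = re.compile(r'to=(?P<to>\S+) body="(?P<body>.*)"$')
URL = re.compile(r'https?://\S+')


def parse(log):
    """Split log lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def normalize(body):
    """Collapse the per-recipient parts so template messages compare equal."""
    return URL.sub("<url>", re.sub(r'^Hey [^,]+,', "Hey <name>,", body))


def sms_worm_verdict(log, min_recipients=3):
    """Flag when contacts were read AND at least min_recipients distinct numbers
    received the same template message carrying a link. Returns the evidence
    so an analyst can see why the rule fired (or did not)."""
    events = parse(log)
    contacts_read = any(e["api"] == "ContentResolver.query" and "contacts" in e["args"]
                        for e in events)
    recipients, templates, with_link = set(), Counter(), 0
    for e in events:
        if e["api"] != "SmsManager.sendTextMessage":
            continue
        m = SMS_ARGS.match(e["args"])
        if not m:
            continue
        recipients.add(m.group("to"))
        templates[normalize(m.group("body"))] += 1
        if URL.search(m.group("body")):
            with_link += 1
    top_template = templates.most_common(1)[0][1] if templates else 0
    flagged = (contacts_read and len(recipients) >= min_recipients
               and with_link >= min_recipients and top_template >= min_recipients)
    return {"flagged": flagged, "contacts_read": contacts_read,
            "recipients": len(recipients), "sms_with_link": with_link,
            "same_template": top_template}


if __name__ == "__main__":
    print(sms_worm_verdict(WORM_LOG))
    print(sms_worm_verdict(BENIGN_LOG))
```

Requiring all three conditions (contacts read, fan-out to several numbers, one template with a link) is what keeps a chat app that legitimately reads contacts and sends one message from tripping the rule.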


According to VirusTotal, at the time of interception only 2 of 57 antivirus programs identified it. After 24 hours, 46 of 57 AV programs were still blind to this simple malware, and none warned users about the malicious link used to download it.


Another example of the advantage of behavioural analysis in the modern mobile era.

Posted by & filed under malware.

Authors: Jinjian Zhai, Tianfang Guo

Spyware for Android phones has been a steadily growing malware category since early 2014. For example, a sample of the Android.Spy malware family (MD5: 14d9f1a92dd984d6040cc41ed06e273e) was first reported on 2014-01-26 with only 1 of 48 AV vendors detecting it as malware at that time [1].

 

Initial scanning result.

 

The malware disguises itself as a Google service, monitors the phone and intercepts incoming calls to record the audio.

 

The malware disguised itself as a google package.

 

It can even suppress the ringtone and vibration so that it can record the call to a file on the phone unnoticed.

 


 

The recorded audio file is then uploaded along with other files as soon as the malware client receives the “FIL” command from the command-and-control (CNC) server.

 


 

The spyware family never stops evolving. Recently AVG Virus Labs reported new malware that can spy on users even when the phone appears to be turned off [2].

The story starts when you press the power button. The sequence of Android events triggered by the power button has been described in an earlier blog [3] as well as in the AVG post [2].

First the PhoneWindowManager.interceptKeyBeforeQueueing() method is called:

 


 

Second, execution reaches the KeyEvent.KEYCODE_POWER case:

 


 

Then the interceptPowerKeyDown() method is called:

 


 

Finally, the phone is shut down from the mPowerLongPress handler:

 


 

Following this process, Tencent Labs published an open-source proof-of-concept (PoC) tool, “hijackAndroidPowerOff” [4], that demonstrates how the shutdown path can be hooked so that a phone which appears powered off remains accessible [5]. No AV scan results for the published sample [4] have been reported since its release, and because the framework it builds on is considered benign by many scanners, it is doubtful the tool would be detected as malware.

The tool [4] is implemented as an Xposed module [6]; Xposed is a dynamic hooking framework for Android [7]. Relying on the Xposed package, which can hook most of the Android framework, hijackAndroidPowerOff hooks the shutdown() method of the PhoneWindowManager class. Using the abstract class de.robv.android.xposed.XC_MethodHook that the Xposed package provides, the author overrides afterHookedMethod():


 

In the overriding method, the shutdown() call leads to a fake “Shut Down” dialog and starts the myCancelShutdownDialog Runnable, whose name implies it is the counterfeit of the authentic myShutdownDialog Runnable:

 


 

In the oddly named myCancelShutdownDialog Runnable, run() is overridden to perform all the normal steps before shutting down the phone, except that the “shutdown” system call is replaced by goToSleep(). The author then adds the extra call-monitoring method, listenCall():

 


 

The listenCall() method leads to a BroadcastReceiver that is no more than an ordinary call-monitoring routine. Note that meanwhile the phone is actually sleeping rather than shut down, although both states show a black screen:

 


 

As stated at the beginning of this post, the call-monitoring code could easily be replaced by any number of malicious payloads, such as audio recording or a CNC client, running while the phone is actually asleep rather than powered off.

Furthermore, such code builds on popular tools like Xposed and hides in com.google or obfuscated package names. Signature-based AV vendors cannot pick out the malicious snippet itself. In such cases we can only rely on behaviour-based antivirus tools to find the needle in the haystack.
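Signatures fail here, but the module still leaves structural traces that a static triage pass can look for: an Xposed module must ship an assets/xposed_init file naming its entry class, and its dex string table must contain the hook API descriptor (XC_MethodHook) together with the names of the classes and methods it targets (PhoneWindowManager, shutdown, goToSleep). The following is an added example, not Trustlook’s engine and not the PoC’s code: two APKs are built in memory from constructed contents, with a fake classes.dex that holds only the descriptor strings a real dex file would also carry, and a scanner reports which indicators are present. A real dex stores these strings as MUTF-8 in its string table, so the same byte search applies to it; parsing the binary AndroidManifest.xml for the xposedmodule meta-data is left out.

```python
"""Static triage for the hook-based "fake shutdown" technique: look for the
Xposed module marker and the strings that tie hooks to the power-off path and
to call monitoring. Added example; the APKs are built in memory from
constructed contents."""
import io
import zipfile

HOOK_API = b"Lde/robv/android/xposed/XC_MethodHook;"
SHUTDOWN_TARGETS = [b"PhoneWindowManager", b"shutdown", b"goToSleep"]
CALL_SPY = [b"Landroid/telephony/TelephonyManager;", b"android.intent.action.PHONE_STATE"]


def build_apk(files):
    """Return the bytes of a zip (an APK is a zip) with name -> content entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def scan_apk(apk_bytes):
    """Report Xposed-module and fake-shutdown indicators found in an APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        # Concatenate every classes*.dex; descriptors live in their string tables.
        dex = b"".join(z.read(n) for n in sorted(names)
                       if n.startswith("classes") and n.endswith(".dex"))
        entry_classes = (z.read("assets/xposed_init").decode().split()
                         if "assets/xposed_init" in names else [])
    uses_hook_api = HOOK_API in dex
    hooks_shutdown = uses_hook_api and all(s in dex for s in SHUTDOWN_TARGETS)
    spies_calls = any(s in dex for s in CALL_SPY)
    if hooks_shutdown:
        verdict = "fake-shutdown hook"
    elif entry_classes:
        verdict = "xposed module"
    else:
        verdict = "clean"
    return {"xposed_module": bool(entry_classes), "entry_classes": entry_classes,
            "uses_hook_api": uses_hook_api, "hooks_shutdown": hooks_shutdown,
            "spies_calls": spies_calls, "verdict": verdict}


def hijack_like_apk():
    """Constructed APK shaped like the PoC: module marker plus hook/target strings."""
    dex = b"\x00".join([
        b"Lcom/example/hijackpoweroff/Callbacks;",   # constructed package name
        HOOK_API,
        b"Lcom/android/internal/policy/impl/PhoneWindowManager;",
        b"shutdown", b"goToSleep", b"listenCall",
        b"Landroid/telephony/TelephonyManager;",
    ])
    return build_apk({
        "AndroidManifest.xml": b"<binary xml omitted>",
        "assets/xposed_init": b"com.example.hijackpoweroff.Callbacks\n",
        "classes.dex": dex,
    })


def benign_apk():
    """Constructed APK of an ordinary app: no module marker, no hook strings."""
    dex = b"\x00".join([b"Lcom/example/music/Player;",
                        b"Landroid/media/MediaPlayer;", b"start"])
    return build_apk({"AndroidManifest.xml": b"<binary xml omitted>", "classes.dex": dex})


if __name__ == "__main__":
    print(scan_apk(hijack_like_apk()))
    print(scan_apk(benign_apk()))
```

The verdict is deliberately graded: an Xposed module on its own is legitimate tooling, but a module whose dex references both the hook API and the shutdown/goToSleep pair is worth a closer look regardless of what package name it hides behind.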

 

REFERENCE:

 

[1] https://www.virustotal.com/en/file/be0df39d6e334908c685e4c77b89efc49cc9bddc528a7c2434576b5a8b740f88/analysis/

[2] http://now.avg.com/malware-is-still-spying-on-you-after-your-mobile-is-off/

[3] http://www.jiandande.com/html/bianchengjiqiao/androidkaifa/2014/1128/5189.html

[4] http://security.tencent.com/index.php/opensource/detail/14

[5] https://github.com/monstersb/hijackAndroidPowerOff/blob/master/src/com/example/hijackpoweroff/Callbacks.java

[6] http://repo.xposed.info

[7] http://m.blog.csdn.net/blog/wxyyxc1992/17320911