Posted by & filed under News, potentially unwanted app.


Author: Tianfang Guo, Jinjian Zhai

According to our recent scan of the Google Play Store, more than 400 apps have been detected as containing potentially risky behaviors that compromise users’ privacy. The Trustlook Mobile Security & Antivirus database now includes this list for your protection. A detailed analysis will follow in a separate blog post. The full list of apps can be found here.

What will happen if I install one of these apps?

All these apps share one risky behavior: sending sensitive information, including phone numbers, contacts, SMS, the photo gallery and geolocation, without the user’s explicit knowledge. Once the apps’ vendors have collected this data, it can be used for ad-network identification or sold to other firms [1].

Are they malware?

Not exactly, as most of them are not built for malicious purposes per se. Yet they do take advantage of a corner case in the Google Play developer policy. Furthermore, some of these apps have a user base of more than 10M, which creates a privacy risk larger than that of most viruses.

What can you do to protect your phone?

When you open one of the apps on the list, be aware that some of your personal information may be collected. Try to find an alternative app, or do not open them unless absolutely necessary.

How does Trustlook discover them?

Trustlook built a cloud-based crawler system that efficiently mines data and collects APKs from app markets in multiple countries. Once collected, the apps are analyzed by a behavioral analysis engine to expose the questionable behavior.

Unlike most antivirus software, Trustlook does not simply analyze the apps statically; it also runs them in a native environment to monitor their dynamic behavior. A detailed analysis is generated with the highlighted behavior and the potential security risks.

In one sample from the list, the contact list was captured by the app and sent to a remote server.

What’s more, Trustlook’s analytics platform implements “taint analysis”, which tracks the flow of sensitive data through memory and flags the risky behavior as soon as the tainted data appears in outbound traffic. Because the check keys on the data flow rather than on a signature, new malware and 0-day samples are caught the moment they perform the leak, protecting Trustlook users’ privacy in a timely manner.
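The source-to-sink idea behind taint analysis, as an added example in Python (not code from Trustlook’s platform). Values returned by simulated device APIs carry a taint label through the transformations a leaking app typically applies to the data, and the outbound-HTTP function reports the labels that reach it. The device data, the URLs and the sample app are all constructed for the demo.

```python
"""Toy dynamic taint tracker: flag sensitive data at the network sink.

Added example, not Trustlook's engine. Values returned by simulated
device APIs (the "sources") carry taint labels; the labels survive the
transformations a leaking app typically applies (concatenation,
slicing, base64, JSON) and the outbound HTTP call (the "sink") reports
whatever labels reach it. The device data, URLs and the sample app are
constructed for the demo.
"""
import base64
import json


class Tainted(str):
    """str that remembers which sensitive sources it was derived from."""

    def __new__(cls, value, labels):
        obj = super().__new__(cls, value)
        obj.labels = frozenset(labels)
        return obj

    # Propagation through the string operations an app is likely to use.
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.labels | labels_of(other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.labels | labels_of(other))

    def __getitem__(self, key):          # indexing and slicing keep the taint
        return Tainted(str.__getitem__(self, key), self.labels)


def labels_of(value):
    """Union of the taint labels found anywhere inside value."""
    if isinstance(value, Tainted):
        return value.labels
    if isinstance(value, dict):
        value = list(value.values())
    if isinstance(value, (list, tuple, set)):
        return frozenset().union(*(labels_of(v) for v in value))
    return frozenset()


def _rewrap(result, *inputs):
    labels = frozenset().union(*(labels_of(v) for v in inputs))
    return Tainted(result, labels) if labels else result


# Instrumented library calls: encoding changes the bytes, not the fact
# that they were derived from contacts, so the wrappers carry taint over.
def b64encode_tracked(text):
    return _rewrap(base64.b64encode(str(text).encode()).decode(), text)


def json_dumps_tracked(obj):
    return _rewrap(json.dumps(obj), obj)


# Simulated sources (constructed sample data, not a real device).
def read_contacts():
    return Tainted("Alice:+15550100001;Bob:+15550100002", {"CONTACTS"})


def read_location():
    return Tainted("37.3861,-122.0839", {"LOCATION"})


def read_device_model():
    return "Nexus 5"          # not sensitive: a plain str with no labels


# Sink: inspect every outbound body before it leaves the device.
def http_post(url, body, findings):
    labels = labels_of(body)
    if labels:
        findings.append({"url": url, "labels": sorted(labels)})
    return len(body)          # stand-in for "bytes sent"


def run_sample_app(findings):
    """Hypothetical app under analysis: one benign request, one leak."""
    # Benign telemetry: nothing sensitive, so no finding is expected.
    http_post("https://stats.example/ping",
              json_dumps_tracked({"model": read_device_model()}), findings)
    # Leak: contacts are base64'd and chopped into chunks, the location is
    # prefixed with a field name, then everything is wrapped in JSON.
    blob = b64encode_tracked(read_contacts())
    chunks = [blob[i:i + 16] for i in range(0, len(blob), 16)]
    payload = {"model": read_device_model(), "c": chunks,
               "geo": "loc=" + read_location()}
    http_post("https://ads.example/collect", json_dumps_tracked(payload), findings)


def analyze():
    """Run the sample app under the tracker and return the sink findings."""
    findings = []
    run_sample_app(findings)
    return findings


if __name__ == "__main__":
    for f in analyze():
        print(f"{f['url']} received {', '.join(f['labels'])}")
```

The telemetry request carries no label and is not reported; the second request is flagged even though the contacts were base64-encoded and split into chunks, which is exactly why the check is made on data flow rather than on string patterns. A real tracker does this at the bytecode or system-call level instead of with a str subclass, and has to propagate through far more operations than the handful instrumented here.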

The next risky apps report will be released soon, so stay tuned!

Reference
[1] https://www.fireeye.com/blog/threat-research/2014/03/a-little-bird-told-me-personal-information-sharing-in-angry-birds-and-its-ad-libraries.html

Posted by & filed under AVTest, News.

Achieving 99.9% Malware Detection Rate, Zero False Alerts and Usability & Protection Score of 6.0/6.0 in March 2015 Benchmark Testing

Trustlook earned a top score in AV-TEST benchmark testing in March 2015 with its popular Android security application Trustlook Antivirus & Mobile Security (http://bit.ly/1xeqTz2). After analyzing a comprehensive set of 3077 malicious apps and 2784 legitimate apps, Trustlook joined the winners’ circle again with a 99.9% detection rate, zero false alerts and full marks of 6.0/6.0 in all categories.

AV-TEST benchmark testing continues to demonstrate the need for mobile security on smartphones, evaluating products for protection, performance and usability. Trustlook Antivirus & Mobile Security demonstrated the strength of its malware detection engine with full scores in all categories, without impacting the performance of the mobile device or its battery.

“Accurate, real time malware detection is key to protecting every mobile device user,” commented Allan Zhang, Trustlook CEO. “We make every effort to discover potential risks in phones as well as improve the user’s experience. Thanks to our automated malware analysis platform, Trustlook quickly delivers more accurate and comprehensive app analysis reports.”

Trustlook provides a quick security response to data breaches and malware outbreaks through comprehensive behavioral analysis, closing the gap between the moment a new piece of malware appears and the moment devices are protected against it. Recently, Trustlook recognized the “Fake Amazon Giftcard” malware in 2 minutes, while 81% of antivirus programs missed it even after 24 hours.

About AV-TEST

AV-TEST GmbH is an independent supplier of services in the fields of IT security and antivirus research, focusing on the detection and analysis of the latest malicious software and its use in comprehensive comparative testing of security products. For more information, please visit http://www.av-test.org/

Posted by & filed under Uncategorized.

Authors: Tianfang Guo, Jinjian Zhai

A few days ago, Lukas Stefanko from ESET discovered a new Remote Access Tool (RAT) disguised as a music app and uploaded to Google Play.


Once a victim installs it, the RAT can be activated by a remote attacker’s command at any time and carry out a series of malicious actions, including:

  • Retrieving the call log, contacts, SMS and location
  • Uploading, downloading and removing arbitrary files
  • Sending SMS to subscribe to fee-based services
  • Turning the phone into a spy camera

What makes this RAT special is that it uses Baidu’s push notification service for command and control, instead of its own command & control server and HTTP traffic.

Push notification services on Android are implemented by third-party providers. Google Cloud Messaging (GCM) is the most commonly used one; it is free and used by millions of apps. Baidu’s Cloud Push service is the Chinese counterpart of GCM (GCM is not accessible in mainland China). Apparently the attacker is betting that Baidu will not interfere with his business.

Using a notification service for command and control is quite a new approach for a RAT, with these advantages:

  • No server side needed: Baidu’s servers take care of everything, from the command console to the push delivery.
  • Hard to detect: the network traffic looks no different from normal push notifications.

The trade-off for the attacker is that the push SDK and its registration credentials have to live inside the APK, so the dependency on Baidu Cloud Push is visible to static analysis even though the traffic is not.

The developer console of Baidu Cloud allows pushing a notification to any registered device without writing a single line of code.

The control procedure: the attacker enters a command in the Baidu console, Baidu’s push service delivers it to the infected device as a notification, and the RAT’s notification handler parses and executes the command.

We also found that the developer has leaked his Baidu Secret Key in the app. Bad practice!

Despite the Elven Path blog post, this app has been on Google Play for nearly 6 months and can still be downloaded from some third-party app markets. The VirusTotal submission from Oct 2014 was very likely made by the malware author himself, as a pre-release test of how AV products would react. No antivirus detected it at that time, due to the lack of behavior-based mobile threat protection.

A successful disguise and an innovative communication channel: that is how a piece of malware can survive for an impressively long time. We will keep watching for this kind of threat and post updates on our blog.

Special Thanks to Steven Chen for providing us the sample.
References:
http://b0n1.blogspot.tw/2015/03/trojan-using-baidu-cloud-push-service.html

Posted by & filed under News, potentially unwanted app.


“Only when the tide goes out do you discover who’s been swimming naked”. – Warren Buffett

We recently found that “Automatic Virus Scanner” (ggg.tools.anti01), an antivirus app with 100k-500k downloads on Google Play, is actually a “placebo”: it has no protection functionality at all.

The app is developed on the Unity framework, with plenty of animations and sounds.

First time using it? You will be scared to find so many “red viruses” on your phone.

After you click the “clean” button, it starts “bombing” the viruses, and if you scan again it shows a clean result.

Looks real, huh? Let’s find out what is really going on.

The code (C# on the Unity framework) behind the “scan” logic reads several values from a local XML file: the “last scanned date” (the “y”, “m” and “d” values) and a flag recording “whether the user has scanned before” (the “f” value). If the user has not scanned before, or 3 days have passed since the last scan, it plays the “red virus” animation and displays “virus detected”; otherwise it displays “no virus”.

This local XML file is the only basis for whether a positive result is shown. It stores the time from which the app “should” detect viruses again, and the “f” value indicates whether the user has clicked “clean virus” before. If you delete this file, you will find that it always detects viruses.

Also, in our dynamic analysis sandbox, only the statistics and ad URLs were visited while using this app; no backend was found. It writes its config file, but never reads a single local APK during the “scan”. How could it scan anything? This app only delivers a “sense of security” rather than real protection.
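The scan decision described above, re-implemented in Python as an added example (not the app’s own C#). The only input is a small XML state file holding the last “clean” date and the “f” flag; no installed APK is ever opened, so the verdict is a function of the calendar alone. The file name, the element names and the “at least 3 days” boundary are assumptions standing in for the app’s real config.

```python
"""The "scan" decision described above, re-implemented as an added
example (Python rather than the app's Unity C#). The only input is a
small XML state file holding the last "clean" date (y, m, d) and the
flag f; installed APKs are never opened, so the verdict is a function
of the calendar alone. The file name, the element names and the
"at least 3 days" boundary are assumptions standing in for the app's
real config.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from datetime import date, timedelta

REDETECT_AFTER = timedelta(days=3)   # "3 days have passed since the last scan"


def load_state(path):
    """Return (last_clean_date, cleaned_before); (None, False) if no usable state."""
    if not os.path.exists(path):
        return None, False
    root = ET.parse(path).getroot()
    vals = {k: root.findtext(k) for k in ("y", "m", "d", "f")}
    if vals["f"] != "1" or None in (vals["y"], vals["m"], vals["d"]):
        return None, False
    return date(int(vals["y"]), int(vals["m"]), int(vals["d"])), True


def save_state(path, when):
    """Record that the user pressed "clean" on the given day."""
    root = ET.Element("state")
    for tag, val in (("y", when.year), ("m", when.month), ("d", when.day), ("f", 1)):
        ET.SubElement(root, tag).text = str(val)
    ET.ElementTree(root).write(path)


def fake_scan(path, today):
    """Verdict the app shows: red viruses unless a clean is recent."""
    last_clean, cleaned_before = load_state(path)
    if not cleaned_before or today - last_clean >= REDETECT_AFTER:
        return "virus detected"     # animation plays; no APK was read
    return "no virus"


def fake_clean(path, today):
    """The "clean" button: nothing is removed, only the date is stored."""
    save_state(path, today)


def walkthrough(path=None):
    """Drive the logic through the scenarios in the post; return the verdicts."""
    path = path or os.path.join(tempfile.gettempdir(), "placebo_state.xml")
    if os.path.exists(path):
        os.remove(path)
    day0 = date(2015, 3, 16)
    verdicts = [fake_scan(path, day0)]                          # first run
    fake_clean(path, day0)
    verdicts.append(fake_scan(path, day0))                      # just cleaned
    verdicts.append(fake_scan(path, day0 + timedelta(days=2)))  # inside window
    verdicts.append(fake_scan(path, day0 + timedelta(days=3)))  # window expired
    os.remove(path)
    verdicts.append(fake_scan(path, day0))                      # state file deleted
    return verdicts


if __name__ == "__main__":
    print(walkthrough())
```

The walkthrough reproduces every observation in the post: a fresh install “detects” viruses, a clean followed by a rescan is “clean”, the red viruses return once the stored date is old enough, and deleting the state file makes the app detect viruses every time. Nothing about the device is consulted at any point.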

Posted by & filed under malware, zero-day.


Authors: Tianfang Guo, Jinjian Zhai

The “Fake Amazon Giftcard” malware has been breaking out over the last 48 hours. It is pretty simple from a technical standpoint, but has infected 4,000 devices and caused over 200,000 spam SMS worldwide in less than 24 hours (source: http://goo.gl/cFs2BG).

Let’s see what it does:

    • The app presents itself as a “survey for a gift card” app to attract installs.
    • Once installed, it reads the contact list and sends a spam SMS containing a download link to every one of the victim’s contacts, so it spreads like a worm:

Hey [contact name], I am sending you $200 Amazon Gift Card You can Claim it here : https://bit.ly/getAmazonReward

    • The app’s interface is a series of surveys in a web view, which collects a lot of the user’s private information, especially from those who are eager for the gift card. The app also includes an advertising SDK to generate more profit.

Trustlook intercepted a sample from our user base yesterday, March 3rd, and our dynamic analysis sandbox produced a detailed report within 2 minutes.

According to VirusTotal, at the time of interception only 2 out of 57 antivirus programs could identify it. After 24 hours, 46 out of 57 AV programs were still blind to this simple piece of malware, and no AV program was warning its users about the malicious link used to distribute it.

Another example of the superiority of behavioral analysis in the modern mobile era.
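A behavioral rule for this pattern, as an added example of the kind of check a dynamic-analysis sandbox can apply to an app’s API trace (Python; not Trustlook’s engine or report format). The trace format and both sample runs are constructed; the spam text is the message quoted above.

```python
"""Behavioural rule for the "read the contacts, then mass-SMS a link"
pattern, added as an example of the kind of check a dynamic-analysis
sandbox can run over an app's API trace (not Trustlook's report format).
The trace format and both sample runs are constructed; the spam text is
the message quoted in the post.
"""
import re

LINE_RE = re.compile(r'^(?P<t>\d+(?:\.\d+)?)\s+(?P<api>[A-Z_]+)\s*(?P<args>.*)$')
ARG_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
URL_RE = re.compile(r'https?://\S+')

WINDOW_S = 60.0      # the SMS burst must follow the contacts read within this long
MIN_TARGETS = 5      # distinct recipients before we call it a burst


def parse_trace(text):
    """'<seconds> <API> k=v k="v v"' lines -> [(t, api, {k: v})]."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        args = {k: v.strip('"') for k, v in ARG_RE.findall(m.group("args"))}
        events.append((float(m.group("t")), m.group("api"), args))
    return events


def detect_sms_worm(events):
    """A finding if, shortly after READ_CONTACTS, SMS with a link go to many numbers."""
    sends = [(t, a) for t, api, a in events if api == "SEND_SMS"]
    for t0, api, _ in events:
        if api != "READ_CONTACTS":
            continue
        burst = [a for t, a in sends if t0 <= t <= t0 + WINDOW_S]
        targets = {a.get("to") for a in burst} - {None}
        urls = {u for a in burst for u in URL_RE.findall(a.get("body", ""))}
        if len(targets) >= MIN_TARGETS and urls:
            return {"rule": "sms_worm", "contacts_read_at": t0,
                    "targets": len(targets), "urls": sorted(urls)}
    return None


def scan_trace(text):
    return detect_sms_worm(parse_trace(text))


SPAM = ('Hey {name}, I am sending you $200 Amazon Gift Card '
        'You can Claim it here : https://bit.ly/getAmazonReward')
CONTACTS = ["Alice", "Bob", "Carol", "Dave", "Eve", "Frank"]

# Constructed trace of the worm-like app: one contacts read, then a fan-out.
WORM_TRACE = "0.20 START pkg=com.example.giftcard\n0.95 READ_CONTACTS count=6\n" + "".join(
    f'{1.4 + 0.3 * i:.2f} SEND_SMS to=+1555010000{i} body="{SPAM.format(name=n)}"\n'
    for i, n in enumerate(CONTACTS))

# Constructed trace of a normal messenger: the user picks one contact and sends a plain text.
BENIGN_TRACE = """
0.30 START pkg=com.example.messenger
4.10 UI_CLICK view=contact_picker
4.25 READ_CONTACTS count=1
9.80 SEND_SMS to=+15550100001 body="running late, see you at 7"
"""

if __name__ == "__main__":
    print(scan_trace(WORM_TRACE))
    print(scan_trace(BENIGN_TRACE))
```

The rule keys on the sequence (a contacts read, then SMS carrying a link to many distinct numbers inside a short window) rather than on the APK’s hash or the bit.ly domain, so a repacked sample with a fresh link still trips it. The window and fan-out thresholds are the tunable parts, and a legitimate group-messaging app is the false-positive case to test them against.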

Posted by & filed under malware.

Authors: Jinjian Zhai, Tianfang Guo

Spyware targeting Android phones has been a steadily growing malware group since early 2014. For example, a sample of the Android.Spy malware family (MD5: 14d9f1a92dd984d6040cc41ed06e273e) was first reported on 01/26/2014, with only 1 out of 48 AV vendors detecting it as malware at that time [1].

Initial scanning result: 1 of 48 detections.

The malware disguised itself as a kind of Google service, using a google package name, and tried to monitor the Android phone and intercept incoming calls to record the audio.

It can even silence the ringer and vibration in order to record the phone call to a file on the phone.

The recorded audio file can then be uploaded together with other files as soon as the malware client receives the “FIL” command from the command and control (CNC) server.

 

The spying malware family never stops evolving. Recently, AVG Virus Labs reported a new malware that can spy on users even after the mobile phone has been “turned off” [2].

The story starts when you press the power button. The sequence of Android events when the power button is pressed has been described in an earlier blog [3] as well as in the AVG blog [2]:

  1. PhoneWindowManager.interceptKeyBeforeQueueing() is called.
  2. Execution reaches the KeyEvent.KEYCODE_POWER case.
  3. interceptPowerKeyDown() is called.
  4. Finally, the phone is shut down while the mPowerLongPress runnable (a long press of the power key) is handled.

 

Building on this sequence, Tencent Labs published an open-source proof-of-concept (PoC) tool, “hijackAndroidPowerOff” [4], to demonstrate how the TelephonyManager class can be abused to keep the victim’s phone reachable [5] after it has supposedly been turned off. No scanning result for the provided sample [4] has been published since its release, and because the platform the tool is built on is considered benign by many scanners, it is doubtful that the tool would be detected as malware.

The tool [4] is an Xposed module [6]; Xposed is a runtime hooking framework for Android phones [7]. Relying on the Xposed package to hook most of the Android framework, the hijackAndroidPowerOff tool hooks the shutdown() method of the PhoneWindowManager class. Using the de.robv.android.xposed.XC_MethodHook abstract class that the Xposed package provides, the author overrides afterHookedMethod() of XC_MethodHook.

In the overriding method, shutdown() is redirected to a fake “Shut Down” dialog, which starts the myCancelShutdownDialog Runnable; its name implies it is the fake counterpart of the authentic myShutdownDialog Runnable.

In the strangely named myCancelShutdownDialog Runnable, run() is overridden to perform every step that precedes a real shutdown, except that the “shutdown” system call is replaced by the goToSleep() method. The author then adds an extra call-monitoring method, listenCall().

The listenCall() method hands off to a BroadcastReceiver that is no more than an ordinary call-monitoring routine. Note that meanwhile the phone is actually sleeping instead of shut down, although both states show a black screen.

As stated at the beginning of this post, the call-monitoring code could easily be replaced by any number of malicious payloads, such as audio recording or a CNC client, that keep running while the Android phone is actually sleeping instead of powered off. A sleeping phone cannot hide everything: it still drains the battery, and removing the battery ends it where a faked dialog cannot.

Furthermore, such code is built on popular tools like Xposed and conceals itself under com.google or obfuscated package names. Signature-based AV vendors are not able to detect the real snippet of the malware; in this case, only behavior-based antivirus tools can find the needle in the haystack.
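Hook-target triage for Xposed modules, as an added Python example (neither Trustlook’s detector nor the PoC’s own Java). A decompiler can list every framework method a module hooks and the calls made inside each hook body; this check scores such records against the fake-power-off pattern described above. The record format and both sample modules are constructed, and the framework class paths are the pre-Lollipop ones the post refers to (they moved in later releases).

```python
"""Hook-target triage for Xposed modules, added as an example in Python
(not Trustlook's detector and not the PoC's Java). A decompiler can list
every method a module hooks and the framework calls made inside each
hook body; this check scores those records against the fake-power-off
pattern described above. The record format and both sample modules are
constructed, and the framework class paths are the pre-Lollipop ones
the post refers to (they moved in later releases).
"""

# Hook targets that sit on the real power-off path.
SHUTDOWN_TARGETS = {
    "com.android.internal.policy.impl.PhoneWindowManager.shutdown",
}
# Black screen without a power-off: the OS, the radio and the module keep running.
SLEEP_CALLS = {"android.os.PowerManager.goToSleep"}
# Anything that turns the "sleeping" phone into a listening device.
MONITOR_CALLS = {
    "android.telephony.TelephonyManager.listen",
    "android.content.Context.registerReceiver",     # e.g. for PHONE_STATE
    "android.media.MediaRecorder.start",
}


def triage(module, hooks):
    """hooks: [{"target": "<class>.<method>", "calls": [qualified names]}] -> verdict."""
    tags = set()
    for h in hooks:
        calls = set(h.get("calls", ()))
        if h["target"] in SHUTDOWN_TARGETS:
            tags.add("hooks_shutdown")
            if calls & SLEEP_CALLS:
                tags.add("sleep_instead_of_shutdown")
            if calls & MONITOR_CALLS:
                tags.add("monitor_armed_at_shutdown")
        if calls & MONITOR_CALLS:
            tags.add("call_monitoring")
    if {"sleep_instead_of_shutdown", "call_monitoring"} <= tags:
        verdict = "fake-power-off spyware pattern"
    elif "hooks_shutdown" in tags:
        verdict = "review: hooks the power-off path"
    else:
        verdict = "no power-off indicators"
    return {"module": module, "tags": sorted(tags), "verdict": verdict}


# Constructed records mirroring the PoC: shutdown() is hooked, and the hook
# shows a dialog, puts the device to sleep and starts listening to calls.
SUSPECT_HOOKS = [
    {"target": "com.android.internal.policy.impl.PhoneWindowManager.shutdown",
     "calls": ["android.app.AlertDialog.show",
               "android.os.PowerManager.goToSleep",
               "android.telephony.TelephonyManager.listen"]},
]

# Constructed benign module: restyles the status-bar clock, nothing else.
CLOCK_HOOKS = [
    {"target": "com.android.systemui.statusbar.policy.Clock.updateClock",
     "calls": ["android.widget.TextView.setText"]},
]

if __name__ == "__main__":
    # Module names are hypothetical; the first imitates the com.google disguise.
    print(triage("com.google.example.update", SUSPECT_HOOKS))
    print(triage("com.example.clocktweak", CLOCK_HOOKS))
```

The point of scoring hook targets rather than code bytes is that the same module survives repackaging and package renaming untouched: whatever it calls itself, a module that hooks the shutdown path, calls goToSleep() and arms a phone-state listener is doing the thing described above.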

 

REFERENCE:

[1] https://www.virustotal.com/en/file/be0df39d6e334908c685e4c77b89efc49cc9bddc528a7c2434576b5a8b740f88/analysis/
[2] http://now.avg.com/malware-is-still-spying-on-you-after-your-mobile-is-off/
[3] http://www.jiandande.com/html/bianchengjiqiao/androidkaifa/2014/1128/5189.html
[4] http://security.tencent.com/index.php/opensource/detail/14
[5] https://github.com/monstersb/hijackAndroidPowerOff/blob/master/src/com/example/hijackpoweroff/Callbacks.java
[6] http://repo.xposed.info
[7] http://m.blog.csdn.net/blog/wxyyxc1992/17320911

Posted by & filed under Announcement.

Trustlook Antivirus & Mobile Security Reaches 3 Million Mobile Users

2014_Chritmas_Images-01

Trustlook Inc., an innovator in next-generation mobile security solutions, today announced that as of Dec 24th, 2014 it has protected 3 million mobile devices across 226 countries with its most popular Android security application, Trustlook Antivirus & Mobile Security.

As more security breaches occurred in 2014, many users started installing mobile security applications to protect their devices and private data. Trustlook’s Antivirus & Mobile Security app provides a much quicker security response and more accurate analysis of security breaches and malware. It also offers comprehensive protection features such as anti-theft, data backup/restore and a memory boost.

“Three million users’ trust could not be a better Christmas gift,” said Allan Zhang, CEO of Trustlook. “The Trustlook team will continue focusing on designing and developing the best mobile security application. As for application licensing, we have no plan to charge users a $20-$30 annual fee and at Trustlook we always believe that the best things should be FREE.”

In its latest major release, Trustlook added two major features: 1) web security, which filters out inappropriate web content to protect families and schools, and 2) pirated application detection, which identifies fake applications installed on users’ phones to steal private information.

Posted by & filed under Announcement.

Dear customer,

In the past 48 hours we have experienced very heavy traffic, more than double what our servers could handle. This caused processing delays on the servers, and many users experienced unsuccessful sign in/sign up and related problems. We are sorry for the inconvenience and have been working on the problem for the past two days. All problems are now solved, and we apologize again for this incident. Please feel free to contact us at support@trustlook.com if you have any questions in the future. We hope you enjoy using our app and would like to hear from you. Thanks for your support!

Sincerely,

Trustlook Team

Posted by & filed under News.

Our new widget gives users a quick way to boost device speed, turn on the flashlight, scan for viruses and check the weather.

Trustlook’s latest version is ready to download now! Version 2.4.3 includes the following updates:

  1. Widget & Floating Widget
  2. New SD card scan animation
  3. A confirmation dialog shown after a problem has been resolved
  4. Several bug fixes

Widgets make your phone experience easier, faster and more convenient. You can now add one regular widget and one floating widget. Excited about the new feature and can’t wait to try it? Here is how.

How to add the regular widget to the home screen?

  1. Make sure you have enough home screen space to place the Trustlook widget; it only takes a 4×1 space (1 row).
  2. Long press the home screen until you can choose “Widgets”, find “Trustlook Security” on the widget pages, and drag it to the home screen.

How to add the floating widget?

  1. Open Trustlook Antivirus & Mobile Security.
  2. Select the side menu at the top right corner and then select About.
  3. On the About page, select Settings, then turn on the Floating Widget.
  4. After the Floating Widget is turned on, a blue circle (with a white center) appears; touch the circle to show or hide the Floating Widget.
  5. Press and hold the circle for 2 seconds to turn off the Floating Widget.

We hope you enjoy the new widgets! Try them out and feel free to tell us what you think so that we can improve and provide a better service: support@trustlook.com. We’d love to hear from you!