Posted by & filed under malware, potentially unwanted app, Virus, zero-day.


Authors: Tianfang Guo, Jinjian Zhai

(Further reading about the XcodeGhost: the original story and detailed analysis)

Reflections on Trusting Trust

In 1984, Ken Thompson, the “Father of Unix”, described in his speech the first compiler backdoor he had built, which allowed him to log in with “su” privilege to any Unix system at Bell Labs in the 1970s. To find this backdoor, his colleagues reviewed the Unix source code and found nothing; they never suspected that it was the compiler that had planted the backdoor. The author believes Ken’s message is that, before searching for security holes, one should first be clear about which parties one can and cannot trust, which is why he named the speech “Reflections on Trusting Trust”.

Thirty years later, we witnessed the consequence of “Trusting UnTrust”: everyone was alert to the apps, but gave unconditional trust to the compiler that builds them. As a result, XcodeGhost infected more than 4000 apps on the iOS App Store, according to FireEye.

The injected malicious code could upload the victim’s private data to a remote server. It could also pop up message boxes on request from the server, which could potentially be used for phishing or for luring users into downloading more malicious apps. Luckily the latter functionality seems not to have been used before the C&C server was shut down. Yet it would still have been possible for an attacker anywhere on the Internet to hijack the HTTP traffic and reactivate this backdoor.


Apple has also reacted to this incident by pulling 400+ infected apps.

XcodeGhost is the first successful example of distributing a large number of malware samples into the iOS App Store. Its impact raises many questions.

Who’s at fault?

Most victims are from China, which is understandable. It took days to download Xcode in China from the official source. Some places suffer frequent disconnections (we are not sure whether the Great Firewall causes them), making a complete download mission impossible. On the other hand, local download links could easily be found in developer communities and were conveniently hosted by Chinese cloud storage vendors such as Baidu. The attacker apparently took advantage of this situation to launch the attack. As in Ken’s story from the 1970s, people fully trusted an infected build environment that was distributed through peer-to-peer download channels.

What surprised us is that, beyond individual developers, even the largest players in the industry, e.g. Tencent, did not escape. Large companies certainly have the means to download their IDEs from official sites, e.g. over a Virtual Private Network. Laziness or ignorance? Apple could also have deployed CDN servers in China, but chose to ignore the developers in its 2nd largest market.

Also, repackaging a signed dmg file should not be an easy job on OS X. After 10.7.5, the Gatekeeper mechanism was introduced, which verifies an app’s file digests upon first launch. Adding or modifying files in the dmg will therefore cause verification failure and rejection.

Gatekeeper is turned on by default. According to our survey, most iOS developers have turned it off; some said it was for the convenience of adding 3rd party extensions to Xcode.


Is it over?

There are follow-ups to this incident: the Unity framework distributed in China has also been found to be infected. The samples have the same malicious logic; the only difference is the domain names of the C&C servers.

Technically, the Android IDE is as fragile as Xcode under a compiler attack. As shown below, all the fundamental Java packages are under the /lib folder of the project. It is entirely possible to inject malicious code into one of them and repackage the installation dmg of Android Studio. As a result, all APKs built by the Studio (including the IDE) would be infected.

Trustlook is closely watching for similar attacks on Android. We will update this blog if we find any infected frameworks.


Posted by & filed under vulnerability, zero-day.

Authors: Tianfang Guo, Jinjian Zhai, Allan Zhang

“When you do not have the means to attack your enemy directly, then attack using the strength of another. Trick an ally into attacking him, bribe an official to turn traitor, or use the enemy’s own strength against him.”
– “Kill with a borrowed sword”, Thirty-Six Stratagems, Sun Tzu

After showing the “master key” and “FakeID” vulnerabilities in Android’s signature verification, today we demonstrate a new vulnerability. It was first discovered by Alibaba’s security team and disclosed at the BlackHat Mobile Security Summit 2015.

In this article we will highlight one of the major vulnerabilities in Android signature verification, and demonstrate a new way to exploit it: “killing with a borrowed sword”, namely getting antivirus software to remove an innocent target app.

Android’s signature mechanism

Android is decentralized not only in its system, but also in its app distribution. To ensure an app’s integrity and traceability, Android requires that all apps be signed with the developer’s private key. Once signed, an app is linked to the developer through that developer’s public key (or certificate). Thus any change in the package will result in signature verification failure and rejection upon installation.


The signature verification process is shown in the figure above. For each file in the package, a digest is computed with the SHA-1 hash function. The digests are then encrypted with the developer’s private key and placed in the certificate file (ending with .RSA or .DSA, depending on the public key algorithm). Without the developer’s private key, nobody can forge or modify any file.


SHA-1 digests of the files, in the CERT.SF file in the META-INF folder.

The vulnerability

There is a loophole in Android’s signature mechanism: a file that contains the package’s digests cannot itself be included in the file digest list.

This is obvious: it is difficult to generate a file containing its own SHA-1 hash. In other words, finding A and B such that hash(AB) = A is infeasible. So the digest summary file, CERT.SF, cannot contain its own SHA-1 digest.

Let’s look in detail at how Android handles this dilemma:

In Android OS source code: libcore/luni/src/main/java/java/util/jar/

Any file ending with .SF, .DSA, .RSA or .EC, and any file in the META-INF folder, is ignored when verifying the signature. That gives attackers a chance to put arbitrary files into the package without breaking signature verification.

To launch an attack:

1. Prepare a malware file (e.g. the EICAR test file, which is identified by most antivirus vendors), and the APK you would like the AVs to remove.

2. Unzip the APK, put the malware file into the META-INF folder, and zip it back. Due to the vulnerability, you now have an APK file which contains malware components, yet is still identified as legitimate by certificate verification.

3. Replace the original APK on the user’s phone. You need a 3rd party app to download the repacked APK from the Internet and fool the user with an “upgrade notification”. Then the upgrade activity is launched with a new Intent:

Intent intent = new Intent(Intent.ACTION_VIEW);
intent.setDataAndType(Uri.fromFile(new File("[repacked APK path]")), "application/");

Even when the version of the repackaged APK is the same as the original, the repackaged one can still replace the original.

4. Additional attack: if the repacked APK is uploaded to an Android app market, it will be identified as written by the original developer rather than as repackaged by an attacker. If that market scans for viruses before publishing, the original developer might get into trouble because the repackaged app, signed with their certificate, contains malware (namely, the EICAR test file).

The proof-of-concept video can be found at the link below, where the genuine ‘Angry Birds 2’ app is replaced by the repackaged app containing malware. The McAfee antivirus software, with its signature-based detection, then identified it as malware:

To fix it

To fix this vulnerability, the digest files cannot simply be skipped when calculating digests, at least not by file extension or folder name. To solve the self-digest conflict, here is a simple idea: fill the self-digest field with 0x00 before calculating the SHA-1 of the CERT.SF file:


With this approach, no file would be ignored: every file would be verified against the digest list, and any added file would cause an authentication error.
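As an added illustration (this is not the page’s code, nor Android’s verifier), the Python script below does two things: it audits a package against the per-file SHA-1 list in MANIFEST.MF (which CERT.SF in turn digests) and reports every entry, inside META-INF or not, that the manifest never covered, which is exactly where a repacked file hides; and it implements the zero-fill self-digest idea above for CERT.SF. The sample APK is constructed in memory, and the SHA1-Digest-Self header name is an assumption.

```python
import base64
import hashlib
import io
import zipfile

MANIFEST_NAME = "META-INF/MANIFEST.MF"
# Signature metadata that carries no digest of its own. Android's JarVerifier skips
# these by extension and, the loophole, everything else under META-INF/ as well.
SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")
SELF_HEADER = "SHA1-Digest-Self: "  # hypothetical header for the zero-fill fix below


def sha1_b64(data):
    """SHA-1 of data, base64-encoded the way the manifest stores digests."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def parse_digests(text):
    """Return {entry name: SHA1-Digest} from a MANIFEST.MF body. Sections are
    separated by blank lines; long values continue on lines starting with a
    single space, so those are unfolded first."""
    digests = {}
    for section in text.replace("\r\n", "\n").replace("\n ", "").split("\n\n"):
        name = digest = None
        for line in section.split("\n"):
            if line.startswith("Name: "):
                name = line[len("Name: "):]
            elif line.startswith("SHA1-Digest: "):
                digest = line[len("SHA1-Digest: "):]
        if name is not None and digest is not None:
            digests[name] = digest
    return digests


def audit_apk(apk_bytes):
    """Return (unlisted, mismatched): entries the manifest never covers, and
    entries whose content no longer matches the digest that was signed."""
    unlisted, mismatched = [], []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        digests = parse_digests(zf.read(MANIFEST_NAME).decode("utf-8"))
        for name in zf.namelist():
            if name.endswith("/") or name == MANIFEST_NAME:
                continue
            if name.startswith("META-INF/") and name.upper().endswith(SIGNATURE_SUFFIXES):
                continue  # the signature block itself, checked by the certificate instead
            expected = digests.get(name)
            if expected is None:
                unlisted.append(name)  # what a file smuggled into META-INF/ looks like
            elif sha1_b64(zf.read(name)) != expected:
                mismatched.append(name)
    return unlisted, mismatched


def add_self_digest(sf_text):
    """The page's fix idea: digest CERT.SF with its own digest field filled with 0x00."""
    zeros = base64.b64encode(b"\x00" * 20).decode("ascii")  # same width as a real digest
    template = sf_text + SELF_HEADER + zeros + "\n"
    return sf_text + SELF_HEADER + sha1_b64(template.encode("utf-8")) + "\n"


def verify_self_digest(sf_text):
    """Re-zero the self-digest field, recompute, and compare with the stored value."""
    body, header, value = sf_text.rpartition(SELF_HEADER)
    if not header:
        return False
    zeros = base64.b64encode(b"\x00" * 20).decode("ascii")
    return sha1_b64((body + SELF_HEADER + zeros + "\n").encode("utf-8")) == value.strip()


def build_sample_apk(extra_files=None, tamper=False):
    """Constructed stand-in for a signed APK: the manifest digests two payload files;
    CERT.SF and CERT.RSA are placeholders because only digest coverage is audited."""
    payload = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00constructed"}
    manifest = "Manifest-Version: 1.0\n\n"
    for name, data in payload.items():
        manifest += "Name: %s\nSHA1-Digest: %s\n\n" % (name, sha1_b64(data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in payload.items():
            zf.writestr(name, data + (b"X" if tamper and name == "classes.dex" else b""))
        zf.writestr(MANIFEST_NAME, manifest)
        zf.writestr("META-INF/CERT.SF", add_self_digest("Signature-Version: 1.0\n\n"))
        zf.writestr("META-INF/CERT.RSA", b"constructed placeholder for the PKCS#7 block")
        for name, data in (extra_files or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    repacked = build_sample_apk({"META-INF/eicar.txt": b"constructed stand-in for an AV test file"})
    print(audit_apk(build_sample_apk()))   # ([], [])
    print(audit_apk(repacked))             # (['META-INF/eicar.txt'], [])
```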

Posted by & filed under malware, vulnerability, zero-day.

Google addressed the Stagefright vulnerability by rapidly releasing the Android 5.1.1 Stagefright fix. However, the fix broke the widely used “recent activity” log access the developer community relied on. As a result, the Stagefright “fix” disabled many popular task management, parental control and app-locker Android applications. The Trustlook team moved quickly with a timely update to the Trustlook Mobile Security application: “Memory Boost”, our task management feature, continued to work as normal for millions of our users while others’ remained disabled.

The Nexus 6 screenshot below shows all is A-OK. Users can continue to keep their Android devices running in tip-top shape.

The story started at Black Hat 2015 (08/01-08/06), when an exploit called Stagefright was revealed to the public as a threat to over 95% of Android devices. The Stagefright exploit abuses the media playback library of the Android operating system to execute malicious code embedded in multimedia files. Later, on 08/12/2015, Google released the OTA with the Stagefright bug fix to address the vulnerability.

Immediately after users updated their Nexus 6 phones, they found:


As shown in the red box at the bottom-right of the screenshot, a user of a famous Task Killer app with 50 to 100 million downloads stated: “Latest update for Android 5.1.1 killed this app. …”

To further investigate the Android OTA update, we researched the top 10 Task Killer apps on Google Play and were shocked that (as late as 08/14/2015) all apps that are supposed to kill other unauthorized processes were actually ‘disabled’ by the OTA update.

Here are a few examples of the most popular ones:

The aforementioned Advanced Task Killer App has more than 50 Million downloads:


Exactly as described in the review, the app failed to access any of the processes in memory:



Here is another example:


Zapper Task Killer & Manager, with more than 1 million downloads, was developed by a renowned mobile antivirus vendor. Its process killer feature was blocked after the Android OTA update: no process other than Zapper itself was recognized, even though several apps and games were still running in the operating system. This means Zapper can no longer see any recent apps, let alone force-stop them.


The root cause of the problem is the new permission requirement of the ActivityManager.getRunningAppProcesses() method in Android 5.1.1. After the OTA update, the REAL_GET_TASKS permission needs to be requested from and granted by the user in order to get the full list of tasks and processes.


From this series of stories about Stagefright, the OTA and Task Killers, we can see that, due to the open-source nature of the Android Open Source Project (AOSP), vulnerabilities and exploits are discovered only a few days ahead of real zero-day attacks. Hence the community patches the Android operating system much faster, which may in turn require follow-up patches from third-party developers and antivirus vendors. In this evolving environment, the best strategy for Android users is:

1. to keep a keen eye on security updates for both the Android OS and antivirus apps,

2. to always use the most updated versions to protect the devices and the data.


Please contact for comments.

Authors: Jinjian Zhai, Tianfang Guo, Weimin Ding, Wilson Ye




Posted by & filed under potentially unwanted app, vulnerability.

Authors: Jinjian Zhai, Tianfang Guo

Nasir al-Wuhayshi had a bounty of 10 million USD issued by the US State Department in October 2014, and was killed in a US drone strike in the Hadhramaut Governorate of Yemen on 12 June 2015.

Explaining the mystery of how al-Wuhayshi got pinned in a vast area of desert land mass, CNN reported: “This was more than just luck. … He got sloppy and moved in a way that he could be tracked. … Classified high tech gear makes the strike possible. Eavesdropping of cell phone and monitoring of social media by the intelligence community is at all time high.”

According to CNN, eavesdropping on Nasir al-Wuhayshi’s cellphone disclosed his location, like something out of a 007 film. Mobile apps, especially social media applications, emerge as new sources of location intelligence.

Although this was a fatal example of the leakage of physical GPS metadata, the information was under the control of international law enforcement. You can imagine how much worse the circumstances could become had similar data been under the control of outlaws.

It seems similar privacy leakages aren’t as far off as Yemen. On June 17, Reuters reported large amounts of private data were stolen due to common flaws in application development: “Security researchers have uncovered a flaw in the way thousands of popular mobile applications store data online, leaving users’ personal information, including passwords, addresses, door codes and location data, vulnerable to hackers.”

Below is an example of a leaked GPS location from a compromised Android app.

com.songguo.hotel is a popular Android hotel booking app from one of the biggest online travel services in China. The version we analysed sent GPS locations to the Baidu Map service without any user input. The data, accurate to a few meters, was captured en route in plain text.

The plain text of GPS location.


The user’s high-accuracy location can be looked up from the GPS coordinates:



GPS-stealing behavior is detected by the Trustlook Mobile Security platform and application under the name “StealBy.Socket”.




The malicious “StealBy.Socket” behavior in Trustlook Mobile Security app:




Apps leaking GPS data were discovered as malicious by Trustlook Mobile Security:



There are ways to avoid leaking GPS location, including disabling location sharing entirely. Sometimes such notification windows are absent, as in the app we studied in this blog. Consumers should rely on antivirus applications to ensure privacy protection, not only from malware but also from the risky behavior of legitimate apps.

Other data leaks, including passwords, photos and medical data, will be investigated and published in the future. Stay tuned…

To read the full report of the sample from the Trustlook Antivirus platform, please contact :

Posted by & filed under malware, potentially unwanted app, zero-day.

Authors: Tianfang Guo, Jinjian Zhai; Special Thanks: Steven Chen

Last week, Trustlook exposed the Facebook credential-phishing malware “Cowboy Adventure”. In that article we pointed out that phishing is a kind of behavior that is difficult to detect with an automated technical approach. This may be one reason it sneaked past the Google Play Store’s “Bouncer” automated security check.

In this article, we will highlight several examples of zombie malware on Google Play that we very recently uncovered, called “Clickers”. They commit another stealthy kind of malicious behavior that is likely to be overlooked by automated analysis solutions.

A “Clicker” is malware that affects a large part of the mobile ecosystem, creating fraud for vendors, spamming networks and exploiting the resources of the user community. This form of malware launches requests through advertising links. “Clickers” generate costly, false user traffic for advertisers, while draining the user’s battery and consuming their monthly data plan allowance. Everyone loses when a “Clicker” is unleashed.




The latest malware we detected is called “Best: Dubsmash”. It has no actual functionality other than a confusing UI; most users are likely to spend some time trying to figure out what it does. Meanwhile, let’s see what it is doing in the background:



It communicates with a C&C server, which serves the target URL that it needs users to “click”.

According to our test, this URL returns a different URL each time you refresh it. Most of the URLs are porn sites.


Our behavioral analysis shows the zombie requests are generated using invisible WebView calls at a continuous 20s interval. There goes the user’s battery life and data plan. It will (or rather should) also create events on a properly monitored corporate network. Just what your SecOps team needs, right? More spam remediation.
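To show how such a clicker stands out in egress logs, here is an added example (not Trustlook’s detector) that scores each package on the two features from the analysis above: a fixed request period with little jitter, and a host set that changes almost every request. The log lines, package names and hosts are constructed.

```python
import re
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed on-device egress log (not a real capture). Assumed line format:
# "<ISO timestamp> <package name> <method> <url>"; packages are interleaved as they would be.
SAMPLE_LOG = """\
2015-07-13T14:00:00 com.example.bestdubsmash GET http://ad-a.example/landing?c=1
2015-07-13T14:00:00 com.example.chat GET https://chat.example/poll
2015-07-13T14:00:05 com.example.newsreader GET https://news.example/feed
2015-07-13T14:00:09 com.example.newsreader GET https://news.example/article/42
2015-07-13T14:00:20 com.example.bestdubsmash GET http://ad-b.example/click?c=2
2015-07-13T14:00:20 com.example.chat GET https://chat.example/poll
2015-07-13T14:00:40 com.example.chat GET https://chat.example/poll
2015-07-13T14:00:41 com.example.bestdubsmash GET http://ad-c.example/?c=3
2015-07-13T14:01:00 com.example.bestdubsmash GET http://ad-d.example/go?c=4
2015-07-13T14:01:00 com.example.chat GET https://chat.example/poll
2015-07-13T14:01:19 com.example.bestdubsmash GET http://ad-e.example/offer?c=5
2015-07-13T14:01:20 com.example.chat GET https://chat.example/poll
2015-07-13T14:01:30 com.example.newsreader GET https://news.example/article/43
2015-07-13T14:01:32 com.example.newsreader GET https://news.example/img/43.jpg
2015-07-13T14:01:40 com.example.bestdubsmash GET http://ad-f.example/?c=6
2015-07-13T14:05:00 com.example.newsreader GET https://news.example/feed
2015-07-13T14:05:03 com.example.newsreader GET https://news.example/article/44
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (?:GET|POST) (\S+)$")


def parse_log(text):
    """Group requests by package: {package: [(timestamp, host), ...]}."""
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.fromisoformat(m.group(1))
        events.setdefault(m.group(2), []).append((ts, urlparse(m.group(3)).hostname))
    return events


def beacon_stats(timestamps):
    """Mean gap in seconds and jitter (stddev/mean) for sorted request times, or
    None when there are too few gaps to judge regularity."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None
    period = mean(gaps)
    return period, (pstdev(gaps) / period if period > 0 else 0.0)


def find_clickers(log_text, min_requests=5, max_jitter=0.15, min_host_ratio=0.5):
    """Flag packages that fire requests on a fixed timer AND rotate through hosts.
    Either feature alone is common (a chat app polls one host on a timer; a news
    reader hits one host irregularly); the combination is the clicker pattern."""
    flagged = {}
    for package, events in parse_log(log_text).items():
        if len(events) < min_requests:
            continue
        events.sort(key=lambda e: e[0])
        stats = beacon_stats([t for t, _ in events])
        if stats is None:
            continue
        period, jitter = stats
        hosts = {h for _, h in events}
        if jitter <= max_jitter and len(hosts) / len(events) >= min_host_ratio:
            flagged[package] = {"period_s": round(period, 1), "jitter": round(jitter, 3),
                                "distinct_hosts": len(hosts)}
    return flagged


if __name__ == "__main__":
    print(find_clickers(SAMPLE_LOG))  # only com.example.bestdubsmash, period 20.0 s
```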



As of Jul 13, 2:40PM PST, this app, as well as 3 similar “clickers”, is still alive on Google Play. We have already reported this issue to our colleagues at Google Play and look forward to timely remediation.


Posted by & filed under malware, potentially unwanted app, zero-day.

Authors: Tianfang Guo, Jinjian Zhai

How many users can a stealthy piece of malware acquire after being published on Google Play? Hundreds? Thousands? We believe a new record has been set: 500k-1m downloads. This malware survived more than 4 months until the Trustlook research team uncovered it.

The holder of this dubious honor is a malware called “Cowboy Adventure”. It is a simple game made using the popular 2D game engine “Platformer 2D”. After careful analysis, our team found a devious and scary reason behind its user growth.



Beginning of the story

Days ago, we found some users complaining that their Facebook accounts had been abused to send a game invite to all their friends. Most of them speak Chinese:


After analysis, we found that “Cowboy Adventure” is actually phishing malware disguised as a game. It forges a Facebook login and collects users’ Facebook usernames and passwords. By spamming the victims’ friends, it spreads virally. Moreover, the phishing behavior is committed “selectively”: only IP addresses from Asia trigger it.


The detailed analysis


Above is the fake Facebook login window. If you have basic knowledge of OAuth, you know that no 3rd party should ask for your FB account in this way.

The app is developed using Mono, the open-source, cross-platform implementation of Microsoft’s .NET Framework. The app’s code is written in C# and compiled into several PE DLL files. We used Telerik JustDecompile and ILSpy to decompile it.

The key code is in 2 DLLs:

ThinkerAccountLibrary.dll: the component responsible for collecting user information, including Facebook accounts.
CowboyAdventure.dll: the game’s code. It also contains an entry activity that decides whether to pop up the phishing activity, based on the user’s location.

Upon launch, the app first communicates with a command & control server:

The returned data determines the app’s logic: start the game directly, or phish the user via the fake Facebook login activity.

During our test, the returned data was very tricky: the C&C server decides whether to commit the malicious behavior based on the client IP. When we accessed the URL from our IP in the United States, the returned data was as follows, with the “LoginEnabled” value 0:
In this case, the game will start without phishing.

However, if we access this URL via a proxy server in Mainland China, Hong Kong, Taiwan or S.E. Asia, the response is different:

Note the “LoginEnable” value has changed to 1. In this case, the app first pops up the phishing activity. This is probably a trick to delay its discovery by major antivirus vendors outside Asia. (And it worked!)

Here is our reverse-engineered code showing its logic:

The AppData class stores the data returned by the C&C server. “LoginEnable” indicates whether to phish, and “UrlHomePage” indicates the URL for submitting the users’ FB accounts.

As shown below, in the app’s main activity “HomeActivity”, the first activity shown to the user is decided by the value of “LoginEnable”.


After the phishing activity pops up and the victim enters their Facebook account, the email/password is sent to the URL specified in the C&C server’s returned JSON value “UrlHomePage”. The detailed logic is shown below:


We don’t know exactly what happens after the C&C server receives the users’ Facebook accounts and passwords, but we can guess: an automated script uses Facebook’s API to spread the malware through friend networks, attracting more and more victims.

Even at the time of writing this article, ZERO AV vendors can detect this malware according to . VirusTotal even gave the comment: “Probably harmless! There are strong indicators suggesting that this file is safe to use.”
That is the story behind a “legendary” malware on Google Play, which infected nearly 1M phones in 4 months. According to our analysis, no complicated technology is used: just a little social engineering and a small trick to evade detection.


Some thoughts

We have to ask: what went wrong? The author’s opinion is as follows:

1. Mono is a relatively new development framework, and is therefore good at evading analysis. This is not about difficulty, but cost-efficiency: as Jar packages are still the majority of Android threat sources, few vendors have integrated Mono and C# code analysis into their automated platforms.

2. Phishing is naturally difficult to detect via automated technical approaches. A phishing Facebook login activity is no different from a normal login activity at the code level. Only an experienced human can identify the forged images and layout.

3. The sneaky developer set up a location-based triggering mechanism. This may have fooled a lot of AV vendors outside Asia.

4. Some AV vendors place too much trust in Google Play. The slow reaction of AV vendors and VirusTotal’s result are the best evidence. The app’s high profile on Google Play might be a factor in VirusTotal giving the “Probably harmless” comment. Also, to our knowledge, some AV vendors give more trust to apps on Google Play during their automated analysis.


Update on Jul 9 3pm PST:

After more research, we found that the conclusion “the phishing only works for Asian IPs” is incorrect. It actually affects anywhere except the US and Canada.

Posted by & filed under malware, potentially unwanted app.

Authors: Tianfang Guo, Jinjian Zhai

When talking about the cybercrime industry, the “business model” is more important than the technology itself. According to Security Magazine, cybercrime is costing businesses more than $1,500 per employee annually. That’s likely a drop in the bucket compared to how much ransomware pirates are extorting from business.

Last year, we published an article, “Android Ransomwares – A True Threat or Bluffing”. Reviewing it today, most of the predictions in that article about the technologies used by Android ransomware have come true. Driven by profits, the ransomware makers have shelved ethics and laws, trying everything to force victims to pay. According to McAfee Labs, the number of ransomware requests grew 165% in Q1 2015. [1]

How can businesses proactively repel ransomware? Trustlook has reviewed a large number of ransomware samples in the last few weeks and is building a solution. This article analyzes the ideas and technologies behind ransomware and introduces Trustlook’s solution for detecting it.

Ransomware is best analyzed through 3 key metrics: how it blocks normal usage of your phone; how it receives payment from the victim; and how it spreads. We categorize ransomware by the first and foremost metric, how it blocks normal usage, into three classes or levels of severity:

  • Class A: They cause software-level damage to your phone, impairing data and/or gaining higher privileges to maintain command and control. These Android ransomware do on the phone what traditional ransomware does on the PC.
  • Class B: They do not cause damage or gain higher privileges, but they interfere with regular usage of the phone, e.g. by popping up “NAG”[2] messages that stay on top of the screen. They can be fixed more easily than Class A ransomware.
  • Class C: They do not use any technology to block usage; instead they rely on fraudulent information and social engineering to con victims. They are scam apps by nature rather than ransomware.

We will only discuss Class A and B ransomware in this article. All the malware mentioned in this article is now detected by Trustlook’s security solution.

Class A Ransomware:

Sample name: Android Performance Enhance
Package name: tx.qq898507339.bzy9
MD5: cdc77f3dfabdea5c5278ac9e50841ff3


  • Disguised as a system enhancement app
  • Tricks the user into authorizing device admin, including the change-screen-unlock-password and lock-screen permissions
  • Locks the screen with a password; victims are supposed to contact the author and make a payment to get the unlock password. We pretended to be a victim and contacted the author: he asked for 50 RMB (~$9) via AliPay (China’s PayPal)
  • Cannot be uninstalled using ADB due to the device admin privilege
  • Spread mainly in China, via Baidu “Tieba” (like China’s Reddit) and cloud storage

Ask for device admin


Lock screen with a password

Remove Difficulty: 4.5 stars
Transmission: 3 stars
Creativity: 3 stars
Overall Severity: 4.5 stars


Sample name: PornPlayer
Package name: com.ayurvedic
MD5: f91b39614dae1aae69337662dd287949


  • Disguised as a porn video player
  • Asks for device admin for self-protection
  • Encrypts media files using AES; the files are difficult to recover unless the key is intercepted before it is sent out
  • Pops up an always-on-top window asking for payment for the unlock key
  • Steals phone contacts and call logs
  • Cannot be uninstalled using ADB due to the device admin privilege




Our sandbox clearly intercepted the suspicious encryption operation and the encryption key:


Remove Difficulty: 5 stars

Transmission: 1 star

Creativity: 2 stars

Overall Severity: 5 stars


Sample name: Flash Player
Package name:
MD5: 645a60e6f4393e4b7e2ae16758dd3a11


  • Disguised as Flash Player
  • Asks for device admin for self-protection
  • Forged FBI surveillance message, popping up at 5s intervals
  • Asks for $300 via MoneyPak voucher code

Remove Difficulty: 4 stars

Transmission: 2 stars

Creativity: 3 stars

Overall Severity: 4 stars

Class A ransomware summary:

They are among the most severe types of malware on Android. Their logic is straightforward: block your phone usage, make sure you cannot recover on your own, then demand “data or money”.

As Android ransomware doesn’t have the privileges of its Windows equivalent, device admin became the critical path for it to do damage (wipe data, lock the screen with a password) and protect itself, and some users have no idea what device admin is, what it can do and how to revoke it. Even experienced Android users won’t be able to get into the “Settings” app to revoke it if the ransomware pops up an always-on-top activity by using the SYSTEM_ALERT_WINDOW permission (or by exploiting the device admin vulnerability).

Even without device admin, the WRITE_EXTERNAL_STORAGE permission allows the ransomware to encrypt the files on the SD card, including media files, as “hostages”.
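An added triage example (not Trustlook’s detection logic) that reads a decoded AndroidManifest.xml and maps the indicators discussed above onto the two classes: a receiver guarded by BIND_DEVICE_ADMIN marks device admin, SYSTEM_ALERT_WINDOW the always-on-top window, and WRITE_EXTERNAL_STORAGE the ability to hold SD-card files hostage. The manifests are constructed, and this is a prioritisation heuristic rather than a verdict, since many legitimate apps also request the overlay permission.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
STORAGE = "android.permission.WRITE_EXTERNAL_STORAGE"
# Permissions the samples above used as extortion leverage, with the role each played.
LEVERAGE = {
    "android.permission.CAMERA": "photo 'evidence'",
    "android.permission.READ_CONTACTS": "contact harvesting",
    "android.permission.READ_CALL_LOG": "call-log theft",
    "android.permission.SEND_SMS": "SMS self-spreading",
}


def has_device_admin_receiver(root):
    """A device-admin component is a <receiver> guarded by BIND_DEVICE_ADMIN and/or
    listening for DEVICE_ADMIN_ENABLED; either is enough to request admin rights."""
    for receiver in root.iter("receiver"):
        if receiver.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERMISSION:
            return True
        for action in receiver.iter("action"):
            if action.get(ANDROID_NS + "name") == DEVICE_ADMIN_ACTION:
                return True
    return False


def triage(manifest_xml):
    """Map manifest indicators onto the classes above. Triage only: SYSTEM_ALERT_WINDOW
    is also used by legitimate apps, so a Class B hit means 'look closer', not 'malware'."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    device_admin = has_device_admin_receiver(root)
    overlay = OVERLAY in perms
    if device_admin:
        cls = "Class A"  # can lock/wipe and survives 'adb uninstall'
    elif overlay:
        cls = "Class B"  # nag window only; removable once the trick is seen through
    else:
        cls = "none"
    return {
        "class": cls,
        "device_admin": device_admin,
        "overlay": overlay,
        "sdcard_hostage": STORAGE in perms,  # can encrypt media even without device admin
        "leverage": [LEVERAGE[p] for p in sorted(perms) if p in LEVERAGE],
    }


def _manifest(permissions, device_admin):
    """Build a constructed decoded manifest (the text form apktool would output)."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    admin = ""
    if device_admin:
        admin = ('<receiver android:name=".Admin" android:permission="%s">'
                 '<intent-filter><action android:name="%s"/></intent-filter></receiver>'
                 % (DEVICE_ADMIN_PERMISSION, DEVICE_ADMIN_ACTION))
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.sample">%s<application>%s</application></manifest>'
            % (uses, admin))


# Constructed manifests shaped like the PornPlayer and Video Player samples, plus a benign one.
CLASS_A_MANIFEST = _manifest([OVERLAY, STORAGE, "android.permission.READ_CONTACTS",
                              "android.permission.READ_CALL_LOG"], device_admin=True)
CLASS_B_MANIFEST = _manifest([OVERLAY, "android.permission.CAMERA",
                              "android.permission.READ_CONTACTS",
                              "android.permission.SEND_SMS"], device_admin=False)
BENIGN_MANIFEST = _manifest(["android.permission.INTERNET", STORAGE], device_admin=False)

if __name__ == "__main__":
    for label, m in (("A", CLASS_A_MANIFEST), ("B", CLASS_B_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(m))
```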


Class B Ransomware:

Sample name: Video Player
Package name: com.adobe.videoprayer
MD5: f836f5c6267f13bf9f6109a6b8d79175


  • Disguised as a video player
  • Pops up a fake FBI surveillance message
  • Sets the activity always on top; cannot be dismissed with the home/return button
  • Takes a photo in the background as “evidence”
  • Accesses the browser history
  • Steals the contacts and threatens to send the “evidence of watching child pornography” to the victim’s contacts
  • Asks for $500 via PayPal prepaid voucher card
  • Sends SMS in the background to the victim’s contacts with the download link, to spread virally



Our sandbox intercepted its background behaviors:


Remove Difficulty: 3 stars

Transmission: 5 stars

Creativity: 4.5 stars

Overall Severity: 5 stars


Sample name: APK compiler
Package name: com.qq2395414390
MD5: f836f5c6267f13bf9f6109a6b8d79175


  • Disguised as an APK enhancement app
  • Pops up a window that stays on top; cannot be dismissed with the home/return button
  • Plays a very loud sound to embarrass the victim in public
  • Victims are supposed to contact the author and make a payment
  • Spread via “QQ Group chat” (a famous PC messenger in China)


Remove Difficulty: 2 stars

Transmission: 3 stars

Creativity: 3 stars

Overall Severity: 3 stars



Class B ransomware summary:

The main idea behind Class B ransomware is “social engineering” rather than technology. They usually use sneaky ways to make users afraid or embarrassed so that they pay.

Most of them abuse the SYSTEM_ALERT_WINDOW permission to pop up an always-on-top window.

On the other hand, as they have neither device admin nor file encryption, they can easily be killed by a single “adb uninstall” command by an experienced Android user, once their tricks are unveiled.





Posted by & filed under malware, News.


It’s common sense for Android users to check the permission list before installing an app. If the app asks for access to SMS, your contact list or location, you know it may disclose your private information. What if a game app only asked for the Wi-Fi status permission? You might install it with ease, and unknowingly enable 3rd parties to track your location!

The Android LocationManager was considered the only way to acquire location data, and it requires the user’s approval of the ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION permissions. However, researchers at the Technical University of Denmark have discovered a covert channel to locate and track a user without permission, using the latent location signal disclosed by Wi-Fi scanning.

Android has opened Wi-Fi status data to developers. The only permission needed is ACCESS_WIFI_STATE, which is common and considered low risk (vs. the privacy-sensitive ACCESS_COARSE_LOCATION). Information now accessible to an Android developer includes:

  • Scanned SSID list
  • Scanned BSSID list
  • Signal strength for scanned list
  • IP Address for connected AP


Note that these metrics are accessible even with system wifi and location disabled! The code can be found here.

A phone can be easily tracked with the BSSID and signal strength data.
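As an added example (not code from this post or from the Technical University of Denmark researchers), here is a static check an analyst can run over an app’s AndroidManifest.xml to flag exactly this pattern: ACCESS_WIFI_STATE requested while no location permission is declared. The manifest, package name and function names below are constructed for the demo.

```python
# Added example: flag manifests that can read scanned BSSIDs/RSSI
# (ACCESS_WIFI_STATE) without declaring any location permission.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LOCATION_PERMS = {
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
}
WIFI_PERMS = {"android.permission.ACCESS_WIFI_STATE"}


def requested_permissions(manifest_xml):
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    # <uses-permission-sdk-23> is the API 23+ variant of the same element.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms


def audit_location_channels(manifest_xml):
    """Classify location exposure from the manifest alone.

    'declared' - a location permission the user will see at install time.
    'covert'   - no location permission, but ACCESS_WIFI_STATE lets the app
                 read nearby BSSIDs and signal strength and geolocate the
                 device through a public AP-location database.
    'none'     - neither.
    """
    perms = requested_permissions(manifest_xml)
    if perms & LOCATION_PERMS:
        return "declared"
    if perms & WIFI_PERMS:
        return "covert"
    return "none"


# Constructed sample manifest: a "game" asking only for Internet and wifi state.
GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <application android:label="Puzzle"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_location_channels(GAME_MANIFEST))  # covert
```

Android 6.0 and later additionally require a location permission before an app can read wifi scan results, which closes the manifest-only form of this channel on up-to-date devices; the check above is most useful for apps targeting the older devices discussed here.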

What is BSSID?

BSSID is short for basic service set identifier, which is the “MAC address” of the wireless access point. It is built from the vendor’s 24-bit Organizationally Unique Identifier (OUI) followed by a device-specific part. In short, the BSSID is a unique fingerprint for a wifi access point, unlike the SSID, which is human readable and can be duplicated.

If we can acquire a list of nearby BSSIDs and we know the wifi access points’ (AP) locations, we can locate the user within a small area, as most wifi APs are stationary and cannot broadcast further than 100m (research shows only 5% of them are mobile APs such as personal devices). Also, by using the real-time signal strength data, we can estimate the user’s movement track.

Next question: how many BSSIDs have known locations? Many, if not most, are available through a variety of services via API queries. One such website claims to hold location data for 195,741,189 wifi hotspots:



Living in the civilized world, could you escape such a web?

In the original paper, “Tracking Human Mobility using WiFi signals”, the authors highlight an example of following a user’s movement between home, 2 offices and a market, using the data from only 8 wifi access points:



They also published a PoC app, “WiFi Watchdog”, on Google Play. I tried it, and it was surprisingly accurate even though the app was granted no location permissions!



The same method also applies to iOS, which has stronger protection of user location data. Nonetheless, iOS still allows an app to read the BSSID of the currently connected wifi network.



A user can deny location requests on an iOS device at will. However, an app using the wifi BSSID can still obtain the user’s static location without asking.

Our research team is working on coverage of this covert channel privacy violation. Stay tuned for our update!




Posted by & filed under Announcement, New Feature.





What is “APK Insider”?

APK Insider is the first and only real-time sandbox analysis service in the mobile security industry. Instead of simply doing static analysis, it performs deep dynamic analysis of any app on the device to discover potential 0-day threats.


In what scenario should I use APK Insider?

If you strongly suspect that an app will do bad things on your phone, such as sending SMS to generate fees or stealing your contacts, you can upload it to APK Insider and we will run it before you do. Our sandbox simulates a virtual Android system and exposes potentially questionable behaviors while running the app. Afterwards, a behavior report is generated, with a conclusion on whether the app is safe or not.


Where is it?

Click the Menu button in the upper-right corner and you will see the beta version. Try it and let us know what you think so that we can improve!


How to use?

Choose the apps you want to check, then click “Submit” and “Ok, sure” to start the analysis.

Since the analysis runs in real time on our platform, please allow some time for processing.

The apps will be categorized automatically under “Analyzed APKs” and marked as safe or dangerous.

Simply click the dangerous app or the “Uninstall” button to eliminate potential risks.



Currently this feature is in its beta test stage and only open to selected customers.

Cannot see it in your app? Don’t worry, the official version is coming soon!

Let us know what you think if you tried it!

Posted by & filed under Announcement, News.


Dear Customers,

We are delighted to announce this month’s launch of Trustlook’s new Visual Identity Program, marking the next stage of our corporate growth. The Visual Identity program will focus on providing a higher level of integration of our vision, product and company culture. It will serve to unify and promote Trustlook’s distinct brand in the mobile security industry, as well as present an image of trust and reliability to customers worldwide. The new identity includes fresh designs for the company logo, app icon, customer website ( and official website( The implementation of these visual identity changes will be phased in during the month of May and will be in full effect by June 1st, 2015.



  • Company Logo


  1. The new Trustlook logo design is simple, yet bold. It abandons the previously used “shield” figure and uses a modern red color with a refreshing shape to represent the magnitude of the Trustlook brand.
  2. The spiral figure mimics the sharp “lightning” shape that represents the app’s ease of use and our quick response to 0-day malware – we are the only mobile security vendor that provides real-time malware detection.
  3. The spiral figure also mimics the image of DNA. It brings a fresh and unique feeling, which represents Trustlook as new blood in the mobile security industry.
  4. The new spiral logo also relates to the trilateral effort required to meet the three qualifications of trust: ability, integrity and benevolence, as well as the 360-degree approach we embrace as a company.
  5. ** The interim app icon is used temporarily and will be replaced by the new icon after we release our latest version.



  • App Icon


  1. Consistent with Trustlook’s brand image, the new app icon design is based on the new company logo, placed properly to visually balance composition and size. It is vivid and easily recognized in Google Play store as well as on mobile device screens.
  2. The outer circle of the icon, evocative of a scanning process gauge, highlights our app’s main feature – Scanning Malware for Detection on your devices.
  3. The color blue expresses a feeling of trust, reliability, safety, stabilization, and peace. The icon is also a symbol of these promises and just one of many exciting new developments to come.







  • Customer Website & Official Website

Based on the new company logo, we have redesigned the firm’s websites. Customers seeking Trustlook Antivirus & Mobile Security for their security needs, and business partners who want to find out more about our organization, will continue to find our technology platform, news and blogs there. The same values and messages we share as a new, innovative company are now presented in a crisp, clear and elegant format. Listening carefully to your input has helped us build a more organized and informative interface, helping customers manage their mobile devices online better and more easily.





This new VI program marks a new era in Trustlook’s evolution. It gives us the opportunity to remind our users, partners and investors of the value and impact of our mission: to become “your mobile security guardian for a Zero Day World”. We believe the new brand design will strengthen our unique identity around the world.

Let us know what you think!


Best regards,

Trustlook Team