Posted by & filed under News, vulnerability.


Days ago, Curesec had announced a vulnerability that allows the user to bypass phone call permissions on Android. A malicious developer could write an app that makes arbitrary phone calls, without the corresponding permission that an app should apply before making phone calls. Afterwards, the victim could face some expensive phone bills.

The affect Android versions include:

  • 2.3.3, API Level 10
  • 2.3.6, API Level 10
  • 4.1.1, API Level 16
  • 4.1.2, API Level 16
  • 4.2.2, API Level 17
  • 4.3 , API Level 18
  • 4.4.2, API Level 19

The vulnerability is caused by a logical error in the NotificationBroadcastReceiver class in package. When handling an ACTION_CALL_BACK_FROM_NOTIFICATION message, the code directly calls the dangerous ACTION_CALL_PRIVILEGED intent without the proper permission check, which allows an app to call any phone number by sending an ACTION_CALL_BACK_FROM_NOTIFICATION message to

The vulnerable code could be found at, in lines 1137 to 1145:

Screen Shot 2014-07-10 at 5.27.20 PM

To exploit this vulnerability, one could simply send an ACTION_CALL_BACK_FROM_NOTIFICATION message to the component, which carries the phone number inside the data content:

Screen Shot 2014-07-10 at 6.11.50 PM

Curesec has provided the proof-of-concept code and apk.

After having received the vulnerability report, the Trustlook team has added a detection module immediately. By using the static analysis engine, Trustlook Antivirus can detect the exploited code before it is triggered. So far, we haven’t detect any malwares that exploit this vulnerability to gain profit via unauthorized phone calls.

Screen Shot 2014-07-10 at 6.03.08 PM
Screen Shot 2014-07-10 at 6.02.54 PM

Posted by & filed under potentially unwanted app, vulnerability.


The Trustlook security team has recently discovered a number of apps that use the “TrustAllCerts” method in the SSL connection, which renders the secure connections built in these apps meaningless. An attacker could use a self-signed certificate to establish a connection with the victim, and become the Man-in-the-Middle for all the network traffic between the victim and the HTTPS server (In a real-world attack, this can happen on a ARP Spoofing attack, or on a compromised router). Afterwards, the attacker could intercept or even forge the network traffic (e.g. Username and Password submitted via form) sent in a SSL connection.

The root cause for this vulnerability is because some developers reloaded the checkClientTrusted() and checkServerTrusted() methods upon the SSL connection and made them return without actually checking. It is convenient under some certain scenarios (e.g. debugging), but after reloaded these methods, the app would completely neglect the validity of the certificate. According to our scanning result on Google Play, a large number of apps and SDKs have reloaded those methods, and some of them will leak sensitive information.

Untitled drawing

Take the Skout Android app as an example, which is a popular social app with 10M-50M installs:

Screen Shot 2014-06-11 at 10.18.40 PM
Screen Shot 2014-06-11 at 10.19.27 PM

The code that disables the certificate check(click to enlarge):

Screen Shot 2014-06-11 at 10.40.38 PM

We wrote a Proof-of-Concept tool, which could used self-signed certificate to establish a Man-in-the-Middle connection and sniff Skout’s network traffic. As you can see, the plaintext username and password could be intercepted:


Posted by & filed under malware.

Openness often brings about security risks. Several days ago, Szymon Sidor has published a blog that proved it possible to take a photo or video on Android without displaying any notifications. A malware can send the photos over the internet to the C&C server and spy on the victim. This is shown in the Proof-of-Concept below:

Taking photos without giving the preview UI is not recommended by Android, but it’s doable. It seems like a feature rather than a bug. Actually, lots of existing Android apps have already implemented this feature – take the “Find my Phone” app as an example. It can take photos using the front camera without giving any notifications, intended to snap the thief’s face once your phone is stolen.

According to our test, there are at least 3 ways of hiding the preview UI:

  • Set the preview UI size small enough (e.g. 1×1 pixel)
  • Set the preview UI margin large enough that it exceeds the visible screen area
  • Create the preview UI by using new() and not setting its position/size

We also made a Proof-of-Concept app, which could turn your phone into a spy camera, to demonstrate how easy it is to turn a feature into a malware.

Although not every backend snapping is malicious, it’s suspicious behavior. Trustlook Platform will log all the backend camera activities:

Screen Shot 2014-05-29 at 8.32.06 PM Screen Shot 2014-05-29 at 8.34.15 PM

The PoC code can be found at:

Posted by & filed under malware, potentially unwanted app.

What is a Ransomware?

When talking about the cybercrime industry, “business model” is often more important than technology itself. Ransomware is a kind of malware that restricts access to users’ system or data, and blackmails the victim for money to get the restriction removed. One of the most well-known(and profitable) ransomware on PC was Cryptolocker. Emerged in Eastern Europe and grown internationally at the end of 2013, Cryptolocker could encrypt the victim’s hard drive, and ask for 400 USD or equivalent value of Euro/BTC for the private key to decrypt. ZDNet once traced the four Bitcoin wallets used for receiving ransom, it shows a income of 41,928 BTC between October 15 and December 18, worth US$27 million at that time.[1]


Ransomwares on Android

While initially popular on PC, the ransomware scams has begun to cross-platform to Android. In this article, we will discuss 2 Android ransomwares our platform intercepted. The “Fakedefender” and “BaDoink”. Comparing to their PC version. Both technical standard and threat level is significantly lower, and mostly rely on social engineering for money scam.

Screen Shot 2014-05-19 at 10.15.10 PM
  • Name: Fakedefender (Trojan.FakeAV.D)
  • Package: com.avastmenow
  • MD5: E790C4295B8ADB23D090BAE5D6EB786A

Fakedefender is a very simple app, which only contains basic UI, and technically harmless to your phone. It pretended to be a pornography app, and an “antivirus” window (disguised as Avast) will suddenly pop up. Afterwards the following screen will be displayed, telling you that your phone has been locked and you need to pay $300 via MoneyPak to get it “unlocked”.

Screen Shot 2014-05-19 at 10.15.30 PM
  • Name: BaDoink (Trojan.Koler.A)
  • Package:
  • MD5: FB14553DE1F41E3FCDC8F68FD9EED831 / 67bde6039310b4bb9ccd9fcf2a721a45

Have you ever watched child porn? FBI is coming for you! The Trojan.Koler.A blackmails the user in a more professional way: It shows your IP and location, threats the you to be put in prison for 5-11 years due to downloading child porn – unless you pay a $300 fine. Moreover, it will keeps poping up the warning screen every minute, and hook the receivers to pop the warning screen every time you unlock the phone.


Threat or Bluffing?

Strictly speaking, those 2 examples are not “ransomware”, but scam apps. Because they cannot deal actual damage to the user’s data or phone. They scam money purely by social engineering. This is not only due to the malware developer’s technical skills, but also the design of Android. On Windows, every application would have full access of the entire storage by default, including the user’s personal data and system files. However, the Android apps’ permission is much more restricted. It’s storage access is limited to the app’s folder by default.

Let’s think from the attacker’s perspective: Is it possible to make a Android ransomware like PC Cryptolocker? The answer is yes. It is still doable for an Android developer to make an ransomware that can actually damage your phone or data to force you pay ransom.

Firstly, every app could access the SD card by applying the permission android.permission.WRITE_EXTERNAL_STORAGE. The attacker could write an app to encrypt the victim’s SD card, which may contain important data, and blackmail the user just like Cryptolocker does.

Second, there is an Android feature that can grant developer a higher privilege – the Device Admin APIs. It’s a powerful tool used by enterprises applications, which could change the phone’s passcode, encrypt the storage and even wipe out all data from the phone. To enable the device admin APIs, all a malware developer needs to do is to try attracting user to click “allow” on the permission screen.


Think about it, most users don’t know what is device admin, what can it do and how to disable it. Some users are getting used to click “allow” on all permission screens, especially when the ransomware is disguised into another trusted app. After the user clicked “allow”, the question would become: would you pay a few hundred bucks to save your phone data from being wiped out (or the passcode to re-access your phone)?

Third, for the rooted phones, the ransomware would have privilege to deal enough damage. Also, the ransomware might exploit vulnerabilities like “master key vulnerability” to escalate its privilege to a system app.

In conclusion, although the existing Android “ranspmwares” can be rather called a bluffing, the possibility of making a real “Android Cryptolocker” still exists, despite of the Android’s sandbox architecture. Trustlook Antivirus can now perfectly detect the ransomwares mentioned in this article.


[1] CryptoLocker’s crimewave: A trail of millions in laundered Bitcoin

Posted by & filed under News, vulnerability, zero-day.

Trustlook security team has decided to disclose a vulnerability we discovered on Audible, an Amazon App.

Screen Shot 2014-05-05 at 2.08.24 PM

Audible is a popular audio book App with 10M-50M installs. When accessing the backend server on AWS, Audible improperly handles the access method. The AWS credentials with the root privilege has been hardcoded inside the binary code of a library file. An attacker could extract the keys by reverse engineering, and gain access of Audible’s cloud infrastructure, do anything on behalf of the developer’s AWS account, including:

  • Create or shut down Amazon EC2 hosts
  • Add or delete Amazon S3 storage servers
  • Manipulate SNS and SQS services
  • Other features supported by AWS API: access backup volumes/snapshots, change security groups, etc…


Screen Shot 2014-05-05 at 2.54.33 PM

The possibility that unauthorized access and data leak has already happened on Audible’s cloud server cannot be excluded.

After the initial reporting, Trustlook has been actively contact Audible to fix this issue. On April 22, Audible has patched this vulnerability in a new release.



Mar 29  Vulnerability discovered
Apr 4  Vulnerability reported to Audible
Apr 17  Contact established
Apr 17  Audible claims a fix was in place, pending on releasing
Apr 22  Fixed version released on Google Play
May 5  Disclose

Posted by & filed under News, vulnerability.

This report is written 16 days after the vulnerability’s initial disclosure. The Trustlook team has analyzed Alexa’s top 1 million websites and over 120,000 apps from Google Play. To show you Heartbleed’s aftermath after 2 weeks and onward.

According to the scan results of the Alexa top 1 million websites, 451,470 websites have enabled SSL connections, and of them, 19,566 or 4.4% of websites are still vulnerable.

Screen Shot 2014-04-23 at 9.24.37 PM copy
Vulnerable websites, by percentage

Screen Shot 2014-04-25 at 11.58.14 AM
Vulnerable Websites, by Category

For mobile platforms, Android 4.1.1, which occupies 7% of Android market share, is vulnerable due to the OpenSSL version it used. What makes things worse is that Android is a highly fragmented OS, some 3rd party ROMs react slowly on patches and updates. After scanning 120,000 apps from Google Play, 8.7% of the apps that enables SSL connection have been found vulnerable, which affects more than 150 million users.

Screen Shot 2014-04-23 at 9.25.48 PM copy
Vulnerable Android Version, by percentage

Screen Shot 2014-04-24 at 11.50.37 AM copy
Vulnerable Android Apps

Screen Shot 2014-04-16 at 5.41.59 PM

Posted by & filed under Uncategorized.

We know the Heartbleeding is going on crazy. As some of the mobile devices is also impacted.  In order to easy your scan and testing work. Here Trusltook Research team has released a tiny swiss army toolkit, Heartbleed Pulse in Google Play.

Get it on Google Play

The application is super easy to use, It contains three sections.

At the first section, it will show your device information which includes the OpenSSL library is vulnerable or not and has the heartbeat feature is enable or not.




The second section contains the app scan feature. After simple click , the app scan result will be display at all



Third section listed some patched and unpatched website.If you want to test again your website, just fill your domain name in the text box and then click “check” button and  The result will come back in seconds.




Trustlook Antivirus

Trustlook Antivirus

If you want to get more protection, you can always download and install Trustlook Antivirus to get you more protection.



Posted by & filed under News, potentially unwanted app, vulnerability.


You may have heard that Heartbleed is a vulnerability that mainly affect the server side, for example, leaking your session IDs, account passwords and cookies while you are surfing a website, regardless of what client side you are using, a browser or an app.

According to our scanning, we found 24 apps have accessed Heartbleed impacted URLs, which means all the data that app communicated with server are in danger of being compromised by hackers. We already marked those apps as “High Risk” in Trustlook Antivirus.

Trustlook will keep updating the scanning results, add the newly found ones and remove the fixed ones. If you see the following warning, be careful:


Posted by & filed under News.

Screen Shot 2014-04-10 at 5.02.47 PM


This is a follow up about our previous post. We have found a popular file management & cloud storage app “File Expert” (over 20 million installs) has leaked their AWS credential in APK file, which allows attackers to gain access of the Amazon cloud infrastructure.

Screen Shot 2014-03-29 at 11.21.21 AM

Trustlook has been worked with File Expert team and the problem has already been fixed. The original leaked key is no longer valid, and the newest version has changed the implementation on accessing AWS. As the fix is on server side, it can no longer be exploited regardless of the app version.

We’ll keep update on our progress and discoveries on credential leak vulnerabilities.


Mar 30: Vulnerability discovered when scanning on Google Play
Apr 1: Notified Vendor
Apr 2: Vendor responsed, started investigation
Apr 6: Vulnerability confirmed and fixed.
Apr 10: Disclose

Posted by & filed under malware, potentially unwanted app.

Phone number is your important privacy. Any apps should not send it outside without your approval. Every week we find hundreds of apps that have stealing behavior. Here are some of them that we found last week. All of them has been identified as “high risk” on Trustlook Antivirus.

Business Insider
100,000 – 500,000 Installs

Report   Trustlook12 Report   Trustlook13

Block Calls & Caller ID
1-5 million installs

Report   Trustlook6

Report   Trustlook7

Tone Room Deluxe
1-5 million installs

Report   Trustlook4

Report   Trustlook5

Total Equipment Protection App
1-5 million installs

Report   Trustlook2

Report   Trustlook3

Antivirus & Security
100,000 – 500,000

Report   Trustlook10

Report   Trustlook11

Zlango Messaging

Report   Trustlook

Report   Trustlook1