Filed under Announcement, New Feature.

 

 


 

What is “APK Insider”?

APK Insider is the first and only real-time sandbox analysis service in the mobile security industry. Instead of stopping at static analysis, it performs deep dynamic analysis of any app on the device and discovers potential 0-day threats.

 

In what scenario should I use APK Insider?

If you suspect that an app will misbehave on your phone, for example by sending premium-rate SMS or stealing your contacts, upload it to APK Insider and we will run it before you do. Our sandbox simulates a virtual Android system and exposes questionable behaviors while the app runs. Afterwards a behavior report is generated with a verdict on whether the app is safe.

 

Where is it?

Click the Menu button in the upper-right corner and you will see the beta version. Try it and let us know what you think so that we can improve!

 

How to use?

Choose the apps you want to check, then click “Submit” and “Ok, sure” to start the analysis.

Since the analysis runs in real time on our platform, please allow some time for it to finish.

The apps are sorted automatically into “Analyzed APKs” and marked as safe or dangerous.

Click a dangerous app or the “Uninstall” button to remove the risk.

 

 

Currently this feature is in beta and open only to selected customers.

Can't see it in your app? Don't worry, the official version is coming soon!

Let us know what you think if you have tried it!

Filed under Announcement, News.

 

Dear Customers,

We are delighted to announce this month's launch of Trustlook's new Visual Identity Program, marking the next stage of our corporate growth. The Visual Identity program focuses on a higher level of integration of our vision, product and company culture. It will unify and promote Trustlook's distinct brand in the mobile security industry and present an image of trust and reliability to customers worldwide. The new identity includes fresh designs for the company logo, app icon, customer website (my.trustlook.com) and official website (www.trustlook.com). The visual identity changes will be phased in during May and will be in full effect by June 1st, 2015.


 

  • Company Logo

 

  1. The new Trustlook logo design is simple yet bold. It abandons the previously used “shield” figure and uses a modern red color with a refreshing shape to represent the magnitude of the Trustlook brand.
  2. The spiral figure mimics a sharp “lightning” shape that represents the app's ease of use and our quick response to 0-day malware; we are the only mobile security vendor that provides real-time malware detection.
  3. The spiral figure also mimics the image of DNA. It brings a fresh and unique feeling and represents Trustlook as new blood in the mobile security industry.
  4. The new spiral logo also relates to the trilateral effort required to meet the three qualifications of trust (ability, integrity and benevolence), as well as the 360-degree approach we embrace as a company.
  5. ** The interim app icon is used temporarily and will be replaced by the new icon after we release our latest version.

 

 

  • App Icon

 

  1. Consistent with Trustlook's brand image, the new app icon design is based on the new company logo, placed to balance composition and size visually. It is vivid and easily recognized in the Google Play store as well as on mobile device screens.
  2. The outer circle of the icon, evocative of a scanning progress gauge, highlights our app's main feature: scanning your devices to detect malware.
  3. The color blue expresses trust, reliability, safety, stability and peace. The icon is a symbol of these promises and just one of many exciting new developments to come.

 


 


 

 

  • Customer Website & Official Website

Based on the new company logo, we have redesigned the firm's websites, www.trustlook.com and my.trustlook.com. Customers seeking Trustlook Antivirus & Mobile Security for their security needs, and business partners who want to find out more about our organization, will continue to find our technology platform, news and blogs there. The same values and messages we share as a new, innovative company are now presented in a crisp, clear and elegant format. Listening carefully to your input has helped us make my.trustlook.com a more organized and informative interface, helping customers manage their mobile devices online more easily.

 


 

 

This new VI program marks a new era in Trustlook's evolution. It gives us the opportunity to remind our users, partners and investors of the value and impact of our mission: to become “your mobile security guardian for a Zero Day World”. We believe the new brand design will strengthen our unique identity around the world.

Let us know what you think!

 

Best regards,

Trustlook Team

 

 

Filed under News, potentially unwanted app.


Author: Tianfang Guo, Jinjian Zhai

According to our recent scan of the Google Play Store, more than 400 apps have been found to contain potentially risky behaviors that compromise user privacy. The Trustlook Mobile Security & Antivirus database now includes this list for your protection. A detailed analysis will follow in a separate blog post. The full list of apps can be found here.

What will happen if I install one of these apps?

All these apps share one risky behavior: sending sensitive information, including phone numbers, contacts, SMS, the photo gallery and geolocation, without the user's explicit knowledge. Once the apps' vendors have collected this data, it could be used for ad network identification or sold to other firms. [1]

Are they malware?

Not exactly: most of them are not built for malicious purposes per se, but they exploit a corner case of Google Play's developer policy. Furthermore, some of these apps have more than 10M users, a privacy exposure larger than most viruses.

What can you do to protect your phone?

When you open one of the apps on the list, be aware that some of your personal information may be collected. Try to find an alternative app, or do not open them unless absolutely necessary.

How does Trustlook discover them?

Trustlook built a cloud-based crawler system that efficiently mines data and collects APKs from app markets in multiple countries. Once collected, apps are analyzed by a behavioral analysis engine to expose questionable behavior.

Unlike most antivirus software, Trustlook does not only analyze apps statically; it also runs them in a native environment to monitor their dynamic behavior. A detailed analysis is generated with the behavior highlighted and the potential security risks explained.

In one sample, the contact list was captured by the app and sent to a remote server.

What's more, Trustlook's analytics platform implements “taint analysis”: it tracks the flow of sensitive data through memory and flags risky behavior as soon as tainted data appears in outbound traffic. Because the check keys on where the data came from rather than on a known signature, it can catch new malware and 0-day attacks promptly and protect Trustlook users' privacy in a timely manner.
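The idea behind this check, as an added example that is not Trustlook's code: a toy taint tracker replaying a constructed sandbox trace. Values read from sensitive sources carry labels, string operations and encodings propagate the labels, and a sink that receives a labelled value raises an alert. The API names, labels, trace format and the data in the trace are assumptions made for this example.

```python
"""Toy dynamic taint tracker (added example, not Trustlook's engine).

Replays a constructed trace of the kind a sandbox might record for one app
run. The event names, API names and the trace format are assumptions made
for this example.
"""
import base64
from dataclasses import dataclass

# Sensitive sources (assumed API names) and the label each one introduces.
SOURCES = {
    "ContactsContract.query": "CONTACTS",
    "TelephonyManager.getDeviceId": "IMEI",
    "LocationManager.getLastKnownLocation": "LOCATION",
}
# Outbound sinks: any labelled value reaching these is an exfiltration.
SINKS = {"HttpURLConnection.write", "SmsManager.sendTextMessage"}


@dataclass(frozen=True)
class Tainted:
    value: str
    labels: frozenset  # empty for untainted data


class TaintTracker:
    def __init__(self):
        self.vars = {}
        self.alerts = []

    def source(self, var, api, value):
        self.vars[var] = Tainted(value, frozenset({SOURCES[api]}))

    def literal(self, var, value):
        self.vars[var] = Tainted(value, frozenset())

    def concat(self, dst, *srcs):
        # Labels are unioned: one tainted operand taints the whole result.
        parts = [self.vars[s] for s in srcs]
        labels = frozenset().union(*(p.labels for p in parts))
        self.vars[dst] = Tainted("".join(p.value for p in parts), labels)

    def transform(self, dst, op, src):
        # Encoding changes the bytes but not the provenance, so base64 (or
        # encryption) before upload does not launder the taint.
        t = self.vars[src]
        if op != "base64":
            raise ValueError(f"unknown transform {op}")
        self.vars[dst] = Tainted(base64.b64encode(t.value.encode()).decode(), t.labels)

    def sink(self, api, var, dest):
        if api not in SINKS:
            return False
        t = self.vars[var]
        if t.labels:
            self.alerts.append((api, dest, sorted(t.labels)))
            return True
        return False


def analyze(trace):
    """Run a trace through the tracker and return the list of alerts."""
    tr = TaintTracker()
    handlers = {"source": tr.source, "literal": tr.literal, "concat": tr.concat,
                "transform": tr.transform, "sink": tr.sink}
    for kind, *args in trace:
        handlers[kind](*args)
    return tr.alerts


# Constructed trace (not captured from any real app): the app reads contacts
# and the IMEI, base64-encodes the contacts, POSTs both to its server, texts
# one contact a link built from that contact's name, and finally sends one
# harmless literal SMS that must not trigger an alert.
SAMPLE_TRACE = [
    ("source", "contacts", "ContactsContract.query", "Alice:+15551230001;Bob:+15551230002"),
    ("source", "imei", "TelephonyManager.getDeviceId", "356938035643809"),
    ("literal", "p1", "id="),
    ("literal", "p2", "&c="),
    ("transform", "enc", "base64", "contacts"),
    ("concat", "body", "p1", "imei", "p2", "enc"),
    ("sink", "HttpURLConnection.write", "body", "http://example.invalid/upload"),
    ("source", "name", "ContactsContract.query", "Bob"),
    ("literal", "g1", "Hey "),
    ("literal", "g2", ", claim it here: http://example.invalid/r"),
    ("concat", "sms", "g1", "name", "g2"),
    ("sink", "SmsManager.sendTextMessage", "sms", "+15551230002"),
    ("literal", "ok", "Your code is 1234"),
    ("sink", "SmsManager.sendTextMessage", "ok", "+15551230001"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_TRACE):
        print(alert)
```

Running the trace yields two alerts, the HTTP upload carrying CONTACTS and IMEI and the SMS carrying a contact name, while the literal SMS passes. The base64 step is the part worth noting: a signature on the plaintext would miss the encoded upload, but the label follows the data.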

The next risky apps report will be released soon, so stay tuned!

Reference
[1] https://www.fireeye.com/blog/threat-research/2014/03/a-little-bird-told-me-personal-information-sharing-in-angry-birds-and-its-ad-libraries.html

Filed under AVTest, News.

Achieving 99.9% Malware Detection Rate, Zero False Alerts and Usability & Protection Score of 6.0/6.0 in March 2015 Benchmark Testing


 

Trustlook earned a top score in AV-TEST benchmark testing in March 2015 with its popular Android security application Trustlook Antivirus & Mobile Security (http://bit.ly/1xeqTz2). Against a comprehensive set of 3077 malicious apps and 2784 legitimate apps, Trustlook joined the winners' circle again with a 99.9% detection rate, zero false alerts and full marks of 6.0/6.0 in all categories.

 

AV-Test benchmark testing continues to demonstrate a need for mobile security on smartphones, evaluating products for protection, performance and usability. Trustlook Antivirus & Mobile Security demonstrated the strength of its malware detection engine with full scores in all categories, without impacting the performance of the mobile device or its battery.

 

“Accurate, real time malware detection is key to protecting every mobile device user,” commented Allan Zhang, Trustlook CEO. “We make every effort to discover potential risks in phones as well as improve the user’s experience. Thanks to our automated malware analysis platform, Trustlook quickly delivers more accurate and comprehensive app analysis reports.”

 

Trustlook provides a quick security response to data breaches and malware exploits through comprehensive behavioral analysis, closing the window between the time malware appears and the time a device is compromised. Recently, Trustlook recognized the “Fake Amazon Giftcard” malware in 2 minutes, while 81% of antivirus programs still missed it after 24 hours.

 

 

About AV-TEST

AV-TEST GmbH is an independent supplier of services in the fields of IT security and antivirus research, focusing on the detection and analysis of the latest malicious software and its use in comprehensive comparative testing of security products. Please visit http://www.av-test.org/

 

Filed under Uncategorized.

Authors: Tianfang Guo, Jinjian Zhai

A few days ago, Lukas Stefanko from ESET discovered a new Remote Access Tool (RAT) disguised as a music app and uploaded to Google Play.


Once a victim installed it, the RAT could be activated by a remote attacker's command at any time and carry out a series of malicious actions, including:

  • Retrieving call logs, contacts, SMS and location
  • Uploading, downloading and removing arbitrary files
  • Sending SMS to subscribe to fee-based services
  • Turning the phone into a spy camera

What makes this RAT special is that it used Baidu's push notification service for command and control, instead of its own command and control server and HTTP traffic.

Push notifications on Android are delivered through a third-party service. Google Cloud Messaging (GCM) is the most common one: it is free and used by millions of apps. Baidu's Cloud Push service is the Chinese equivalent (GCM is not accessible in mainland China). Apparently the attacker bet that Baidu would not interfere with his business.

Using the notification service for command and control is quite a new approach for a RAT, with these advantages:

  • No server side needed: Baidu's infrastructure handles everything, from the command console to the push delivery.
  • Hard to detect: the network traffic looks no different from normal push notifications.

The developer console of Baidu Cloud allows pushing a notification to any registered device without writing a single line of code.

The control procedure: the attacker enters a command in the Baidu console, Baidu's push service delivers it to the infected device, and the RAT parses the notification and executes the command.

The RAT's code handles the commands received via notification.

We also found that the developer had leaked his Baidu secret key in the app, which is bad practice: anyone who extracts the key from the APK can use the same push channel.

Despite the earlier blog post (see References), this app had been on Google Play for nearly 6 months and can still be downloaded from some third-party app markets. The VirusTotal submission from Oct 2014 was most likely made by the malware writer himself, as a pre-release check of how AV products would react, and no antivirus detected it at that time because behavior-based mobile threat protection was lacking.

A convincing disguise and an innovative communication channel: that is how a piece of malware survives for an impressively long time. We will keep watching for this kind of threat and post updates on our blog.

Special Thanks to Steven Chen for providing us the sample.
References:
http://b0n1.blogspot.tw/2015/03/trojan-using-baidu-cloud-push-service.html

Filed under News, potentially unwanted app.


“Only when the tide goes out do you discover who’s been swimming naked”. – Warren Buffett


We recently found that “Automatic Virus Scanner” (ggg.tools.anti01), an antivirus app with 100k-500k downloads on Google Play, was actually a “placebo”: it has no protective functionality at all.

This app is built on the Unity framework, with plenty of animations and sounds.

Using it for the first time? You will be scared to find so many “red viruses” on your phone.


After you click the “clean” button, it starts “bombing” the viruses, and if you scan again it shows a clean result.

Looks real, huh? Let's find out what is really going on.


The “scan” logic (C# code on the Unity framework) reads several values from a local XML file: the “last scanned date” (the “y”, “m” and “d” values) and a flag for “whether the user has scanned before” (the “f” value). If the user has not scanned before, or the last scan was more than 3 days ago, it plays the “red virus” animation and displays “virus detected”. Otherwise it displays “no virus”.


This local XML file is the only basis for showing a positive result or not. It stores the time from which the app “should” detect viruses again, and the “f” value records whether the user has clicked “clean virus” before. If you delete this file, the app will always detect viruses.
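To make the placebo's decision concrete, here is an added re-implementation of the logic described above in Python; it is not the app's own code (which is C# and is only visible in the screenshots). The element names “y”, “m”, “d” and “f” come from the description; the root element name, the “1” encoding of the flag and the exact 3-day comparison are assumptions. The point it makes is that the verdict depends only on this file and the clock.

```python
"""Placebo 'scan' decision, re-implemented for illustration (added example).

Not the app's code. Element names y/m/d/f are from the post; the root
element, the flag encoding and the exact day threshold are assumptions.
"""
from datetime import date
import xml.etree.ElementTree as ET

STALE_AFTER_DAYS = 3  # assumed: "passed for 3 days" read as >= 3 days


def _as_date(d):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(d) if isinstance(d, str) else d


def load_state(xml_text):
    """Return (last_scan_date, cleaned_before); a missing or corrupt file gives (None, False)."""
    if not xml_text:
        return None, False
    try:
        root = ET.fromstring(xml_text)
        last = date(int(root.findtext("y")), int(root.findtext("m")), int(root.findtext("d")))
        cleaned = root.findtext("f") == "1"
        return last, cleaned
    except (ET.ParseError, TypeError, ValueError):
        return None, False


def fake_scan(xml_text, today):
    """What the placebo displays. Its only inputs are the state file and the date;
    no APK on the device is ever opened."""
    today = _as_date(today)
    last, cleaned = load_state(xml_text)
    if last is None or not cleaned:
        return "virus detected"       # first run, deleted file, or never "cleaned"
    if (today - last).days >= STALE_AFTER_DAYS:
        return "virus detected"       # the "viruses" come back on schedule
    return "no virus"


def after_clean(today):
    """State file the app writes once the user taps 'clean'."""
    today = _as_date(today)
    return (f"<state><y>{today.year}</y><m>{today.month}</m>"
            f"<d>{today.day}</d><f>1</f></state>")


if __name__ == "__main__":
    print(fake_scan(None, "2015-03-17"))                 # virus detected
    state = after_clean("2015-03-17")
    print(fake_scan(state, "2015-03-18"))                # no virus
    print(fake_scan(state, "2015-03-20"))                # virus detected
```

Deleting the file, corrupting it, or never having tapped “clean” all produce “virus detected”, and a clean result expires after three days regardless of what is installed, which matches the behaviour observed in the app.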

Also, in our dynamic analysis sandbox, only the statistics and ad URLs were visited while using this app. No backend was contacted, and no local APK was accessed during the scan.

Statistics and ad hosts are accessed, but no backend is found. It writes a config file, but no local APK file is read. How could it “scan”? This app only delivers a “sense of security”, not protection.

Filed under malware, zero-day.


Authors: Tianfang Guo, Jinjian Zhai

“Fake Amazon Giftcard” is a malware that has broken out in the last 48 hours. It is technically simple, yet it has infected 4,000 devices and sent over 200,000 spam SMS worldwide in less than 24 hours (source: http://goo.gl/cFs2BG).

Let’s see what it can do:

    • The app presents itself as a “survey for giftcard” app to attract installs.
    • Once installed, it reads the contact list and sends a spam SMS containing a download link to every one of the victim's contacts, so it spreads like a worm:

Hey [contact name], I am sending you $200 Amazon Gift Card You can Claim it here : https://bit.ly/getAmazonReward

    • The app's interface is a series of web-view surveys that collect a lot of the user's private information, especially from users eager for the gift card. The app also bundles an advertising SDK to generate more profit.

Trustlook intercepted a sample from our user base yesterday, Mar 3rd, and the dynamic analysis sandbox produced a detailed report within 2 minutes.


According to VirusTotal, at the time of interception only 2 out of 57 antivirus programs could identify it. After 24 hours, 46 out of 57 AV programs were still blind to this simple malware, and no AV program warned its users about the malicious link used to download it.


Another example of the superiority of behavioral analysis in the modern mobile era.

Filed under malware.

Authors: Jinjian Zhai, Tianfang Guo

Android spyware has been a steadily growing malware category since early 2014. For example, a sample of the Android.Spy malware family (MD5: 14d9f1a92dd984d6040cc41ed06e273e) was first reported on 01/26/2014, and at that time only 1 out of 48 AV vendors detected it as malware [1].

 

Initial scanning result.

 

The malware disguises itself as a kind of Google service, monitors the phone and intercepts incoming calls to record the audio.

 

The malware disguised itself as a Google package.

 

It can even suppress the ring and vibration in order to record the phone call to a file on the phone unnoticed.

 


 

The recorded audio file can then be uploaded along with other files as soon as the malware client receives the “FIL” command from the command and control (CNC) server.

 


 

The spying malware family never stops evolving. Recently AVG Virus Labs reported that a new malware can spy on users even when the phone appears to be turned off [2].

The story starts when you press the power button. The sequence of Android events triggered by the power button has been described in an earlier blog [3] as well as in the AVG blog [2].

First, the PhoneWindowManager.interceptKeyBeforeQueueing() method is called.

 


 

Second, control reaches the KeyEvent.KEYCODE_POWER case.

 


 

Then the interceptPowerKeyDown() method is called.

 


 

Finally, the phone is shut down when the mPowerLongPress runnable is handled.

 


 

Following this process, Tencent Labs published an open-source proof-of-concept (POC) tool, “hijackAndroidPowerOff” [4], that demonstrates how the TelephonyManager class is abused to keep the victim's phone reachable [5] after it has apparently been turned off. No scanning result for the provided sample [4] has been published. Because the platform the tool builds on is considered benign by many scanners, it is doubtful that the tool would be detected as malware.

The tool [4] is implemented on the Xposed platform [6], a framework that hooks Android methods at runtime [7]; it requires a rooted phone with the Xposed framework installed, which limits where this technique applies. Relying on the Xposed package to hook much of the Android SDK, hijackAndroidPowerOff hooks the shutdown() method of the PhoneWindowManager class. Using the de.robv.android.xposed.XC_MethodHook abstract class that the Xposed package provides, the hacker overrides afterHookedMethod() in the XC_MethodHook class.


 

In the overriding function, the shutdown() method leads to the fake “Shut Down” dialog and starts the myCancelShutdownDialog Runnable, whose name implies it is the fake version of the authentic myShutdownDialog Runnable.

 


 

In the strangely named myCancelShutdownDialog Runnable, the run() method is overridden to perform all the steps that precede shutting down the phone, except that the “shutdown” system call is replaced by the goToSleep() method. Then the hacker adds the extra call-monitoring method, listenCall().

 


 

The listenCall() method leads to a BroadcastReceiver that is no more than an ordinary call-monitoring routine. Note that meanwhile the phone is actually sleeping instead of shut down, although both states show a black screen.

 


 

As stated at the beginning of this post, the call-monitoring code could easily be replaced by other malicious payloads, such as audio recording or a CNC client, that run while the phone is actually sleeping rather than powered off.

Furthermore, such code builds on popular tools like Xposed and conceals itself in com.google or obfuscated package names. Signature-based AV vendors are not able to detect the real malicious snippet. In this case we can only depend on behavior-based antivirus tools to find the needle in the haystack.
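A quick static triage check a practitioner can run before the behavioral analysis, as an added example that is neither Trustlook's tooling nor part of the PoC: an Xposed module is an ordinary APK that lists its entry classes in assets/xposed_init and references the de.robv.android.xposed API from its dex, and the class and method names it passes to findAndHookMethod sit in the dex string pool. The script below flags a module whose strings name both PhoneWindowManager and shutdown. The fake APK it builds for its own test and the exact PhoneWindowManager class-name string are assumptions; a module that obfuscates these strings will be missed, which is precisely why the post argues for behavior-based detection.

```python
"""Static triage for Xposed modules that hook the power-off path (added example).

Not Trustlook's tooling and not part of the hijackAndroidPowerOff PoC. The
APK built by build_sample_apk() is a constructed stand-in: its classes.dex is
just a byte string, not a real dex file.
"""
import io
import zipfile

XPOSED_API = b"Lde/robv/android/xposed/"   # class-descriptor prefix of the Xposed API
POWER_TARGETS = {                            # strings a shutdown hook would need
    "PhoneWindowManager": b"com.android.internal.policy.impl.PhoneWindowManager",  # assumed class name
    "shutdown": b"shutdown",
    "goToSleep": b"goToSleep",
}


def triage_apk(apk_bytes):
    """Inspect an APK (zip) and report Xposed-module indicators.

    'suspicious' is True when the APK looks like an Xposed module and its dex
    strings name both PhoneWindowManager and shutdown."""
    findings = {"xposed_module": False, "entry_classes": [], "xposed_api": False,
                "targets": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        if "assets/xposed_init" in names:       # module entry-point list
            findings["xposed_module"] = True
            text = z.read("assets/xposed_init").decode("utf-8", "replace")
            findings["entry_classes"] = [ln.strip() for ln in text.splitlines() if ln.strip()]
        for name in sorted(names):              # classes.dex, classes2.dex, ...
            if name.startswith("classes") and name.endswith(".dex"):
                dex = z.read(name)
                if XPOSED_API in dex:
                    findings["xposed_api"] = True
                for label, needle in POWER_TARGETS.items():
                    if needle in dex and label not in findings["targets"]:
                        findings["targets"].append(label)
    is_module = findings["xposed_module"] or findings["xposed_api"]
    findings["suspicious"] = is_module and {"PhoneWindowManager", "shutdown"} <= set(findings["targets"])
    return findings


def build_sample_apk(entry_class, dex_strings):
    """Construct a minimal fake APK in memory for offline testing (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if entry_class:
            z.writestr("assets/xposed_init", entry_class + "\n")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0".join(dex_strings))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk("com.google.example.Callbacks", [
        b"Lde/robv/android/xposed/XC_MethodHook;",
        b"com.android.internal.policy.impl.PhoneWindowManager", b"shutdown", b"goToSleep"])
    print(triage_apk(sample))
```

The check is deliberately cheap: unzip, read one asset, scan the dex bytes. It will catch a PoC-grade module hiding under a com.google package name, and it will miss anything that encrypts or splits its strings, so treat a hit as a reason to run the sample in a sandbox and a miss as no information at all.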

 

References:

 

[1] https://www.virustotal.com/en/file/be0df39d6e334908c685e4c77b89efc49cc9bddc528a7c2434576b5a8b740f88/analysis/

[2] http://now.avg.com/malware-is-still-spying-on-you-after-your-mobile-is-off/

[3] http://www.jiandande.com/html/bianchengjiqiao/androidkaifa/2014/1128/5189.html

[4] http://security.tencent.com/index.php/opensource/detail/14

[5] https://github.com/monstersb/hijackAndroidPowerOff/blob/master/src/com/example/hijackpoweroff/Callbacks.java

[6] http://repo.xposed.info

[7] http://m.blog.csdn.net/blog/wxyyxc1992/17320911

 

 

 

Filed under Announcement.

Trustlook Antivirus & Mobile Security Reaches 3 Million Mobile Users


Trustlook Inc., an innovator in next-generation mobile security solutions, today announced as of Dec 24th, 2014, it has protected 3 million mobile devices across 226 countries with its most popular Android security application — Trustlook Antivirus & Mobile Security.

As more security breaches happened in 2014, many users started installing mobile security applications to protect their devices and private data. Trustlook's Antivirus and Mobile Security app provides a much quicker security response and more accurate analysis of security breaches and malware detection. It also offers comprehensive protection services such as anti-theft, data backup/restore and a memory boost.

“Three million users' trust could not be a better Christmas gift,” said Allan Zhang, CEO of Trustlook. “The Trustlook team will continue focusing on designing and developing the best mobile security application. As for application licensing, we have no plan to charge users a $20-$30 annual fee, and at Trustlook we always believe that the best things should be FREE.”

In its latest major release, Trustlook shipped two major features: 1) web security to filter out inappropriate web content, protecting families and schools; 2) pirated application detection to identify fake applications installed on users' phones to steal private information.