Trustlook’s zero-day malware analysis


Trustlook Sentinel Whitepaper Now Available!

Are you interested in learning more about one of the most groundbreaking technologies in mobile security? Trustlook Sentinel is the first ever 100% behavioral based malware detection engine built into the operating system of a mobile device. It’s provides real-time zero day detection of malware. Download the whitepaper here and discover when Sentinel is considered a Read More

Trustlook Releases BadKernel Vulnerability Detector

An Updated Version (Version 3.5.10) of the Trustlook Mobile Security App Identifies the BadKernel Issue Affecting 30 Million Android Users Trustlook has released a new feature in its Trustlook Mobile Security app that detects BadKernel, the widespread vulnerability affecting millions of Android devices. First discovered in August 2016, BadKernel is a flaw in the Google Read More


  “这不是bug,是功能。” -程序员常说 “这不是漏洞,是后门。” -黑客们常说   Trustlook在之前的一篇Blog已经demo过360浏览器上的新“虫洞”漏洞,这次将公布一些细节。 360浏览器安卓版不用多介绍了,在360,腾讯和豌豆荚上的下载量加起来超过4.6亿。这次的“任意门”漏洞威力要大过百度“虫洞”及360手机助手“异次元之门”:攻击者并非受限于几个远程控制功能,而是可以执行任意指令。在root过的手机上,可以毫无问题的远程静默安装及卸载app。如果做成蠕虫,批量扫描3G/4G网络,并自动攻击传播,后果不堪设想。 漏洞的演示视频如下: 受影响的安卓版360浏览器版本为6.9.9.70 beta及以下。在11月23日,有白帽子将漏洞发到了乌云(,24小时内Trustlook发布了漏洞的demo(。360在同一天更新了修复漏洞的6.9.9.71 beta。鉴于此漏洞的巨大危害,我们没有马上公布漏洞利用细节,给了用户更多时间修补。 360浏览器在卸载的时候会弹出一个“用户调查”,询问用户卸载原因。这个功能是在一个叫um.3(UninstallManager的缩写)的so文件里实现的。这个库文件会开启一个独立进程,在收到卸载的消息后,会使用”am start”命令开启浏览器,显示“卸载调查”网页。 um.3从asset中被释放出来 um.3会占有一个独立进程 um.3的进程间通信机制是用一个自定义的HTTP server实现的。如同所有的虫洞漏洞一样,成了万恶之源。这个server会监听手机的6587端口,允许所有地址连接。但它支持的功能很简单:1. 查看版本 2. 开启浏览器 um.3会在第一次启动后监听6587端口 比如,弹出那个“卸载调查”的时候,执行的命令如下: /data/data/com.qihoo.browser/files/so_libs/um.3 com.qihoo.browser –execute am start -n -a android.intent.action.VIEW -d\\&Wid=81e188a23869a898d1343eaa20c11495 \\&Verc=\\&Mdl=iPhone\\&Osver=4.2.1\\&Net=WIFI\\&Chl=h986596 –user 0 但程序员在这里犯了很要命的错误。 1. 命令使用system函数执行,对命令本身没有任何过滤。 2. 弹出网页的url是作为命令的一部分传进去的,而这个url是远程可控的,直接来自远程请求的GET参数。 只要攻击者利用分号将前一条命令分隔开,后面写的所有恶意指令都会被360浏览器忠实的执行。。。 为了搞清楚这个HTTP server的一些逻辑,我们用IDA Pro/HexRay把um.3逆向成了C代码,并加了注释。关键的函数有两个:sub_9018和sub_9078,分别用来解析URL参数,和实现HTTP server逻辑。有兴趣的读者可以点开大图看。 简而言之,出现问题的命令是这样的: am start -n com.qihoo.browser/.BrowserActivity -a android.intent.action.VIEW -d Read More

Analysis of the “Anywhere Door” Vulnerability on the 360 Browser

  “It’s not a bug. It’s a feature.” – A developer’s quote “It’s not a vulnerability. It’s a backdoor.” – A hacker’s quote   We first introduced “Anywhere Door” (in Chinese: “任意门”) in this previous article. “Anywhere Door” is a new Wormhole vulnerability that affects versions of the 360 Browser prior to beta. By sending a certain crafted Read More

Yet another Wormhole Vulnerability – Meet the “DimensionDoor”

  Authors: Tianfang Guo, Mengmeng Li Two weeks ago, the Wormhole vulnerability was in the wild, and affected more than 100M Android users. As you may already know, the Wormhole is triggered on a customized HTTP service used for cross-app communication, allowing a remote attacker to bypass the security check and issue a variety of Read More

The WormHole Vulnerability: The Number of Affected Apps is Increasing

The “WormHole” is a critical vulnerability on Moplus SDK on Android, which is used by major Baidu products, as well as some other apps. In summary, this vulnerability is caused by “ImmortalService” – a customized HTTP service used for cross-app communication. Because “ImmortalService” uses an incorrect approach to filter requests from outside the phone, a Read More

“Reflections on Trusting Trust” – Some Thoughts on the XcodeGhost Incident

Authors: Tianfang Guo, Jinjian Zhai (Further reading about the XcodeGhost: the original story and detailed analysis) Reflections on Trusting Trust In 1984, Ken Thompson, “Father of Unix”, mentioned in his speech about the first compiler backdoor he once made, which allows him to login with “su” privilege into any Unix systems in the Bell lab Read More

Fallout from the Android Stagefright OTA Update: Trustlook Mobile Security Memory Boost Stays alive while other Task Management Apps are Left Disabled

Google addressed the Stagefright bug by solving and rapidly releasing the Android 5.1.1 Stagefright fix. However the fix broke the widely used “recent activity” log access for the developer community. As a result, the Stagefright “fix” disabled many popular task management, parental control and app-locker android applications. The Trustlook team moved quickly with a timely update of the Read More