Do You Know Where the Internet is Most Dangerous?

Trustlook, the global leader of AI-powered cybersecurity has published an internet security map based on data they collected.

Trustlook provides cybersecurity support for over 150 million mobile devices worldwide, most of them from ubiquitous brands such as Huawei and Oppo. Having such a widespread presence provides Trustlook a global perspective on the state of mobile security.

Based on data collected during September 2018, Trustlook has discovered that China has the largest quantity of malware in the world, and that regions such as Africa and Oceania have the highest mobile infection rates.

China has the largest quantity of mobile malware in the world.

Trustlook collects mobile security data during the process of protecting user devices, scanning their phones or IoT devices for malicious applications and files. For data collection, different applications count as different samples but the same application in different devices count as the same sample; the resulting “malware count” of a region refers to the number of unique malware endemic there.

According to the data, China’s malware count is the highest, followed by the United States, Canada, Indonesia, and Brazil. In the following table, countries and regions are sorted by their malware counts.

The most obvious caveat is that these regions have higher counts because there are more users and applications. Markets such as China and the United States are frankly much larger than other sampling regions, motivating more malware diversity and development.

Therefore the data for malware count in each region is not as meaningful as it would appear at first glance. A deeper analysis of the data was required, to see if the regions with top malware counts are actually as dangerous as they seem.

Africa and Oceania have the highest malware concentration.

When discussing whether a region’s internet is safe, it makes more sense to measure the ratio of malware counts to data samples rather than the malware count. This way, we can better quantify the malware concentration of a particular region.

According to Trustlook’s analyses, the malware to sample ratio is highest in the Solomon Islands, followed by Palau, Haiti, and Burundi.

Surprisingly, China which has the highest malware count isn’t even in the top 30 when using the new metric. We can also see from the above table that there are no North American or European countries within the top 30 and only one country, Afghanistan, from Asia.

Beijing, Chengdu and Guangzhou cultivate the most malware samples

There is big differences between different cities in China in malware counts. Beijing, Chengdu and Guangzhou, and Shanghai lead the pack in having the most malware in their citizens’ mobile devices.

There are no boundaries inside a country’s internet, which is divided by different languages and cultures. It is hard to say these cities are more dangerous, and the reasons behind the virus number maybe because there are some common behaviors between their citizen, which means a typical group of users and people, and developers should pay attention to.

Trustlook’s mission is to defend every mobile device and everyone’s cybersecurity.

PolySwarm Marketplace Partners With Trustlook to Offer New Zero-Day Protection Services

San Jose, Calif., Nov. 28, 2018, Trustlook, the global leader of AI-powered cybersecurity, today announced the partnership with decentralized threat intelligence marketplace PolySwarm.  Trustlook will provide additional security services to Polyswarm’s platform, which will strengthen their ability to detect and prevent zero-day attacks.

Polyswarm is a decentralized security marketplace which provides tools and services that experts use to tailor make anti-malware engines. PolySwarm incentivizes a global community of information security experts to disrupt the $8.5 billion cyber threat intelligence industry, providing enterprises and consumers with unprecedented speed and accuracy in threat detection. 

Trustlook is the global leader in next-generation cybersecurity products which focus on advanced zero-day prevention. Over the years, Trustlook has been the partner of first tier enterprises like Huawei, Amazon and Qualcomm. Their AI-based mobile security engine boasts a malware detection rate of over 98.0 percent. 

“As malware attacks are ever-growing, PolySwarm’s decentralized platform demonstrates a new way to protect the internet,” CEO of Trustlook Allan Zhang said, “Trustlook is happy to support PolySwarm’s growth with our advanced capabilities in zero-day attack detection and protection.”

By joining the PolySwarm platform, Trustlook will be able to train AI models using the most up-to-date attack behavior, further enhancing their already formidable performance. On the other hand, PolySwarm will gain the capabilities and expertise of a reputable and battle-proven vendor like Trustlook.

“We are very excited to have Trustlook join the growing network of PolySwarm’s micro-engines,” said Steve Bassi, PolySwarm CEO. “With a continuous stream of high-powered security engines joining the PolySwarm network, our ability to combat threats and ensure enterprises are properly fortified against evolving malware keeps getting stronger.”

About Trustlook
Trustlook was founded in 2013 with the goal of providing security solutions that go beyond the existing tools available today by detecting and addressing zero-day vulnerabilities and advanced malware. Their innovative SECUREai engine delivers the performance and scalability needed to provide total threat protection against malware and other forms of attack. Trustlook’s solutions protect mobile devices, network appliances and the IoT. The company is managed by leading security experts from Palo Alto Networks, FireEye, Google and Yahoo.

About PolySwarm
PolySwarm is the first decentralized marketplace allowing security experts to build anti-malware engines that compete to protect consumers. Providing enterprises and consumers with unprecedented speed and accuracy in threat detection. The PolySwarm market runs on Nectar (NCT), an ERC20-compatible utility token. For more information, please visit

Trustlook Announces New Security Solution For Zero-Day Attacks

San Jose, Calif., Nov. 12, 2018, Trustlook, the global leader of AI-powered cybersecurity, today announced the release of Revere, a new kernel-level security solution which provides efficient and reliable security protection for Internet of Things (IoT) devices.

Today’s IoT devices like smart door locks, webcams, smart speakers, drones, and cars, which run on Linux or Android operating systems, are vulnerable to zero-day attacks, enabling hackers to simply access users’ privacy and life safety.

Current evidence shows that the number of IoT device attacks is overgrowing. According to the Kaspersky Lab IoT report, the number of malware detection for IoT devices in the first half of 2018 was more than triple the amount of IoT malware seen in the whole of 2017, and in 2017 there were ten times more than in 2016. A recent F5 Networks report suggests that IoT devices have become the number one attack target on the Internet, surpassing the total amount of attack to web and application servers, email servers, and databases.

The most reliable security solutions are built into the operating system. “Trustlook has discovered in practice that putting the security module in the kernel is faster and more responsive than not using kernel. It is difficult to hide things from the kernel,” said Trustlook CEO Allan Zhang.

The new Revere solution can protect the system from the foundational layer: When a program makes a system call to the kernel, the Revere module can collect the behavior data of the program. Based on newly input data, a built-in AI model, which has been well trained on a large amount of training data samples, will make accurate predictions of various types of abnormal behaviors, such as privilege escalations, malware downloads, DOS/DDOS network attacks, brute-force password cracking, system file tampering, and privacy data theft, thereby preventing various types of zero-day attacks.

Key benefits of the new Revere solution include:

  • Secure and fast: Revere is more secure and response faster than traditional security engine, especially for time-sensitive applications, such as smart speakers that contain sensitive data or cars that involve personal safety.
  • Compatible: Revere applies to most Linux-based IoT devices as its security examination will be finished in kernel.
  • Intelligent: Trustlook Security Lab collects all types of IoT device attack behavior data to train AI models and upgrade remotely to maintain its predictive protection against the latest attacks. Revere’s zero-day attack detection and prevention is beyond the capability of most traditional signature-based security engines.
  • Efficient: Revere’s on-device detection model consumes a relatively small amount of resources and delivers stable performance. For example, on an IP camera running embedded Linux, Revere consumes less than 1% of CPU capacity in standby mode, less than 3% during most active operations, and occupies at most 5MB of memory.

Trustlook currently provides an SDK-based solution for Revere, while developing a cloud service platform, which allows vendors to monitor the system security in real time. In the future, Trustlook will provide customers with a full-stack IoT security solution from devices to the cloud.

About Trustlook:

Trustlook is the global leader in next-generation cybersecurity products based on artificial intelligence. The company’s innovative SECUREai engine delivers the performance and scalability needed to provide total threat protection against malware and other forms of attack. Trustlook’s solutions protect mobile devices, network appliances, and IoT. For many years, Trustlook has served Huawei, Amazon, Qualcomm and other leading hardware and software vendors.

Find out more at:

Black Hat 2018 is a Wrap!

Black Hat Las Vegas seems to get bigger and better every year. This year was no different. Trustlook was thrilled to be a part of the show, and would like to say thanks to all those who stopped by our booth at Innovation City. There were some great conversations and a lot of shared learnings on the future of cybersecurity for IoT devices.


Black Hat was also an opportunity for Trustlook to announce our latest product, SECUREai Core Detect. This product allows IT administrators to quickly see what IoT devices are on their network. In addition, sophisticated algorithms continually analyze communication to and from every device, instantly identifying anomalies and suspicious network behavior.

To learn more about SECUREai Core Detect, please click here. You can also contact to schedule a demo.

Bangle Android App Packer: Unpacking & Analysis

Trustlook Labs has identified a malicious app which is most likely using social engineering attacks to trick users to install it. The app (MD5: eb9d394c1277372f01e36168a8587016) is packed by Bangle packer. The main activity triggering installation of the app is “com.goplaycn.googleinstall.activity.SplashActivity.” However, that activity is not found anywhere in the decompiled code:


A closer look at what is happening in the code
From class SecAppWrapper, there is a “System.loadLibrary” call to load “secShell.” The native layer code in the module is responsible for decrypting and loading the app’s primary payload from “assets\secData0.jar,” which is a zipped DEX file after it’s decrypted.



Most method names in the “secShell” module are obfuscated, and their strings are decrypted when in use.


The app detects most hooking and patching frameworks, such as Xposed. Xposed is a framework for manipulating Android applications’ flow at runtime.



The app forks a child process and calls “ptrace” to attach to the parent to prevent any attaching attempts by debuggers. The multiple processes trace one another to make sure the children stay alive.




The app also monitors values in the /proc files system to check the status of the process.


The JNI_OnLoad function in the “secShell” module has switch branches. One branch is responsible for anti-debugging, the other (located at 0x7543EAE4 below) will lead to the main DEX module for decrypting.


The following is the decrypting function:



After the anti-debugging is bypassed, the function “p34D946B85C4E13BE6E95110517F61C41” decrypts the data. Register R0 contains the file location, as identified by the header bytes “PK\x03\x04.” R1 stores the size of the file.



We can dump the memory:


After unzipping the file, we get the DEX file which can be viewed normally:


Android packers are valuable tools used to protect the intellectual property of legitimate mobile application developers. However, they can be also used for nefarious purposes, and make analyzing malicious apps more difficult. Trustlook Labs continues to work on identifying malicious applications to protect our customers and the mobile ecosystem.


How to Stop Snooping Android Apps

Are you worried Android apps are secretly recording what you say or what you do? A new study from computer science researchers at Northeastern University suggests you may have good reason to be afraid.

The study analyzed 17,260 Android apps from the Google Play store, as well as third-party marketplaces AppChina, and Anzhi. The research team found evidence of “several” Android apps spying on users by recording video and images of users’ screens. The study was published last week in a research paper titled “Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications.”

The Northeastern University team cited several examples of popular apps that engaged in unauthorized recording of users’ screens, including GoPuff, a food delivery app. The researchers discovered the app sent captured video via the Internet to a domain belonging to web analytics firm Appsee, and that the video recording could include personally identifiable information such as ZIP codes. The researchers said that Appsee’s software required no permissions to record the video and did not issue notifications to users.

Researchers warn that a lot of the risk comes mainly from these third-party libraries, such as Appsee’s, that often abuse the permission an app obtains from users. “Apps often display sensitive information, so this exposes users to stealthy, undisclosed monitoring by third parties,” researchers say.

Embedded Behavioral Security for Android Devices
The good news is that security within Android is getting better with every new release of the popular mobile operating system. In fact, the company previewed the security features of Android P, the newest version of the mobile OS, at the Google I/O conference in May. Android P will only grant access to device sensors such as microphones and cameras to apps in the foreground, preventing potentially harmful apps from running covertly in the background and using sensors to spy on users.

There are also third-party software tools, such as Trustlook’s SECUREai Sentinel 2.0, that provide next-generation privacy protection for Android powered devices. Sentinel 2.0 is a custom OS and SDK that offers real-time detection of malicious behaviors, as well as powerful privacy features for Android users.

Robust Settings
Sentinel 2.0 offers end users complete control over their privacy settings. Users can select which behavior categories to have monitored (such as their microphone or location), whether or not to screen System apps, and even the option to have no privacy protection at all.

Screenshot_20180601-113804         Screenshot_20180601-113741        Screenshot_20180601-113748

Alert Options
Sentinel 2.0 can be customized to deliver various types of notifications and alerts. For example, the message on the left below is a simple alert stating that audio is being recorded in the background. However, the message on the right adds functionality by giving the user 30 seconds to either approve or deny the behavior.

                  Basic Alert                                               Advanced Alert
2018-05-29_1740                Screenshot_20180601-110138

It’s clear from the research by the team at Northeastern University that there is no slowing the rise of sneaky malicious apps and surreptitious attacks. With so many more connected devices than just a few years ago, the problem will only get worse. Add in the financial benefits of ransomware, and the possible state-sponsored chaos that can be caused with DDOS attacks, and the situation becomes that much more important to control.

Fortunately the tools to combat these attacks are also improving, and give Android users confidence when storing personal information and making sensitive transactions on their Android devices.



Trustlook introduces Sentinel 2.0!

Trustlook is pleased to announce SECUREai Sentinel 2.0, a next-generation security engine that provides privacy protection for Android powered devices. This latest release is the culmination of more than two years of engineering and testing, and encompasses a product with the highest performance and lowest device impact possible.

For Device Makers and End Users
SECUREai Sentinel 2.0 offers powerful privacy features for both Android device makers and end users. Some features include:

  • Real-time detection of malicious behaviors
  • For end users, the ability to know who or what is accessing their privacy information, and a way to deny or approve access
  • For device makers, a premium security feature and quick way for end-users to identify privacy problems, helping device makers comply with GDPR
  • 16 detection points, including detection of the following malicious phone behaviors:
    • Sending SMS when screen is locked
    • Recording audio when screen is locked
    • Accessing device contacts/phone numbers in the background
  • Multi-category privacy coverage for Contacts / SMS / Call Logs / Camera / Microphone / Location / Screen / Telephone Number / Device Account / IP Address / Calendar / Cookies / Clipboard / RFID
  • Based on the latest Android version: 8.1
  • Small 0.2% average performance impact
  • Privacy access logs and analysis reports to identify data leaks
  • Quick implementation and rapid deployment

Alert Options
SECUREai Sentinel 2.0 can be customized to deliver various types of notifications and alerts. For example, the message on the left below is a simple alert stating that audio is being recorded in the background. However, the message on the right adds functionality by giving the user 30 seconds to either approve or deny the behavior.

                  Basic Alert                                               Advanced Alert
2018-05-29_1740                Screenshot_20180601-110138

Below is an Advanced Alert that gives the user 30 seconds to approve or deny the sending of an SMS message.

Robust Settings
SECUREai Sentinel 2.0 offers end users complete control over their privacy settings. Users can select which behavior categories to have monitored (such as their microphone or location), whether or not to screen System apps, and even the option to have no privacy protection at all.

Screenshot_20180601-113804         Screenshot_20180601-113741        Screenshot_20180601-113748

Need Help with GDPR (General Data Protection Regulation)?
GDPR is everywhere these days. Companies are racing to comply with the new law that went into effect on May 25, 2018. At its core, GDPR is a new set of rules designed to give EU citizens more control over their personal data.

Under the terms of GDPR, not only will organizations have to ensure that personal data is gathered legally and under strict conditions, but those who collect and manage it will be obliged to protect it from misuse and exploitation, as well as to respect the rights of data owners – or face penalties for not doing so.

SECUREai Sentinel 2.0 can help Android device makers comply with GDPR. How? One of the major changes GDPR will bring is providing consumers with a right to know when their data has been leaked or hacked. SECUREai Sentinel 2.0 displays which apps on a device have access to personal information. For instance, a user might have 10 apps on his or her phone. Seven of the 10 apps, such as banking or payment apps, might have access to personal information. Therefore, device makers will be providing more transparency into how a user’s data is accessed, and, in the event of a breach, a user can quickly understand if their data might be exposed.

SECUREai Sentinel 2.0 is implemented via a custom ROM and an SDK. The diagram below shows how the SDK interacts with the custom ROM and the Trustlook Cloud Service.


The information that is collected from SECUREai Sentinel 2.0 is displayed on a custom dashboard. The dashboard provides real-time information of the behaviors detected, the riskiest apps, and much more.

Below is a running log of behaviors that have been detected by SECUREai Sentinel 2.0.

Below is a list of the riskiest apps, as detected by SECUREai Sentinel 2.0.

SECUREai Sentinel 2.0 is a game changer for privacy protection on the Android platform. Device makers and end users both benefit from the vast features and capabilities of the platform. To learn more about SECUREai Sentinel 2.0, or to schedule a demo, please contact