New Trustlook Insights Report From Trustlook Research

Trustlook recently surveyed 500 Android users to gather insights for the security industry. “The survey, conducted by Trustlook Research, produced some rather interesting findings about smartphone user behavior,” said Joe Sullivan, head of marketing at Trustlook. “We were surprised to see so many users entering sensitive information into their devices, which could give hackers potential access to social security numbers, bank account information and other personal data.”


The Trustlook Insights survey was designed to learn more about mobile device users and to uncover industry trends. Findings include:

  1. Users are more willing than ever to input sensitive information, including their social security number, on a mobile device.
  2. Although over two-thirds report using mobile devices for banking, fewer than a quarter use them for managing investments.
  3. BYOD continues to gain momentum in organizations, with eight out of ten respondents using their mobile devices for work.
  4. Eighty-five percent of respondents have more than ten apps on their mobile device, potentially increasing the attack surface.

For the full report, please visit:
http://www.trustlook.com/static/research/Trustlook_Insights_Report_Q3_2016.pdf

Infographic for this report:
http://www.trustlook.com/static/research/Trustlook_Insights_Infographic_Q3_2016.jpg

Top 10 Most Widespread Mobile App Viruses (6/19/2016 – 6/25/2016)

The following table contains the top 10 most widespread mobile app viruses discovered by Trustlook Mobile Security for the week of June 19, 2016 through June 25, 2016.

Virus Name                    # of Mobile Apps Containing the Virus
Android.Trojan.Sendbox        108,060
Android.Trojan.Obad           28,949
Android.Malware.Downloader    5721
Android.Trojan.Ghostpush      5657
Android.Malware.Fakegupdt     4321
Android.Trojan.Hideicon       4154
Android.Trojan.Regdev         4060
Android.Trojan.Slocker        2816
Android.Trojan.Ztorg          2331
Android.Trojan.Triada         2188

Make sure you are always protected from mobile malware and viruses by downloading the Trustlook Mobile Security app.

Even Superman Couldn’t Save This Actress from Identity Theft

Even the rich and famous aren’t immune to identity theft. The U.S. federal government has been cracking down on crime rings of hackers. Many of these crime rings are based in Georgia and Virginia, where sophisticated operations steal innocent victims’ identities. Using these stolen identities, the crime rings then create large shell companies. These shell companies are used as entities to funnel and launder money, sometimes out of a country right into a jailbird’s bank account.

Structured under the umbrella “The Deutche Group”, one ring allegedly involved co-conspirators from all over the globe. With home bases in Thailand, Great Britain, and India, the search for victims is extensive. The crime rings will do anything it takes to obtain the information they need, even creating entire fake online companies that promote airfare deals or hotel discounts. Victims of these scams are left nearly helpless, often stranded in airports and foreign countries with their credit card information stolen. The fraud can be so sudden that victims are at the airport ready to go, only to learn that their tickets are fake and their credit cards already maxed out. The crime rings then create fake passports and other fake documentation using these identities.

One crime ring even targeted a popular television actress, Laura Vandervoort. The criminals used a television screenshot of the actress while on the popular T.V. show “V” as a passport photo to verify their identification for visa purposes. An FBI agent who was a fan of the show “Smallville” immediately recognized the actress and the FBI was able to pinpoint a timeframe for the creation of all the fake documents.

This illicit crime group has graduated beyond identity theft for fake documents. There have been entire banks created in India so that the hackers are able to fund their own deceitful dealings. One of the co-conspirators attempted to launder his illegal money by buying jewels with stolen credit cards. Another opened an IT learning center that supported IT training and also served as a front for his illicit activities. A former employee of American Express has even moved to India in order to escape prosecution.

To check if you have been a victim of identity theft or fraudulent crime, use the Trustlook app today. With the ID Check feature, Trustlook can give you real-time identity tracking and alert you if anyone attempts to hack into your payment apps or banking information. Use Trustlook today for a safer tomorrow.

Top 10 Most Widespread Mobile App Viruses (6/12/2016 – 6/18/2016)

The following table contains the top 10 most widespread mobile app viruses discovered by Trustlook Mobile Security for the week of June 12, 2016 through June 18, 2016.

Virus Name                    # of Mobile Apps Containing the Virus
Android.Trojan.Kemoge         7086
Android.Malware.Downloader    5459
Android.Trojan.Ghostpush      4019
Android.Trojan.Hideicon       3750
Android.Malware.Fakegupdt     3141
Android.Trojan.Slocker        2811
Android.Trojan.Regdev         2406
Android.Trojan.Downloader     2045
Spr.Android.Secapk.C.Gen      1959
Android.Malware.Danpay        1533

Make sure you are always protected from mobile malware and viruses by downloading the Trustlook Mobile Security app.

Banking Trojan targets clients of Russian financial institutions

— Trustlook Research Team

Trojans are pieces of software that appear to be legitimate applications while exhibiting malicious behavior. Banking Trojans are specifically designed to steal a user’s online banking credentials. The banking Trojan sample discussed here, discovered and detected by Trustlook, has the following characteristics:

  • MD5: d6d2427df4c03a7cc61c97b4eebdd655
  • SHA256: 1974c82877a3abdffa6f9246138a3819c2c543a9c904a753bea3663bd21d9239
  • Size: 577590 bytes
  • App name: 2ГИС (Russian)
  • Package name: ru.drink.lime

The package icon is:

[screenshot]

The app targets clients of Russian financial institutions. Its interface is written in Russian to create a false sense of security for these users. The malware can receive commands to send and intercept SMS messages; combined with a stolen account name and password, this lets the attacker confirm a money transfer through the SMS-based transaction confirmation that is common in Russia.

The app forces the user to grant it device administrator rights in order to maintain persistence on the system:

[screenshot]

If the user denies the request, the app enters a loop and keeps popping up the “Activating admin” window. The following code snippets perform these actions:

[screenshot]

After installation, the app removes its own icon to hide from the user.

The app communicates with a remote server and sends out some personal information:

[screenshot]

The following code snippets demonstrate the above behaviors:

[screenshot]

The app checks whether the following packages are installed:

  • ru.sberbankmobile
  • com.android.vending
  • com.idamob.tinkoff.android
  • ru.vtb24.mobilebanking.android
  • ru.alfabank.mobile.android
  • ru.raiffeisennews

It then checks whether one of the above apps is running and starts a service accordingly, which reproduces the forms found in the legitimate financial institutions’ client apps.

[screenshots]

The following code snippets are used by the malware to show a fake interface for the “ru.sberbankmobile” banking app:

[screenshots]

The malware creates a SQL database to store the collected information. The table in the database has the following structure:

  • client_id integer
  • client_password TEXT
  • need_admin integer
  • need_card integer
  • first_bank integer
  • need_sber integer
  • need_tinkoff integer
  • need_vtb integer
  • need_alpha integer
  • need_raiff integer
  • server TEXT
  • filter TEXT
  • exist_bank_app integer

The malware communicates with the remote server to receive commands that send and receive SMS messages; the attacker can use this to perform mobile fund transfers once they have acquired the user’s banking credentials. The malware also intercepts incoming SMS messages and can abort the broadcast of a message so that no new-message notification is shown to the end user.

[screenshot]

This malware uses the following instruction strings to communicate with the remote server:

  • taskUsssd
  • taskSms
  • deliverySms
  • okSmsSend
  • errorSmsSend

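The traits described above (a device-admin receiver for persistence, SMS interception, hard-coded bank package names and C&C command strings) can be turned into a static triage check. The following is an added example, not Trustlook’s tooling; it assumes the APK has already been decoded (for instance with apktool) into manifest text plus a list of string constants, and the sample manifest and strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators taken from the write-up: targeted bank packages and C&C command strings.
TARGET_BANK_PACKAGES = {
    "ru.sberbankmobile", "com.idamob.tinkoff.android", "ru.vtb24.mobilebanking.android",
    "ru.alfabank.mobile.android", "ru.raiffeisennews",
}
C2_COMMAND_STRINGS = {"taskUsssd", "taskSms", "deliverySms", "okSmsSend", "errorSmsSend"}
HIGH_PRIORITY = 100  # assumption: an SMS receiver this high is trying to win the broadcast

def triage(manifest_xml, strings):
    """Score a decoded APK against the behaviours described above.
    manifest_xml: decoded AndroidManifest.xml text (e.g. apktool output);
    strings: string constants pulled from the dex/resources."""
    root = ET.fromstring(manifest_xml)
    perms = {u.get(ANDROID_NS + "name") for u in root.iter("uses-permission")}
    findings = {}
    # Device-admin receiver: what the "Activating admin" nag loop needs for persistence.
    findings["device_admin_receiver"] = any(
        r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver"))
    # SMS interception: RECEIVE_SMS plus a high-priority SMS_RECEIVED receiver is
    # the combination that lets abortBroadcast() hide incoming messages.
    priorities = [int(f.get(ANDROID_NS + "priority", "0"))
                  for f in root.iter("intent-filter")
                  if any(a.get(ANDROID_NS + "name") == "android.provider.Telephony.SMS_RECEIVED"
                         for a in f.iter("action"))]
    findings["sms_intercept"] = ("android.permission.RECEIVE_SMS" in perms
                                 and any(p >= HIGH_PRIORITY for p in priorities))
    findings["bank_targets"] = sorted(TARGET_BANK_PACKAGES & set(strings))
    findings["c2_commands"] = sorted(C2_COMMAND_STRINGS & set(strings))
    findings["score"] = sum([findings["device_admin_receiver"], findings["sms_intercept"],
                             bool(findings["bank_targets"]), bool(findings["c2_commands"])])
    return findings

# Constructed sample input (not the real sample's manifest) that exhibits all four traits.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="ru.drink.lime">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".SmsRx"><intent-filter android:priority="999">
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
  </application>
</manifest>"""
SAMPLE_STRINGS = ["ru.sberbankmobile", "taskSms", "okSmsSend", "client_password", "hello"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

A score of 4 means every trait from the analysis is present; a benign app with no receivers and no matching strings scores 0.
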
Mobile App Collusion on the Rise

Every day, more and more low-skilled criminals and cyber hackers are looking for innovative ways to crack into your personal device. Beyond traditional methods such as fake emails or deploying viruses on websites, hackers are making bolder moves in the name of illicit cyber-attacks.

The newest trend in malicious attacks, called mobile app collusion, has been hiding in plain sight on personal devices. This method involves a cybercriminal deploying two or more apps to a device. One app serves as the entry point into a person’s private information, using permissions and access granted by the user. The first app is initially trusted by the user and allowed to access different information on the personal device. Vital data such as location, bill information, payment apps, social security numbers, photo albums, and email accounts are the areas most commonly accessible to the first app. The second app serves as a getaway car, funneling the information collected by the first app to a safe point where it is then gathered by the criminal group. The criminals use the malicious apps to hide in plain sight of the user and create a facade of safety.

Some of the apps used in mobile app collusion are being used without the knowledge of their developers or of the operating system vendors. Many apps are themselves victims in the war against malware. Cybercriminals tend to target apps that have not been updated to the latest version and use this as an opportune window into a personal device. Since such an app has not received the latest security updates, hackers can deduce that users trust the app enough to leave it on their phone with little attention or notice. Perfect for hiding in plain sight.

Apps that deal directly with sensitive or financial information, such as banking apps, are the most highly prized by these cyber criminals. The apps most commonly targeted for mobile app collusion are utility applications that tend to receive fewer updates. Health monitoring, bill payment, and video streaming applications are all vulnerable to being hijacked by an outside hacker. With mobile malware on the rise and new malware increasing quarter after quarter, being aware of the enemy is the first line of defense.

Update: Android Ransomwares, The Escalated Battle

— Trustlook Research Team

Malware packages of this kind are designed to download and execute files without the user’s consent. To reduce the amount of data that must be downloaded, the developer keeps the package as small as possible. Most such malware has limited functionality of its own and can only download specific files. The sample discussed here, discovered and detected by Trustlook, has the following characteristics:

  • MD5: 5229453ADF4EA45C3D8AED4CBE38563E
  • SHA256: 809e5a2def3540e2fe204f39fc32600b2672b3de41d829432edc6f5a46f0ccd0
  • Size: 57943 bytes
  • App name: Flash Player Update
  • Package name: com.googleservice.play.critical

The package icon is:

[screenshot]

Compared to a normal app, this app accepts various remote instructions from the attacker to download malicious apps or components.

On VirusTotal, only 3 of 57 antivirus vendors detected it when it was initially submitted.

[screenshot]

The app appears to be written to trick users into believing it is a legitimate app. After installation, it removes its icon to hide itself from the user.

[screenshot]

The app communicates with a remote server and sends out some personal information:

[screenshot]

The following code snippets demonstrate the above behaviors:

[screenshot]

Furthermore, the malware creates a SQL database to keep track of the tasks received from the C&C server. The database methods include:

  • getNext          // get next task
  • getTaskByPackage // get task by package id
  • updateTryCount   // update retry count
  • insert           // insert task
  • remove           // remove task

The malware checks whether the phone is rooted by searching for the “su” binary and downloads/installs an APK accordingly.

[screenshot]

If an HTML file is received, the malware shows the web page instead of installing the file:

[screenshot]

As seen in the HOST string in the captured traffic shown earlier, the malware most likely targets Russian smartphone users. The following code snippets also show the malware checking the device’s country code:

[screenshot]

The IP address of the C&C server “loaddik.ru” is located in Ukraine, and the domain was registered on 2016-05-10:

http://whois.domaintools.com/loadik.ru

[screenshot]