Meet The Interns: Jin

Here at Trustlook, our team is small and close. We love working together and even more, we love to have fun together. Every Friday on the Trustlook blog, we will have features on our passionate team members. Our special summer edition will feature our newest interns! Each intern brings something special to the table and enhances the Trustlook experience.


 

Jin, First-Year Master's Student in Computer Science at NYU and Engineering Intern

  1. What got you interested in mobile security?

I began programming as an undergrad while studying abroad. It is my true calling because the intricacies of coding are fascinating to me. Security is a big issue within the tech industry and it was a natural progression for me. There is a readily available app that I discovered in my undergrad years that enables criminal activity via an open source Wi-Fi. Through a public Wi-Fi network a hacker is able to obtain information such as passwords and credit card information remotely. The app is based in the West, where the market for innovative technology is thriving every day. This worries me as there are so many benefits and users with possible unknown vulnerabilities, but I hope to provide key protection and security with different developments and stopgaps.

 

  2. What do you feel is the biggest threat to consumers?

While pursuing my undergrad, I noticed the frequency with which people will turn to third-party apps. Oftentimes in rural areas or countries with various censorship laws, popular apps can be hard to obtain. People will begin to turn to underground app markets or more illicit ways to obtain the hottest new game. Through different methods, many cybercriminals are able to personally email consumers, posing as a legitimate company or LLC. These personalized emails will have customized bait and switches in order to lure potential victims to click on links that create an open portal to a personal computer or phone. The malicious APKs are very difficult to detect within any operating system, even with a trustworthy scan, because malware is programmed to evade detection.

Wi-Fi security is also a looming threat to enterprises and consumers. Companies and users can be hacked by criminals over Wi-Fi and all their data can be drained in an instant. All your apps can be from secure and reliable sources but over Wi-Fi, anything can go. Two types of Wi-Fi crime can happen. One type is a form of public Wi-Fi, such as a public connection provided by a library or business. This open public connection serves as the perfect portal into another’s device because it is difficult to detect any malicious viruses on these open connections and there seems to be generally very little monitoring on these open air connections as well. The second way to use a Wi-Fi connection is a fake Wi-Fi connection. A hacker will choose to name an open Wi-Fi network something that feels secure or trustworthy, such as setting up an open connection near a city building. By naming that Wi-Fi after a public building or business, many consumers will believe it is operating as a safe network for the public when it’s truly a hacker hoping to hit pay dirt.

 

  3. What is your summer project at Trustlook?

I am currently building a static fly engine that will hopefully use machine learning to identify malware. First it must be trained on our Trustlook servers, and then it will be implemented in our app for our users. It should eventually be able to detect malware and viruses offline and save our users' cellular data usage on their personal devices.

 

  4. Do you know anyone who has had their data or identity stolen?

Yes, of course. Even with just legal businesses and companies. Private information such as location and billing information is accessible in many different apps and personal device platforms. Many different apps are locking onto this information because it helps their business. Tracking GPS and location for a user helps to enable better ads or commerce, such as having a promotion pop up as one drives by a coffee shop or receiving an email containing a coupon for a store that one regularly drives by. Encryption is also very common on phones and computers, but it’s very easy to break. Some websites just show passwords and private information as plain text and not as encryption. There are many small details within tech security that can prove to be bigger problems in the future.

 

  5. What next steps do you hope to take in your career?

Mobile security is my big passion, so I hope to pursue that after I complete my master’s. I enjoy the company mission at Trustlook because the goals here are to help mobile users. The best offense is a good defense. Building apps that aid in ransomware detection is the best kind of defense for mobile security, as ransomware can prove to be costly. Wi-Fi protection is also something that we can provide a good defense for, and hopefully educating consumers on Internet security can help raise awareness of what is safe and what is dangerous.

Trojan Attempts to Replace System Launcher and Collects Confidential Information

A malicious app, detected by Trustlook as “Android.Trojan.Ihide”, disguises itself as a system program and steals the user’s information. The analyzed Trojan package can be identified by the following characteristics:

  • MD5: A7C61401D00DD6398B549F4625BD58ED
  • SHA256: 3AD322E600D72659C8F4182439C18DAAAEC2045716984B9D1F79FB1641773098
  • Size: 1090390 bytes
  • App name: AndroidService
  • Package name: com.android.adapi

The package icon is:

Screen Shot 2016-07-25 at 2.52.10 PM

Upon execution, the app opens the Accessibility settings window to trick users into believing it is a legitimate system app:

Screen Shot 2016-07-25 at 2.52.16 PM

The app forces the user to grant it device administrator privileges in order to maintain persistence on the system:

Screen Shot 2016-07-25 at 2.52.36 PM

The app attempts to replace the system launcher:

Screen Shot 2016-07-25 at 2.52.44 PM

The malicious app sends SMS messages out continuously:

Screen Shot 2016-07-25 at 2.53.26 PM

The app contacts “baidu.com” to obtain the current location information:

Screen Shot 2016-07-25 at 2.53.35 PM

The following code snippets demonstrate how the malware constructs and sends the above request:

Screen Shot 2016-07-25 at 2.35.54 PM

The malware attempts to collect the following information:

  • SMS messages:

Screen Shot 2016-07-25 at 2.37.04 PM

  • Contact information:

Screen Shot 2016-07-25 at 2.37.54 PM

  • Call log and recording:

Screen Shot 2016-07-25 at 2.38.38 PM

  • Camera capture:

Screen Shot 2016-07-25 at 2.39.38 PM

  • Location information:

Screen Shot 2016-07-25 at 2.40.26 PM

  • Wi-Fi password file:

Screen Shot 2016-07-25 at 2.41.34 PM

  • Screen capture:

Screen Shot 2016-07-25 at 2.42.20 PM

  • Browser history:

Screen Shot 2016-07-25 at 2.43.07 PM

Furthermore, the app is capable of:

  • Sending SMS messages:

Screen Shot 2016-07-25 at 2.43.45 PM

  • Terminating process:

Screen Shot 2016-07-25 at 2.44.24 PM

  • Downloading and installing APKs:

Screen Shot 2016-07-25 at 2.45.01 PM

The malware most likely targets Android users in China, since the simplified Chinese language and Baidu location service are used in the code.
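Several of the behaviours above leave marks in the package manifest that a defender can check statically before an app is installed: a receiver protected by BIND_DEVICE_ADMIN (the device-admin prompt), an activity with the HOME intent category (the launcher replacement), SEND_SMS, and the permissions that cover SMS, contacts, call log, audio, camera and location. The Python triage script below is an added example, not Trustlook's engine and not code from the sample. The manifest it parses is constructed to mirror the report, since the sample's own manifest is not reproduced here; the component names .Home and .AdminReceiver, the benign comparison manifest and the scoring are assumptions.

```python
"""Static manifest triage for the behaviours described in the report above.

Added example, not Trustlook's engine and not code from the sample. The
manifests below are CONSTRUCTED; the component names and the scoring are
assumptions made for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Permissions that unlock the data categories the report says were collected.
COLLECTION_PERMS = {
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.RECORD_AUDIO": "record audio (call recording)",
    "android.permission.CAMERA": "capture camera",
    "android.permission.ACCESS_FINE_LOCATION": "read precise location",
}

# Constructed manifest modelled on the report; not the sample's real manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.adapi">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="AndroidService">
    <activity android:name=".Home">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.HOME"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for contrast: a notes app that only reads contacts.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Notes"/>
</manifest>"""


def triage(manifest_xml):
    """Return the package name, a list of findings and a score (one point per finding)."""
    root = ET.fromstring(manifest_xml)
    findings = []
    perms = {el.get(NAME) for el in root.iter("uses-permission")}
    for perm, desc in COLLECTION_PERMS.items():
        if perm in perms:
            findings.append("can " + desc)
    if "android.permission.SEND_SMS" in perms:
        findings.append("can send SMS")
    # A receiver guarded by BIND_DEVICE_ADMIN is a device-admin component; once
    # the user enables it, the app resists normal uninstallation.
    for recv in root.iter("receiver"):
        if recv.get(PERMISSION) == "android.permission.BIND_DEVICE_ADMIN":
            findings.append("device admin receiver " + recv.get(NAME))
    # An activity declaring the HOME category offers itself as the launcher.
    for act in root.iter("activity"):
        cats = {c.get(NAME) for c in act.iter("category")}
        if "android.intent.category.HOME" in cats:
            findings.append("HOME launcher activity " + act.get(NAME))
    pkg = root.get("package", "")
    # Third-party packages in com.android.* imitate AOSP system components.
    if pkg.startswith("com.android."):
        findings.append("package " + pkg + " imitates the AOSP namespace")
    return {"package": pkg, "findings": findings, "score": len(findings)}


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = triage(manifest)
        print(result["package"], "score", result["score"])
        for finding in result["findings"]:
            print("  -", finding)
```

The score is deliberately a plain count: the point is that the combination of a device-admin receiver, a HOME activity and SMS sending in one third-party package is unusual enough to justify a closer look, not that any single permission is malicious on its own.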

8 Facts You Have to Know for the Safest Pokemon Hunt

It’s capturing the world by storm. People are leaving their homes in droves and abandoning their normal lives in an attempt to catch them all. It is a Pokémon renaissance happening in 2016.  In the early hours of the morning and the wee hours of the night, mass droves of people are heading to parks and lakes. Poke stops, the designated landmarks designed to help Poke Masters refill on poke balls and other essentials, are frequented by the young and the old. With seemingly entire countries obsessed with the game, many security experts are concerned with the permissions and information accessed by the game. In addition, there are real-world dangers in playing the game. Here are the top 8 things you need to know about Pokemon Go in order to stay safe.


 

1) Accessing your Google Account:

When first signing up for the popular game, a user has the option to sign up using their Google account or through a special Pokémon Trainers club. Simply for convenience’s sake, many people opt for the Google account registration. This just requires the user to enter their Google account login, such as an email, and the password for their Google account. The issue with this is that the app then has unrestricted access to all forms of a user’s Google account. The user is required to give access to the app so that the game may be played, but is not alerted to what the app can access, which is why the permission is aptly named “Full Account Access”. This proves to be problematic as the app could theoretically access photo libraries and billing information.

2) Camera Usage:

The app’s prized feature is an AR option that brings the Pokémon to life. In order to activate the augmented reality feature, a player must allow the app to access the personal device’s camera. The AR feature on the app is a huge draw for the players in the game, as it feels similar to reality. Using the AR feature, however, requires camera permission, which is another portal for possible data leakage. People take photos with the Pokémon but in turn end up capturing street addresses, car licenses plates, possible credit card information, and many other details.

3) GPS Tracking: Location, Location, Location.

Pokémon Go is an app that utilizes a user’s GPS location and camera to support its gameplay. These two permissions, however, prove to be problematic when it comes to mobile security.  The game uses GPS to track where a player is and spawn the rare Pokémon when many players are clustered together. This proves to be a high security threat because a hacker can pinpoint a player’s precise whereabouts.

4) Not watching where you’re going:

It’s been reported previously that people are having accidents left and right from obsessive game play. From players abandoning their cars in search of the rarest Pokémon to players falling off cliffs looking for an elusive Charmander, people are putting their safety second to the Hitmonchan hunt.

5) Armed robbery:

Hackers aren’t the only criminals after the players in Pokémon Go. Robberies are happening all over because of the level of game play. These low-life criminals drop lures on Poké Stops around different cities, meant to draw more Pokémon to the stop. Since these lures are public and visible within the app, many players will stop by these locations hoping to use the communal lures for their own Jigglypuff hunts. This helps round up potential victims and their valuable possessions into one common area, making for an easy trap.

6) Downloading a third-party app:

Previously, the Pokemon Go app was only available in selected countries and areas. With the craze going so strong in the United States, countries like England and Canada were feeling major FOMO. Many users turned to third party apps to obtain the game to play and join in the worldwide obsession. This is a steep slope to walk down, however. Many third party apps contain malware or phishing software. Added alongside the massive amount of permissions required to play the Pokemon App, this makes it a huge security threat.

7) Fake Apps:

A new group of dangerous applications targets Pokémon Go users by promising cheats, tips, and other functionality. Despite their innocuous-sounding titles, the apps actually contain malicious code that either tricks users into paying for expensive bogus services or takes over victims’ phones to click porn ads, among other things.

8) Trustlook:

To ensure your safety and privacy, researchers cannot recommend enough using a security application. Using an antivirus app that deeply scans and alerts you of any data breaches is vital during this kind of social frenzy. Trustlook can protect every player from all the threats of Pokemon Go and any other threat in the market. With ID Check, Boost, SD Card Scan, Backup and Restore, and many other features, Trustlook can make sure you stay safe while in hot pursuit of Pikachu.  Download the Trustlook app here on the Google Play store today.

Meet The Interns: Mike


Mike, Engineering Intern

What interested you in mobile security?

Security is awesome because while it might not be a hot button topic, it’s vital for almost all companies and consumers. Big or small, security will always be a pillar in the internet community. Many consumers unknowingly download viruses or malware and are forced to wipe their devices. This rings especially true for the Android community because the structure of the platform lends itself well to a variety of apps and customization, but in turn has different issues in security.

What is your summer project about for the Trustlook Team?

I am developing a monitor for the team that uses a MySQL database. The monitor keeps track of running EC2 instances and compares their names to a list of all names that should be running. Running instances are the bulk of cost for many security companies, and many times a person can open an instance and simply forget to close it, causing extra, unneeded cost. It will run every two hours and send an email to our backend team about progress. The server also has other neat features like showing what names are not running, what instance names are not recorded, how long every instance has been running, etc., thus allowing the backend team to better manage what they opened and what they need to close.

This will help keep the Trustlook database clear and running efficiently.

Biggest threats to consumers?

Leaked personal information is becoming a larger issue. Popular apps, such as Pokemon Go, request access and permission to one’s Google account or location. Most consumers just get excited to play a new app or toy with a new feature and rush to allow the apps full permission onto their device.

What is one thing that is unknown to the general public about security?

The power struggle between security and hackers. Staying constant with security measures and having hackers outside your front door makes for an intense dynamic. It’s a game of cat and mouse, honestly.

Do you know anyone that has had their data or identity stolen?

Yes, quite a few people actually. The biggest risks are truly not knowing whether you’ve been a victim or not. By regularly cleaning your phone and being on alert, you can prevent so many data breaches and preserve your privacy.

Trojan Disguised as Legitimate App to Steal Information

Trojans are pieces of software that appear to be legitimate applications while exhibiting malicious behavior. A Trojan may steal information and cause the software system to become unreliable. The Trojan package analyzed here, discovered and detected by Trustlook, can be identified by the following characteristics:

  • MD5: e62b8857bf396bff59e030c09e3a3fad
  • SHA256: 0d225fbebcd18a398849b9bc8196838219545d356b26793ca25e89587c0b239e
  • Size: 276394 bytes
  • App name: Google Update Manager
  • Package name: net.androidrc

The package icon is:

Screen Shot 2016-07-06 at 5.40.15 PM

The app runs itself as a “remote device connector” to disguise itself as a legitimate app:

Screen Shot 2016-07-06 at 5.40.27 PM

Once the user enters account credentials, it sends out the information to the C&C server:

Screen Shot 2016-07-06 at 5.40.48 PM

The following code snippets demonstrate how the malware constructs and sends the above request:

Screen Shot 2016-07-06 at 5.33.05 PM

The malware attempts to collect the following information:

  • SMS messages including sender name and text:

Screen Shot 2016-07-06 at 5.33.44 PM

  • GPS coordinates:

Screen Shot 2016-07-06 at 5.34.17 PM

  • Call log and recording:

Screen Shot 2016-07-06 at 5.34.42 PM

  • Phone front and back camera capture:

Screen Shot 2016-07-06 at 5.35.07 PM

  • Screen capture:

Screen Shot 2016-07-06 at 5.50.33 PM

  • Browser history:

Screen Shot 2016-07-06 at 5.35.35 PM

Moreover, the app is capable of changing the system settings listed below:

  • BROWSER_HISTORY_ENABLED
  • CAPTURE_PHOTO
  • CAPTURE_PHOTO_FORMAT
  • FILES_ONLY_WIFI
  • FILTER_LIST
  • FILTER_TYPE
  • FILTER_USE
  • FRONT_CAMERA_ENABLED
  • GPS_HIDDEN
  • GPS_ONLY_NEW
  • NOTIFY_CALL
  • NOTIFY_NUMBER
  • NOTIFY_SIM_CHANGE
  • NOTIFY_SMS
  • ONLY_WIFI
  • RECORD_CALLS
  • RECORD_FORMAT
  • RECORD_SOURCE

The app creates a SQL database to store the collected information; the database contains the following tables:

RC_SMS:

  • _id INTEGER PRIMARY KEY
  • number TEXT
  • name TEXT
  • date INTEGER
  • type INTEGER
  • text TEXT
  • sms_sent INTEGER
  • lat REAL
  • lon REAL
  • sent INTEGER

RC_CALL:

  • _id INTEGER PRIMARY KEY
  • number TEXT
  • name TEXT
  • date INTEGER
  • type INTEGER
  • duration INTEGER
  • sms_sent INTEGER
  • lat REAL
  • lon REAL
  • sent INTEGER

RC_GPS:

  • _id INTEGER PRIMARY KEY
  • acc REAL
  • alt REAL
  • lat REAL
  • lon REAL
  • date INTEGER
  • battery INTEGER
  • provider TEXT
  • sent INTEGER

RC_BROWSER:

  • _id INTEGER PRIMARY KEY
  • date INTEGER
  • url TEXT
  • title TEXT
  • lat REAL
  • lon REAL
  • sent INTEGER

The malware is capable of communicating with the remote server to send stolen information by email or text message, and its ability to change system settings allows the attacker almost full control of the device.
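The table layout above doubles as a forensic map: a responder who recovers the database from an infected device can read back what was collected, how much had not yet been uploaded, and over what time span the collection ran. The Python below is an added example, not code from the report or from the sample. It recreates the four tables in an in-memory SQLite database (the INTEGER/TEXT/REAL column typing listed above is SQLite's, which is also the database engine Android ships), fills them with constructed rows, and assumes that sent = 0 marks a record not yet transmitted and that date holds Unix epoch milliseconds; both of those meanings are assumptions, not facts stated in the report.

```python
"""Read back the spyware's local store for incident response.

Added example, not from the report. Table and column names follow the
schema listed above; the rows are CONSTRUCTED, and the meaning assumed
for sent (0 = not yet uploaded) and date (epoch milliseconds) are
assumptions made for illustration.
"""
import sqlite3
from datetime import datetime, timezone

# Table definitions copied from the schema listed in the report.
SCHEMA = """
CREATE TABLE RC_SMS (_id INTEGER PRIMARY KEY, number TEXT, name TEXT, date INTEGER,
    type INTEGER, text TEXT, sms_sent INTEGER, lat REAL, lon REAL, sent INTEGER);
CREATE TABLE RC_CALL (_id INTEGER PRIMARY KEY, number TEXT, name TEXT, date INTEGER,
    type INTEGER, duration INTEGER, sms_sent INTEGER, lat REAL, lon REAL, sent INTEGER);
CREATE TABLE RC_GPS (_id INTEGER PRIMARY KEY, acc REAL, alt REAL, lat REAL, lon REAL,
    date INTEGER, battery INTEGER, provider TEXT, sent INTEGER);
CREATE TABLE RC_BROWSER (_id INTEGER PRIMARY KEY, date INTEGER, url TEXT, title TEXT,
    lat REAL, lon REAL, sent INTEGER);
"""

# Constructed sample rows (not recovered from a real device); dates are
# epoch milliseconds on 2016-07-07, one hour apart.
SAMPLE_ROWS = {
    "RC_SMS": [
        (1, "+15550100", "Alice", 1467849600000, 1, "meet at 5", 0, 37.77, -122.42, 1),
        (2, "+15550101", "Bob", 1467853200000, 2, "ok", 0, 37.77, -122.42, 0),
    ],
    "RC_CALL": [
        (1, "+15550100", "Alice", 1467856800000, 1, 120, 0, 37.77, -122.42, 0),
    ],
    "RC_GPS": [
        (1, 10.0, 15.0, 37.77, -122.42, 1467860400000, 85, "gps", 1),
        (2, 12.0, 15.0, 37.78, -122.41, 1467864000000, 80, "network", 0),
    ],
    "RC_BROWSER": [
        (1, 1467867600000, "https://example.com/", "Example", 37.77, -122.42, 0),
    ],
}

TABLES = ("RC_SMS", "RC_CALL", "RC_GPS", "RC_BROWSER")


def load_sample_db():
    """Build an in-memory copy of the store populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany("INSERT INTO %s VALUES (%s)" % (table, marks), rows)
    conn.commit()
    return conn


def _iso(ms):
    """Epoch milliseconds to an ISO-8601 UTC timestamp (None passes through)."""
    if ms is None:
        return None
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def exfil_summary(conn):
    """Per table: rows collected, rows still pending upload, and the collection window."""
    summary = {}
    for table in TABLES:
        total, pending, first, last = conn.execute(
            "SELECT COUNT(*), SUM(sent = 0), MIN(date), MAX(date) FROM " + table).fetchone()
        summary[table] = {"total": total, "pending": pending or 0,
                          "first": _iso(first), "last": _iso(last)}
    return summary


def timeline(conn):
    """Merge every table into one chronological list of (time, table, detail)."""
    events = []
    for d, n, t in conn.execute("SELECT date, number, text FROM RC_SMS"):
        events.append((d, "RC_SMS", "%s: %s" % (n, t)))
    for d, n, dur in conn.execute("SELECT date, number, duration FROM RC_CALL"):
        events.append((d, "RC_CALL", "%s (%ds)" % (n, dur)))
    for d, lat, lon, prov in conn.execute("SELECT date, lat, lon, provider FROM RC_GPS"):
        events.append((d, "RC_GPS", "%.4f,%.4f via %s" % (lat, lon, prov)))
    for d, url in conn.execute("SELECT date, url FROM RC_BROWSER"):
        events.append((d, "RC_BROWSER", url))
    events.sort()
    return [(_iso(d), table, detail) for d, table, detail in events]


if __name__ == "__main__":
    db = load_sample_db()
    for table, stats in exfil_summary(db).items():
        print(table, stats)
    for event in timeline(db):
        print(*event)
```

On a real case the only change is replacing load_sample_db() with sqlite3.connect() on the database file pulled from the device; the pending counts then tell the responder which records the attacker had not yet received at the time the device was seized.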

Top 10 Most Widespread Mobile App Viruses (6/26/2016 – 7/2/2016)

The following table contains the top 10 most widespread mobile app viruses discovered by Trustlook Mobile Security for the week of June 26, 2016 through July 2, 2016.

Virus Name                     # of Mobile Apps Containing the Virus
Android.Trojan.Sendbox         172,778
Android.Trojan.Obad            46,150
Android.Malware.Downloader     4,909
Android.Trojan.Triada          4,899
Android.Malware.Fakegupdt      4,567
Android.Trojan.Ztorg           4,219
Android.Trojan.Hideicon        4,090
Android.Trojan.Regdev          3,528
Android.Trojan.Downloader      2,901
Android.Trojan.Kemoge          2,584

Make sure you are always protected from mobile malware and viruses by downloading the Trustlook Mobile Security app.