Top 5 Scariest Malware for Halloween

Happy Halloween! Trustlook has compiled a colorful Halloween Android malware infographic. Based on a study of 376,031 malware samples in the month of October, we have identified the Top 5 Scariest Malware families, and offer a close-up look of actual malicious apps. Here is what is in the infographic:

▪ Descriptions of the Top 5 Scariest Malware families
▪ Access to detailed reports (clickable) of 20 real malicious apps
▪ Tips to stay protected against malware

Click here to view to infographic.

 

 

Latest BYOD research is part of Trustlook Insights Q4 report

Trustlook has released its Q4 Trustlook Insights report which focuses on the latest trends and best practices in BYOD (Bring Your Own Device). BYOD is the practice of allowing employees to use personal devices at work. It gives employees freedom over where (and how) they work, and allows companies to spend less in operating expenses. Despite its rising popularity, many employers are still on the fence. If not fully understood and regulated, BYOD can threaten IT security and put a company’s sensitive business systems at risk.

This report is the result of a survey of 320 Trustlook Mobile Security users. Some findings validated existing beliefs, while others were truly fascinating in terms of how BYOD is treated and understood at organizations. Such as:

▪ Only 39% of companies have a formal BYOD policy
▪ 70% of employees use a personal device at work
▪ 86% of companies have no preferred mobile security app
▪ 51% of employees have received no training on BYOD

Feel free to download the survey report and infographic and explore the latest findings.

Top 10 Trending Malwares for October 7, 2016

SkyEye from Trustlook provides deep insights into mobile apps. The following 10 apps contain the most dangerous malware for the past week.

1.Android.Trojan.Kungfu
2.Android.Trojan.Vplayer
3.Android.Troj.Dialer
4.Android.Trojan.Fakeinst
5.Android.Trojan.Androrat
6.Android.Riskware.Guidead
7.Android.Trojan.Androrat
8.Android.Adware.Waps
9.Android.Adware.Startapp
10.Android.Riskware.Counterclank

See information on over 3 million apps on SkyEye.

How to Unpack Baidu Protect through Memory Dumping

Trustlook Mobile Security has researched an app (MD5: 67257EA2E9EC6B35C9E5245927980EEA) that is packed/encrypted by Baidu Protect, the service provided by Baidu. Users can upload their APKs to the developer portal in Baidu to get their apps hardened.

The app terminates itself when running on several versions of Android emulators.

It runs on a Moto G phone with Android version 4.4.3. The app has the following structure:

image02

The file “libbaiduprotect.so” under the lib/armeabi folder shows that the app is packed by Baidu Protect.

Some popular unpacking tools don’t seem to work on this app. ZjDroid, for example, which is installed as a module for the Xposed, causes the app to crash. DexExtractor also doesn’t generate any DEX files.

The app has implemented anti-debugging techniques. For example, the following code snippets prevent the debugger from attaching to the process:

image01

Most app packers use JNI native code to modify the Dalvik bytecode in the memory. The packers sometime unpack/decrypt the real DEX file in the memory, which is what gave us a chance to dump the memory.

Using the ADB connect to the phone, we ran the “ps” command, which gave the following result:

image04

The app has the process ID “28953”. We examined the region of the virtual memory in the process.

The first address field shows the starting and ending address of the region in the process’s memory space. The last field shows the name of the file mapped. We fired up “dd” command to dump the memory associated with the last file.

image06

The “dd” command accepts decimal values in the parameters. Here the value for the “skip” parameter is the beginning address of the memory and the “count” parameter takes the range of the beginning and ending value.

After the file is dumped, we pull the file and examine it:

image05

The file is an ODEX file which has the header stripped. After retrieving the magic code, we have the following file:

image08

Unpack the file:

image07
image11
image09

Observe the JAR file:

image10

Note the above method does not work for apps using multiple processes. The memory dumping tool searching for the DEX magic code won’t work on this type of app.

Video on How to Stay Safe from BadKernel Android Threat

First discovered in August 2016, BadKernel is a flaw in the Google Chromium mobile browser framework that spreads as users click on malicious links. Users of older versions of Chromium-powered mobile browsers, as well as applications with embedded Webview (such as the massively popular WeChat app) may be vulnerable. If infected, a user’s contacts and text messages could be exposed, as well as any payment passwords.

Watch now!