“The Clickers” – Zombie Malware that Feeds on the Mobile Ecosystem

Authors: Tianfang Guo, Jinjian Zhai; Special Thanks: Steven Chen

Last week, Trustlook exposed the Facebook credential phishing malware “Cowboy Adventure”. In that article we pointed out that phishing is one kind of behavior that is difficult to detect via an automated technical approach. This may be one reason it sneaked past the Google Play Store’s “Bouncer” automated security check.

In this article, we will highlight several examples of Zombie malware on Google Play that we very recently uncovered. These are called “The Clickers”. They commit another stealthy kind of malicious behavior, one that will likely be overlooked by automated analysis solutions.

A “Clicker” is malware that affects a large part of the mobile ecosystem, creating fraud for vendors, spamming networks and exploiting the resources of the user community. This form of malware launches requests through advertising links. “Clickers” generate costly, false user traffic for advertisers, while draining the user’s battery and consuming their monthly data plan allowance. Everyone loses when a “Clicker” is unleashed.




The latest malware we detected is called “Best: Dubsmash”. It has no actual functionality other than a confusing UI; most users are likely to spend some time figuring out what it does. In the meantime, let’s see what it is doing in the background:



It communicates with a C&C server, which serves the target URL that the app is supposed to “click”.

According to our tests, this endpoint returns a different URL each time it is refreshed. Most of the URLs are porn sites.


Our behavioral analysis shows the Zombie requests are generated by invisible WebView calls at a constant 20-second interval. There goes the user’s battery life and data plan. It will also (or rather should) create events on a properly monitored corporate network. Just what your SecOps team needs, right? More spam remediation.
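A detection rule for the cadence described above, added here as an example rather than Trustlook’s tooling: it walks constructed proxy log lines, keeps the requests whose user agent looks like an Android WebView, and flags a client whose requests arrive every ~20 s against a fresh host each time. The log format, the WebView user-agent heuristic and the thresholds are assumptions.

```python
"""Flag clicker-style beaconing in proxy logs (added detection example).

Traits taken from the analysis above: a hidden WebView fetching a fresh,
C&C-supplied URL every ~20 s. The log format, the constructed sample
lines and the thresholds are assumptions for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Assumed proxy line format: <ISO time> <client> <method> <url> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed user agents: Android 4.x WebView vs. the Chrome browser.
WEBVIEW_UA = ("Mozilla/5.0 (Linux; Android 4.4.2) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Mobile Safari/537.36")
CHROME_UA = ("Mozilla/5.0 (Linux; Android 4.4.2) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36")


def _line(sec, client, url, ua):
    """Build one constructed log line `sec` seconds after 14:40:00."""
    return f'2015-07-13T14:{40 + sec // 60:02d}:{sec % 60:02d} {client} GET {url} "{ua}"'


SAMPLE_LOG = "\n".join(
    # clicker: one hidden-WebView fetch every 20 s, each to a different host
    [_line(20 * i, "10.0.0.21", f"http://site{i}.example/land", WEBVIEW_UA) for i in range(6)]
    # ordinary browsing: irregular timing, one host, real Chrome user agent
    + [_line(s, "10.0.0.37", "http://news.example/", CHROME_UA) for s in (3, 9, 71, 130, 131, 300)]
    # benign embedded WebView: only three fetches, all to the same host
    + [_line(s, "10.0.0.42", "http://api.example/v1", WEBVIEW_UA) for s in (5, 65, 90)]
)


def parse_log(text):
    """Yield (time, client, host, user_agent); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, ua = m.groups()
        yield datetime.fromisoformat(ts), client, urlsplit(url).hostname, ua


def is_webview_ua(ua):
    """Heuristic: the pre-Lollipop Android WebView sends a 'Version/4.0'
    token that the stand-alone Chrome browser does not."""
    return "Android" in ua and "Version/4.0" in ua


def find_clickers(text, period=20.0, tolerance=3.0, min_requests=5):
    """Return {client: summary} for clients whose WebView requests arrive at a
    steady cadence near `period` seconds and fan out over many distinct hosts."""
    per_client = defaultdict(list)
    for ts, client, host, ua in parse_log(text):
        if is_webview_ua(ua):
            per_client[client].append((ts, host))
    findings = {}
    for client, events in per_client.items():
        if len(events) < min_requests:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        median_gap = statistics.median(gaps)
        jitter = statistics.pstdev(gaps)          # 0.0 for a perfectly regular timer
        hosts = {h for _, h in events}
        if abs(median_gap - period) <= tolerance and jitter <= tolerance \
                and len(hosts) >= len(events) // 2:
            findings[client] = {"requests": len(events), "median_gap_s": median_gap,
                                "distinct_hosts": len(hosts)}
    return findings


if __name__ == "__main__":
    for client, summary in find_clickers(SAMPLE_LOG).items():
        print(f"{client}: {summary}")
```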



As of 2:40 PM PST on Jul 13, this app, as well as 3 similar “clickers”, is still alive on Google Play. We have already reported the issue to our colleagues at Google Play and look forward to timely remediation.


Meet the Most Successful Malware on Google Play: Nearly 1M Users in 4 Months

Authors: Tianfang Guo, Jinjian Zhai

How many users can a stealthy malware acquire after being published on Google Play? Hundreds? Thousands? We believe a new record has been established: 500k-1m downloads. This malware survived more than 4 months until the Trustlook research team uncovered it.

The holder of this dubious honor is a malware called “Cowboy Adventure”. It is a simple game built with the popular 2D game engine “Platformer 2D”. After careful analysis our team found a devious and scary reason behind its user growth.



Beginning of the story

Days ago, we found users complaining that their Facebook accounts had been abused to send a game invite to all of their friends. Most of them speak Chinese:


After analysis, we found that “Cowboy Adventure” is actually phishing malware disguised as a game. It forges a Facebook login and collects users’ Facebook usernames and passwords. By spamming the victims’ friends, it spreads virally. Moreover, the phishing behavior is committed “selectively”: only IP addresses from Asia could trigger it.


The detailed analysis


Above is the fake Facebook login window. If you have basic knowledge of OAuth, you know that no third party should ask for your Facebook credentials this way.

The app is developed using Mono, the open-source, cross-platform implementation of Microsoft’s .NET Framework. The app’s code is written in C# and compiled into several PE DLL files. We used Telerik JustDecompile and ILSpy to decompile them.

The key code is in two DLLs:

ThinkerAccountLibrary.dll – the component responsible for collecting user information, including Facebook accounts.
CowboyAdventure.dll – the game’s code. It also contains the entry activity that decides, based on the user’s location, whether to show the phishing activity.

Upon launching, the app first communicates with a command & control server.

The returned data determines the app’s logic: start the game directly, or phish the user via the fake Facebook login activity.

During our test, the returned data turned out to be very tricky: the C&C server decides whether to commit malicious behavior based on the client IP. When we accessed the URL from our IP in the United States, the response had the “LoginEnabled” value set to 0. In this case, the game starts without phishing.

However, when we accessed this URL via a proxy server in Mainland China, Hong Kong, Taiwan or Southeast Asia, the response was different.

Note the “LoginEnable” value has changed to 1. In this case, the app first pops up the phishing activity. This is probably a trick to delay its discovery by major antivirus vendors outside Asia. (And it worked!)
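One way a sandbox can catch this kind of geofencing, as an added example (not Trustlook’s or the malware’s code): fetch the C&C configuration from several exit regions and diff the JSON. The field names LoginEnabled and UrlHomePage come from the analysis above; the response bodies and region labels are constructed.

```python
"""Compare a C&C reply as seen from different exit regions (added example).

A sandbox with a single exit point only ever sees the harmless branch of a
geofenced configuration. This helper takes the raw JSON bodies collected
per region and reports the fields whose value depends on where the request
came from. LoginEnabled and UrlHomePage are the field names from the
article; everything else is constructed.
"""
import json

# Constructed per-region responses; "ca" models a fetch that failed.
RESPONSES = {
    "us": '{"LoginEnabled": 0, "UrlHomePage": "", "Version": "1.2"}',
    "cn": '{"LoginEnabled": 1, "UrlHomePage": "http://collector.example/login", "Version": "1.2"}',
    "hk": '{"LoginEnabled": 1, "UrlHomePage": "http://collector.example/login", "Version": "1.2"}',
    "ca": "<html>502 Bad Gateway</html>",
}


def parse_responses(raw):
    """Split raw bodies into {region: dict} plus {region: error} for the rest."""
    parsed, errors = {}, {}
    for region, body in raw.items():
        try:
            value = json.loads(body)
            if not isinstance(value, dict):
                raise ValueError("top-level JSON value is not an object")
            parsed[region] = value
        except ValueError as exc:          # json.JSONDecodeError is a ValueError
            errors[region] = str(exc)
    return parsed, errors


def region_dependent_fields(parsed):
    """Return {field: {region: value}} for every field that is not identical
    across all regions that answered; a missing field counts as a value."""
    fields = set()
    for body in parsed.values():
        fields.update(body)
    varying = {}
    for field in sorted(fields):
        # serialise so that nested lists/objects compare reliably
        rendered = {json.dumps(body.get(field), sort_keys=True) for body in parsed.values()}
        if len(rendered) > 1:
            varying[field] = {region: body.get(field) for region, body in parsed.items()}
    return varying


def assess(raw, min_regions=2):
    """Verdict 'geofenced' if any field differs by region, 'uniform' if none
    does, 'inconclusive' if fewer than `min_regions` regions returned JSON."""
    parsed, errors = parse_responses(raw)
    if len(parsed) < min_regions:
        return {"verdict": "inconclusive", "varying": {}, "errors": errors}
    varying = region_dependent_fields(parsed)
    return {"verdict": "geofenced" if varying else "uniform",
            "varying": varying, "errors": errors}


if __name__ == "__main__":
    print(json.dumps(assess(RESPONSES), indent=2))
```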

Here is our reverse-engineered code showing the logic:
[Figure: reverse-engineered code]

The AppData class stores the data returned by the C&C server. “LoginEnable” indicates whether to phish, and “UrlHomePage” is the URL to which the users’ Facebook credentials are submitted.

As shown below, in the app’s main activity “HomeActivity”, the first activity shown to the user is decided by the value of “LoginEnable”.

[Figure: HomeActivity logic]

After the phishing activity pops up and the victim enters their Facebook account, the email and password are sent to the URL specified by the “UrlHomePage” value in the C&C server’s JSON response. The detailed logic is shown below:

[Figure: credential submission logic]

We don’t know exactly what happens after the C&C server receives the users’ Facebook accounts and passwords. But we can guess: an automated script uses Facebook’s API to spread the malware among friend networks, attracting more and more victims.

Even at the time of writing this article, ZERO AV vendors can detect this malware according to virustotal.com. VirusTotal even gave the comment: “Probably harmless! There are strong indicators suggesting that this file is safe to use.”
That is the story behind a “legendary” malware on Google Play, which infected nearly 1M phones in 4 months. According to our analysis, no complicated technology was used, just a little social engineering and a small trick to evade detection.


Some thoughts

We have to ask: what’s going wrong? The author’s opinion is as follows:

1. Mono is a relatively new development framework, and thus good at evading analysis. This is not about difficulty, but cost-efficiency. As the JAR package is still the majority of the Android threat source, few vendors have integrated Mono and C# code analysis into their automated platforms.

2. Phishing is naturally difficult to detect via automated technical approaches. A phishing Facebook login activity is no different from a normal login activity at the code level. Only an experienced human can identify the forged images and layout.

3. The sneaky developer set up a location-based triggering mechanism. This may have fooled a lot of AV vendors outside Asia.

4. Some AV vendors place too much trust in Google Play. The slow reaction of AV vendors and the VirusTotal result are the best evidence. The app’s high profile on Google Play might be a factor that made VirusTotal give the “Probably harmless” comment. Also, to our knowledge, some AV vendors give more trust to apps on Google Play during their automated analysis.


Update on Jul 9 3pm PST:

After more research, we found that the conclusion “the phishing only works for Asian IPs” is incorrect. It actually affects anywhere except the US and Canada.

Android Ransomwares: The Escalated Battle

Authors: Tianfang Guo, Jinjian Zhai

When talking about the cybercrime industry, the “business model” is more important than the technology itself. According to Security Magazine, cybercrime is costing businesses more than $1,500 per employee annually. That’s likely a drop in the bucket compared to how much ransomware pirates are extorting from business.

Last year, we published an article “Android Ransomwares – A True Threat or Bluffing”. Reviewing it today, most of the predictions in that article about the technologies used in Android ransomware have come true. Driven by profits, the ransomware makers have shelved ethics and laws, trying everything to force the victims to pay. According to McAfee Labs, the number of ransomware requests grew 165% in Q1 2015. [1]

How can businesses proactively repel ransomware? Trustlook has reviewed a large number of ransomware samples in the last few weeks and is building a solution. This article analyzes the ideas and technologies behind the ransomware and introduces Trustlook’s solution for detecting them.

Ransomware is best analyzed through 3 key metrics: how it blocks the normal usage of your phone; in what way it receives payment from the victim; and how it spreads. We will categorize the ransomware by the first and foremost metric, how it blocks normal usage, which gives three classes, or levels of severity:

  • Class A: They cause software-level damage to your phone: impairing data and/or gaining higher privileges to maintain command and control. These Android ransomware do on the phone what traditional ransomware does on the PC.
  • Class B: They do not cause damage or gain higher privileges, but disrupt the regular usage of the phone, e.g. by popping up “NAG”[2] messages that stay on top of the screen. They can be fixed more easily than Class A ransomware.
  • Class C: They do not use any technology to block usage; instead they rely on fraudulent information and social engineering to con victims. They are scam apps by nature rather than ransomware.

We will only discuss Class A and B ransomware in this article. All the malware mentioned in this article is now detected by Trustlook’s security solution.

Class A Ransomware:

Sample name: Android Performance Enhance
Package name: tx.qq898507339.bzy9
MD5: cdc77f3dfabdea5c5278ac9e50841ff3


  • Disguised as a system enhancement app
  • Tricks the user into authorizing device admin, including the permissions to change the screen-unlock password and lock the screen
  • Locks the screen with a password; victims are supposed to contact the author and make a payment to get the unlock password. We pretended to be a victim and contacted the author. He asked for 50 RMB (~$9) via AliPay (China’s PayPal).
  • Cannot be uninstalled using ADB due to the device admin privilege
  • Spreads mainly in China, via Baidu “Tieba” (like China’s reddit) and cloud storage

[Screenshot: asking for device admin]

[Screenshot: lock screen with a password]

Removal Difficulty: 4.5 stars
Transmission: 3 stars
Creativity: 3 stars
Overall Severity: 4.5 stars


Sample name: PornPlayer
Package name: com.ayurvedic
MD5: f91b39614dae1aae69337662dd287949


  • Disguised as a porn video player
  • Asks for device admin for self-protection
  • Encrypts media files with AES; the files are difficult to recover unless the key is intercepted before it is sent out
  • Pops up an always-on-top window asking for payment for the unlock key
  • Steals phone contacts and call logs
  • Cannot be uninstalled using ADB due to the device admin privilege


Our sandbox has clearly intercepted the suspicious encryption operation and the encryption key:

[Screenshot: sandbox trace of the encryption call and key]

Removal Difficulty: 5 stars
Transmission: 1 star
Creativity: 2 stars
Overall Severity: 5 stars


Sample name: Flash Player
Package name: com.android.locker
MD5: 645a60e6f4393e4b7e2ae16758dd3a11


  • Disguised as Flash Player
  • Asks for device admin for self-protection
  • Shows a forged FBI surveillance message, popping up every 5 s
  • Asks for $300 via MoneyPak voucher code


Removal Difficulty: 4 stars
Transmission: 2 stars
Creativity: 3 stars
Overall Severity: 4 stars

Class A ransomware summary:

They are one of the most severe types of malware on Android. Their logic is straightforward: block your phone usage, make sure you cannot recover on your own, then demand “data or money”.

As Android ransomware lacks the privileges of its Windows equivalent, device admin has become the critical path for doing damage (wiping data, locking the screen with a password) and for self-protection – and some users have no idea what device admin is, what it can do and how to revoke it. Even experienced Android users won’t be able to get into the “Settings” app to revoke it if the ransomware pops up an always-on-top activity using the SYSTEM_ALERT_WINDOW permission (or exploits the device admin vulnerability described at http://seclab.safe.baidu.com/2014-10/deviceadminexploit2.html).

Even without device admin, the WRITE_EXTERNAL_STORAGE permission allows the ransomware to encrypt the files on the SD card, including media files, as a “hostage”.


Class B Ransomware:

Sample name: Video Player
Package name: com.adobe.videoprayer
MD5: f836f5c6267f13bf9f6109a6b8d79175


  • Disguised as a video player
  • Pops up a fake FBI surveillance message
  • Sets the activity always on top; it cannot be dismissed using the home/return button
  • Takes a photo in the background as “evidence”
  • Accesses the browser history
  • Steals the contacts and threatens to send the “evidence of watching child pornography” to the victim’s contacts
  • Asks for $500 via a PayPal prepaid voucher card
  • Sends SMS in the background to the victim’s contacts with the download link, to spread virally


Our sandbox intercepted its background behaviors:

[Screenshot: sandbox trace of the background behaviors]

Removal Difficulty: 3 stars
Transmission: 5 stars
Creativity: 4.5 stars
Overall Severity: 5 stars


Sample name: APK compiler
Package name: com.qq2395414390
MD5: f836f5c6267f13bf9f6109a6b8d79175


  • Disguised as an APK enhancement app
  • Pops up a window that stays always on top; it cannot be dismissed using the home/return button
  • Plays a very loud sound to embarrass the victim in public
  • Victims are supposed to contact the author and make a payment
  • Spreads via “QQ Groupchat” (a popular PC messenger in China)


Removal Difficulty: 2 stars
Transmission: 3 stars
Creativity: 3 stars
Overall Severity: 3 stars



Class B ransomware summary:

The main idea behind Class B ransomware is “social engineering” rather than technology. They usually use sneaky ways to make users afraid or embarrassed enough to pay.

Most of them abuse the SYSTEM_ALERT_WINDOW permission to pop up an always-on-top window.

On the other hand, as they have neither device admin nor file encryption, an experienced Android user can easily kill them with a single “adb uninstall” command, once their tricks are unveiled.
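A manifest triage that encodes the traits from both class summaries (device admin for Class A, SYSTEM_ALERT_WINDOW for Class B, plus the aggravating permissions listed for the samples), added here as an example and not Trustlook’s engine. It assumes a manifest decoded to plain XML, as apktool produces; the sample manifest is constructed.

```python
"""Manifest triage for the ransomware traits in both class summaries
(added example, not Trustlook's detection engine).

Input is a decoded AndroidManifest.xml as a tool such as apktool emits
(assumption). A manifest only says what an app *may* do, so the result is
a triage hint for an analyst, not a verdict. The sample is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android(attr):
    """Fully qualified name of an android: attribute for ElementTree."""
    return f"{{{ANDROID_NS}}}{attr}"


SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.enhancer">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Performance Enhance">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def manifest_traits(xml_text):
    """Extract the manifest facts the two class summaries hinge on."""
    root = ET.fromstring(xml_text)
    perms = {p.get(android("name")) for p in root.iter("uses-permission")}
    # A device-admin component is a receiver guarded by BIND_DEVICE_ADMIN
    # and/or listening for DEVICE_ADMIN_ENABLED.
    device_admin = any(
        r.get(android("permission")) == "android.permission.BIND_DEVICE_ADMIN"
        or any(a.get(android("name")) == "android.app.action.DEVICE_ADMIN_ENABLED"
               for a in r.iter("action"))
        for r in root.iter("receiver"))
    return {
        "package": root.get("package"),
        "device_admin": device_admin,
        "overlay": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "sdcard_write": "android.permission.WRITE_EXTERNAL_STORAGE" in perms,
        "contacts": "android.permission.READ_CONTACTS" in perms,
        "send_sms": "android.permission.SEND_SMS" in perms,
        "camera": "android.permission.CAMERA" in perms,
    }


def classify(traits):
    """Map traits onto the article's classes: device admin => Class A (lock
    screen, resist adb uninstall); overlay only => Class B (nag window);
    neither => no ransomware signal. Notes list aggravating permissions."""
    if traits["device_admin"]:
        cls = "A"
    elif traits["overlay"]:
        cls = "B"
    else:
        return {"class": None, "notes": []}
    aggravators = (
        ("sdcard_write", "can reach SD-card media (file hostage possible)"),
        ("contacts", "reads contacts (extortion / spreading to friends)"),
        ("send_sms", "sends SMS (viral spread)"),
        ("camera", "camera access ('evidence' photos)"),
    )
    return {"class": cls, "notes": [text for key, text in aggravators if traits[key]]}


if __name__ == "__main__":
    t = manifest_traits(SAMPLE_MANIFEST)
    print(t["package"], classify(t))
```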



[1] http://www.mcafee.com/us/about/news/2015/q2/20150609-01.aspx

[2] https://en.wikipedia.org/wiki/Nagware

How apps track your location without asking for permission


It’s common sense for Android users to check the permission list before installing an app. If the app asks for access to SMS, your contacts list or location, you know it may compromise your privacy. What if a game app only asked for the wifi_status permission? You might install it with ease – and unknowingly enable 3rd parties to track your location!

The Android LocationManager was considered to be the only way to acquire the location data, and required a user’s approval on the ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION permissions. However, researchers at the Technical University of Denmark have discovered a covert channel to locate and track a user without permission by using the latent location signal disclosed by wifi scanning.

Android has opened wifi status data to developers. The only permission needed is ACCESS_WIFI_STATE, which is common and considered low risk (vs. the privacy-sensitive ACCESS_COARSE_LOCATION). Information now accessible to an Android developer includes:

  • Scanned SSID list
  • Scanned BSSID list
  • Signal strength for scanned list
  • IP Address for connected AP


Note that these metrics are accessible even with system wifi and location disabled! The code can be found here.

A phone can be easily tracked with the BSSID and signal strength data.

What is BSSID?

BSSID is short for basic service set identification, the “MAC address” of the wireless access point.[2] It is formed from the manufacturer’s 24-bit Organizationally Unique Identifier (OUI) followed by a 24-bit device-specific part. In short, the BSSID is the unique fingerprint of a wifi access point, unlike the SSID, which is human readable and can be duplicated.

If we can acquire a list of nearby BSSIDs and know the wifi access points’ (AP) locations, we can locate the user within a small area, as most wifi APs are stationary and cannot broadcast further than 100m (research shows only 5% of them are mobile APs such as personal devices). Also, by using the real-time signal strength data, we can estimate the user’s movement track.
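To show how little ACCESS_WIFI_STATE leaves to the imagination, here is an added example (not code from the paper or from Trustlook) that turns a constructed scan list and a constructed BSSID-to-coordinate table into a position estimate via an RSSI-weighted centroid; the propagation constants are assumed.

```python
"""Locate a phone from a Wi-Fi scan alone (added example for the covert
channel described above; not code from the paper or from Trustlook).

Inputs are what ACCESS_WIFI_STATE hands any app: BSSIDs and signal levels.
The BSSID-to-coordinate table stands in for a public wardriving database
and, like the scan, the 'true' position and the radio constants, is
constructed for this illustration.
"""
import math

# Constructed lookup table: BSSID -> (lat, lon), four APs 40-70 m away.
AP_LOCATIONS = {
    "00:11:22:33:44:01": (37.38600, -121.97800),
    "00:11:22:33:44:02": (37.38650, -121.97720),
    "00:11:22:33:44:03": (37.38580, -121.97700),
    "00:11:22:33:44:04": (37.38660, -121.97820),
}
TRUE_POSITION = (37.38620, -121.97760)   # where the constructed scan was "taken"

# Constructed scan result: (BSSID, level in dBm); the last AP is unknown to us.
SCAN = [("00:11:22:33:44:01", -81), ("00:11:22:33:44:02", -82),
        ("00:11:22:33:44:03", -86), ("00:11:22:33:44:04", -86),
        ("aa:bb:cc:dd:ee:ff", -70)]


def rssi_to_metres(level_dbm, tx_power_dbm=-40.0, path_loss_exponent=2.5):
    """Log-distance path-loss model; constants assumed, not calibrated."""
    return 10 ** ((tx_power_dbm - level_dbm) / (10 * path_loss_exponent))


def haversine_m(p, q):
    """Great-circle distance in metres between two (lat, lon) points."""
    r = 6371000.0
    lat1, lon1, lat2, lon2 = map(math.radians, (*p, *q))
    a = math.sin((lat2 - lat1) / 2) ** 2 + \
        math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def estimate_position(scan, ap_db):
    """Inverse-square-distance weighted centroid of the known APs.
    Returns (lat, lon) or None when no scanned BSSID is in the database."""
    weights, lat_sum, lon_sum = 0.0, 0.0, 0.0
    for bssid, level in scan:
        if bssid not in ap_db:
            continue                      # unknown AP: no location information
        w = 1.0 / rssi_to_metres(level) ** 2
        lat, lon = ap_db[bssid]
        weights += w
        lat_sum += w * lat
        lon_sum += w * lon
    if weights == 0.0:
        return None
    return lat_sum / weights, lon_sum / weights


def localisation_error_m(scan=SCAN, ap_db=AP_LOCATIONS, truth=TRUE_POSITION):
    """Distance between the estimate and the constructed true position."""
    est = estimate_position(scan, ap_db)
    return None if est is None else haversine_m(est, truth)


if __name__ == "__main__":
    print("estimate:", estimate_position(SCAN, AP_LOCATIONS))
    print("error (m): %.1f" % localisation_error_m())
```

With four known APs the constructed scan lands within a few metres of the true point, well inside the ~100 m range the article quotes for a single AP.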

Next question: how many BSSIDs have known locations? Many, if not most, are available through a variety of services via API queries. The website wigle.net claims to have location data for 195,741,189 wifi hotspots:



Living in the civilized world, could you escape such a web?

In the original paper, “Tracking Human Mobility using WiFi signals” [1], the authors highlight an example of following a user’s movements between home, 2 offices and a market, using the data from only 8 wifi access points:

[Figure: movement trace reconstructed from 8 access points]


They also published a PoC app, “WiFi Watchdog”, on Google Play. I tried it and it was surprisingly accurate even though the app was granted no location permissions!



The same method also applies to iOS, which has greater user location data privacy protection. Nonetheless, iOS still allows acquiring the BSSID of the currently connected wifi network.



A user can deny the location requests on an iOS device at will. However, an app using wifi BSSID can still get a user’s static location without asking.

Our research team is working on coverage of this covert channel privacy violation. Stay tuned for our update!


[1] http://arxiv.org/pdf/1505.06311v1.pdf

[2] http://en.wikipedia.org/wiki/Service_set_(802.11_network)#Basic_service_set_identification_.28BSSID.29

The 1st and Only Deep Audit Feature in Mobile Security Industry – APK Insider





What is “APK Insider”?

APK Insider is the first and only real-time sandbox analysis in the mobile security industry. Instead of simply doing static analysis, it provides deep dynamic analysis of any app on the device and discovers potential 0-day threats.


In what scenario should I use APK Insider?

If you strongly suspect that an app will do bad things on your phone – such as sending SMS to generate fees, or stealing your contacts – you can upload it to APK Insider, and we will run it before you do. Our sandbox simulates a virtual Android system and exposes potentially questionable behaviors while running the app. Afterwards, a behavior report is generated, with a conclusion on whether the app is safe or not.


Where is it?

Click the Menu button in the upper-right corner and you will see the beta version. Try it and let us know what you think so that we can improve!


How to use?

Choose the apps you want to check, then click the “Submit” and “Ok, sure” buttons to start the analysis.

Since we are doing the analysis in real time on our platform, please allow some time for processing.

The apps will be categorized automatically under “Analyzed APKs” and marked as safe or dangerous.

Simply click the dangerous app or the “Uninstall” button to eliminate potential risks.



Currently this feature is in its beta test stage and only open to selected customers.

Cannot see it in your app? Don’t worry, the official version is coming soon!

Let us know what you think if you tried it!

Visual Identity Change Announcement


Dear Customers,

We are delighted to announce this month’s launch of Trustlook’s new Visual Identity Program, marking the next stage of our corporate growth. The Visual Identity program will focus on providing a higher-level integration of our vision, product and company culture. It will serve to unify and promote Trustlook’s distinct brand in the mobile security industry, as well as present an image of trust and reliability to customers worldwide. The new identity includes fresh designs for the company logo, app icon, customer website (my.trustlook.com) and official website (www.trustlook.com). The implementation of these visual identity changes will be phased in during the month of May and will be in full effect by June 1st, 2015.



  • Company Logo


  1. The new Trustlook logo design is simple, yet bold. It abandons the previously used “shield” figure and uses a modern red color with a refreshing shape to represent the magnitude of the Trustlook brand.
  2. The spiral figure mimics the sharp “lightning” shape that represents the app’s ease of use and our quick response to 0 day malware – we are the only mobile security vendor that provides real-time malware detection.
  3. The spiral figure also mimics the image of DNA. It brings a fresh and unique feeling, which represents Trustlook as new blood in the mobile security industry.
  4. The new spiral logo also relates to the trilateral effort required to meet the three qualifications of trust: ability, integrity and benevolence, as well as the 360-degree approach we embrace as a company.
  5. ** The interim app icon is used temporarily and will be replaced by the new icon after we release our latest version.



  • App Icon


  1. Consistent with Trustlook’s brand image, the new app icon design is based on the new company logo, placed properly to visually balance composition and size. It is vivid and easily recognized in Google Play store as well as on mobile device screens.
  2. The outer circle of the icon, evocative of a scanning process gauge, highlights our app’s main feature – Scanning Malware for Detection on your devices.
  3. The color blue expresses a feeling of trust, reliability, safety, stabilization, and peace. The icon is also a symbol of these promises and just one of many exciting new developments to come.





  • Customer Website & Official Website

Based on the new company logo, we have redesigned the firm’s websites, www.trustlook.com and my.trustlook.com. Customers seeking Trustlook Antivirus & Mobile Security for their security needs, and business partners who want to find out more about our organization, will continue to find our technology platform, news and blogs. The same values and messages we share as a new, innovative company are now presented in a crisp, clear and elegant format. Listening carefully to your input has helped us make my.trustlook.com a more organized and informative interface, helping customers manage their mobile devices online more easily.





This new VI program marks a new era in Trustlook’s evolution. It provides us the opportunity to remind our users, partners and investors of the value and impact of our mission: to become “your mobile security guardian for a Zero Day World”. We believe the new brand design will strengthen our unique identity around the world.

Let us know what you think!


Best regards,

Trustlook Team



Privacy Defense Battle from Google Play Apps


Authors: Tianfang Guo, Jinjian Zhai

According to our recent scan of the Google Play Store, more than 400 apps have been detected as containing potentially risky behaviors that compromise a user’s privacy. The Trustlook Mobile Security & Antivirus database includes this latest list for your protection. The detailed analysis can be found in a separate blog to be released. The full list of apps can be found here.

What will happen if I install one of these apps?

All these apps contain risky behavior: sending sensitive information, including phone numbers, contacts, SMS, photo gallery and geolocation, without the user’s specific knowledge. Once the apps’ vendors have collected this data, it could be used for adware network identification or sold to other firms.[1]

Are they malware?

Not exactly, as most of them are not built for malicious purposes per se. Yet they do exploit a corner case of Google Play’s policy (GP developer policy). Furthermore, some of the apps have a user base of more than 10M, which creates a privacy risk greater than most viruses.

What can you do to protect your phone?

When you open one of the apps in the list, you should be aware that some of your personal information may be collected. Try to find an alternative app, or do not open them unless it’s absolutely necessary.

How does Trustlook discover them?

Trustlook built a cloud-based crawler system which efficiently mines data and collects APKs from various app markets in multiple countries. Once collected, apps are analyzed by a behavioral analysis engine to expose questionable behavior.

Unlike most antivirus software, Trustlook does not simply analyze the apps statically, but runs them in a native environment to best monitor their dynamic behavior. A detailed analysis is generated with highlighted behavior and potential security risks.

In this sample, the contact list is captured by the app, and sent to a remote server:

[Screenshot: sandbox trace of the contact list being sent to a remote server]

What’s more, Trustlook’s analytics platform has implemented cutting-edge “taint analysis”, which tracks all sensitive data flows in memory and detects risky behavior as soon as the sensitive data appears in the outbound traffic. Such techniques can detect new malware and 0-day attacks quickly, protecting Trustlook users’ privacy in a timely manner.
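The egress side of such a check, as an added example that is not Trustlook’s engine: the sandbox knows the identifiers it seeded into the emulator, so it can look for them in every outbound request in plain, URL-encoded, Base64 and hashed form. All identifiers and captured requests below are constructed.

```python
"""Egress check for seeded identifiers (added example, not Trustlook's
taint engine). A dynamic platform controls the phone number, contacts and
device identifier present in its emulator, so the simplest taint sink is
to look for those values, in the encodings apps commonly use, in every
outbound request. All identifiers and captured requests are constructed.
"""
import base64
import hashlib
from urllib.parse import quote, unquote_plus

# Identifiers the sandbox seeded into the constructed emulator profile.
SEEDED = {
    "phone_number": "+14085550123",
    "contact": "Alice Example <alice@example.org>",
    "device_id": "867530900000001",     # fake IMEI-like value
}


def wire_forms(value):
    """The shapes a tainted string commonly takes on the wire."""
    raw = value.encode()
    return {
        "plain": value,
        "urlencoded": quote(value, safe=""),
        "base64": base64.b64encode(raw).decode(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def scan_egress(requests, seeded=SEEDED):
    """requests: iterable of (method, url, body). Returns one finding per
    (request, identifier) naming the first encoding that matched."""
    findings = []
    for idx, (method, url, body) in enumerate(requests):
        # search both the raw text and its URL-decoded form
        haystack = "\n".join((url, unquote_plus(url), body, unquote_plus(body)))
        for label, value in seeded.items():
            for form, needle in wire_forms(value).items():
                if needle in haystack:
                    findings.append({"request": idx, "method": method, "url": url,
                                     "identifier": label, "form": form})
                    break
    return findings


# Constructed capture: a Base64-wrapped contact upload, a tracker beacon
# carrying a hashed device id, a URL-encoded phone number, and one benign
# update check that must not be flagged.
CAPTURED = [
    ("POST", "http://sync.example/upload",
     '{"c": "%s"}' % base64.b64encode(SEEDED["contact"].encode()).decode()),
    ("GET", "http://ads.example/t?u=" + hashlib.md5(SEEDED["device_id"].encode()).hexdigest(), ""),
    ("GET", "http://stats.example/p?n=" + quote(SEEDED["phone_number"], safe=""), ""),
    ("POST", "http://update.example/check", '{"version": "1.0"}'),
]

if __name__ == "__main__":
    for finding in scan_egress(CAPTURED):
        print(finding)
```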

The next risky apps report will be released soon, so stay tuned!

[1] https://www.fireeye.com/blog/threat-research/2014/03/a-little-bird-told-me-personal-information-sharing-in-angry-birds-and-its-ad-libraries.html