Trustlook’s New App Addresses Widespread Qualcomm Vulnerability

Trustlook is taking steps to combat a widespread vulnerability affecting millions of Android devices. First discovered by FireEye in March 2016, the vulnerability is present in all Android Jelly Bean, KitKat and Lollipop phones using Qualcomm CPUs. On these devices, third party apps could gain special system privileges, or access to a user’s SMS database and phone history, without a user’s knowledge.

To determine if a user device is vulnerable to this threat, Trustlook released a free Qualcomm Vulnerability Scanner application (available here) to enable any Android phone owner to check for this security threat. If the device is exposed, a user may be able to download a software update from the device manufacturer that contains a security patch.

A major concern is that for many devices, there may be no fix available because the device is no longer supported by the manufacturer with regular updates and security patches. The only foolproof way to eliminate the vulnerability is to get a new device or install a mobile security app on the phone.

Trustlook is working on providing additional protection against potential exploits of the Qualcomm vulnerability, particularly for devices that currently lack a security patch for the system software, in its core Trustlook Mobile Security application. Please stay tuned for updates on this. In the meantime, you are highly encouraged to download the Qualcomm Vulnerability Scanner to determine if your device is at risk.

Organized Crime using Rootkit – The analysis of the Triada malware

– Trustlook Research Team

The Trustlook Research Team recently analyzed a complex piece of malware that uses a rooting SDK to facilitate its malicious behavior.

MD5: 3B71DEBDE5F6A3E4D2E9321266DA76F7

Package name: fbkgofn.jpcebbe.mcdfpda.decjehi.kmnkgeg.kdgkohl

  1. The sample uses a popular root SDK (Root Genius, com.shuame.rootgenius.sdk) to root the user’s phone in order to obtain root privilege. It first checks whether the phone has already been rooted. If not, it collects the phone’s device info (such as the Android version, SDK version, product ID and so on) and uploads that information to the server to find the appropriate root exploit. It then downloads the root exploit to the phone, uncompresses it, and decrypts it for rooting.

    Fig.1. Check if the phone has been rooted

    Fig.2. Collect the phone’s info for downloading the suitable root exploit from the server

  2. The sample uses the “com.android.essdk.eyou.b.b” SDK to deduct a fee from the user’s phone bill by sending SMS messages to premium-rate numbers. It also monitors the user’s SMS inbox and intercepts the reply SMS from the premium-rate numbers that notifies the user that the phone has just ordered a service. The filter keywords used for interception are: 10086/成功订购/和视频/和视界/1065/1066 (some premium-rate numbers start with these digits).

    Fig.3. Intercept the confirmation SMS sent from the premium-rate numbers

    Fig.4. Intercept the confirmation SMS containing some special keywords

  3. The sample uses some tricks to evade static detection, such as assembling a string by joining individual characters at runtime. The malware builds the strings “SMS_RECEIVED” and “WAP_PUSH_RECEIVED” this way to evade static detection by anti-virus vendors.

    Fig.5. Putting together the sensitive string by joining the characters dynamically

  4. The sample uses a filter to pick out SMS messages that contain certain keywords. These keywords are stored in a local database located at /data/data/fbkgofn.jpcebbe.mcdfpda.decjehi.kmnkgeg.kdgkohl/databases/zhifu; the database’s name is zhifu and the table’s name is block.

    Fig.6. The database that stores the SMS filter keywords and the ad display setting

The database’s structure is as follows:

Fig.7. The table information of the SMS filter

Fig.8. All the keys of the SMS filter table

21 Percent of Trustlook Users Are Victims of Identity Theft

Identity Theft continues to be a hot topic on consumers’ minds, according to a recent study from Trustlook Mobile Security, an innovator in next-generation mobile security solutions. The study, based on 438 responses to a survey sent to Trustlook’s user base in March 2016, revealed that a whopping 21 percent of the company’s user base has been victimized by identity theft.

Trustlook’s free identity check feature, named ID Check, was built in response to the increasing number of data breaches across the corporate world. These data breaches typically lead to full-fledged identity theft. According to the Privacy Rights Clearinghouse, over 900 individual data breaches by US companies and government agencies have occurred since January 2005, which together have involved over 200 million total records containing sensitive personal information.

With ID Check, Trustlook users know whether they have been a victim of any past data breaches, and are alerted if they are involved in future breaches. The feature is easily accessible from within the Trustlook Mobile Security application. Once one runs the ID Check feature, our secure servers constantly monitor the data breaches happening here at home and all over the globe to keep any vulnerabilities at bay. By referencing both international and local threats, Trustlook offers industry leading coverage with detection in mere minutes.

Trustlook’s ID Check feature comes at a perfect time and fills a growing need in the market. According to its study, 73 percent of users have never used a tool to monitor their identity, and 49 percent are not even aware that such identity-monitoring tools exist. With more retail and consumer-based companies becoming victims of hackers and phishing software, using Trustlook’s app as the frontrunner in mobile security could save a lot of heartache and headaches.

Download the Trustlook Mobile Security app.

Trustlook Launches SkyEye Malware Lookup Portal

Are you looking for information on the latest malicious mobile apps? If so, you are now in luck. Trustlook Mobile Security has just released a new tool that contains information on millions of apps. The tool provides an app summary, as well as a summary of the app’s behavior, from critical to normal. You also have the option to see a Full Report on each mobile app. Check out the SkyEye tool here.

Trustlook Antivirus & Mobile Security Android Video

Here is the newest video from the Trustlook Team, featuring all of our advanced security features and showing how the app protects your device from malware, cyber attacks, phishing, viruses, ID theft, and hacking. Trustlook is the security app made for the modern day world.

Please check it out and download in the Google Play store today! Let friends and family know how much you enjoy the Trustlook app on social media and follow us on Facebook and Twitter!

Trustlook Protects 400M AirDroid and Solo Launcher Users

Trustlook has announced partnerships with leading mobile apps AirDroid and Solo Launcher. The Trustlook Mobile Security engine will be embedded within both apps, giving users the opportunity to benefit from Trustlook’s easy-to-use protection from malware and privacy threats.

AirDroid is one of the top apps in the Tools category. The app enables users to access and manage their Android phone or tablet from a computer or on the Web, wirelessly and for free. It lets users transfer files, sideload apps, and even send text messages without picking up their phone.

Solo Launcher is one of the top apps in the Personalization category. The app enables users to customize the interface on a device. It can also improve device performance by restoring memory, boosting speed and clearing storage. Its in-app-search and recommendation features are well recognized by users.

The demand for mobile threat protection has never been stronger. In the third quarter alone, 574,706 different malware strains were found, which is a 50 percent increase compared to the same period last year, according to global security firm G Data. The numbers are expected to grow significantly in 2016.

The partnerships with these leading apps emphasize Trustlook’s intention of making its award-winning security solutions available to Enterprises. Trustlook will announce OEM offerings and additional partnerships with top applications throughout 2016.

Download the Trustlook Mobile Security app.

A Collection of Ads Behind Your Favorite Game App With More Than 6 Million Downloads

– By Trustlook Research Team

A popular Chinese game with more than 6 million downloads secretly promotes other apps using a well-protected and widely used advertisement library.

Package name: com.xyz.ddz

Chinese App name: 欢乐逗地主

Download count: 6,000,000+

Trustlook has discovered a serious adware intrusion within one of the most popular game apps in China. Immediately after installation, the app behaves normally: a user can play the game without restrictions or advertisements. After approximately 4 hours, various types of large pop-up advertisements (i.e. adware) are displayed, even when the app is not in use.

The app is able to display this adware by importing two ad libraries. These libraries are implemented using native methods, including communicating with the Host App when prompted by the ad. These two ad libraries are widely used, but many anti-virus vendors are not able to detect them. All of the strings in these ad libraries are encrypted, and together these ad libraries adopt at least 8 methods to display ads, including:

  • To display the ad in the middle of the launcher
  • To display the installation notification (which can not be closed) in the middle of the launcher
  • To display the ad in the middle of the browser
  • To display the ad banner at the top of the browser
  • To display the ad banner at the bottom of the browser
  • To display the ad banner at the top of the input method
  • To display a floating ad banner with the Angry Bird icon
  • To create a promoted app icon in the launcher

One of the most popular implementations of this adware is an ad in the middle of the launcher. If you click the ad, then one of the following three APKs will be downloaded:

  • Qihoo mobile assistant APK (when you click the first Ad screen)
  • Qihoo browser APK (when you click the second Ad screen)
  • Jiuyou APK (when you click the third Ad screen)

After you have downloaded the APK file, a pop-up window will notify you to install the downloaded APK file. If you click the Cancel button, the same pop-up window will be displayed again every 30 minutes, or whenever you attempt to unlock your phone, asking if you would like to install the APK. This pop-up has no “close” button or feature. It is a never-ending loop that traps the user.

If you click the “Enter” button (which the app forces, because there is no other option to bypass the action), another window pops up.

When you open a browser, such as Google Chrome, the ads will be displayed at the top, bottom, or middle of the page. A message also shows up in the notification bar of your device.

An ad is also displayed in the notification bar.

Ads displayed inside the browser page (screenshots omitted).

If you click the banner ad that is displayed on the bottom of a browser window, the following window containing three app icons will appear.


In addition to the pop-up ad displaying the three app icons, a floating banner icon, which has the same appearance as the Angry Birds icon, will appear on your home screen.


If you click the Angry Birds icon, a window with a list of apps pops up.


After the app has been installed for 5 hours, it creates a shortcut to the Qihoo mobile assistant on the launcher screen, whether or not you close the ad. Sometimes the ad pops up suddenly and erratically.


Unfortunately, this shortcut is not a real shortcut pointing to an installed Qihoo mobile assistant app. Instead it points to the Qihoo mobile assistant APK file, which is located on the SD card at the path:

/sdcard/Download/oO_zziS7cMk=/uLRFttrgta+JdOk+ycQ/0Mdf4fxaQpU1MNb+F6O3YquZI+c=

The game didn’t install the Qihoo 360 app, but if you click this icon, it will begin to install the Qihoo mobile assistant app.


After further analysis of this app, we discovered that the advertisement function is implemented in this module: com.xyz.ddz.gauxsw.

Most strings are stored encrypted and are decoded at runtime by the function com.xyz.ddz.gauxsw.d.a.a.a():


The routine first base64-decodes the string (the first parameter of this function), then XORs the result with the bytes of the second parameter, the key “7b120431-5374-40d1-84d6-624980271ac8”:


Trustlook created a tool to decrypt these strings.

From the analysis we know that the ads are displayed by the com.yt.uulib and youtou.ad.api SDKs, which are two popular adware libraries.
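
The decryption routine described above, reproduced here as an added example (not Trustlook’s own tool or code from the sample) so an analyst can recover such strings offline; it assumes the XOR applies the key bytes cyclically (repeating-key XOR), which the description leaves implicit, and the encrypted table below is constructed, not recovered from the real app.

```python
import base64
from itertools import cycle

# Key quoted in the analysis as the second parameter of
# com.xyz.ddz.gauxsw.d.a.a.a() (function name as given in the article).
KEY = "7b120431-5374-40d1-84d6-624980271ac8"


def xor_with_key(data: bytes, key: str) -> bytes:
    """XOR each byte of data with the key bytes used cyclically.

    Assumption: the article says the string is XORed "with every byte"
    of the key; repeating-key XOR is the usual reading of that.
    """
    key_bytes = key.encode("ascii")
    return bytes(b ^ k for b, k in zip(data, cycle(key_bytes)))


def decrypt_string(encoded: str, key: str = KEY) -> str:
    """Reverse the routine: base64-decode, then repeating-key XOR."""
    raw = base64.b64decode(encoded)
    return xor_with_key(raw, key).decode("utf-8", errors="replace")


def encrypt_string(plain: str, key: str = KEY) -> str:
    """Inverse of decrypt_string (XOR is symmetric); used only to build
    constructed samples for demonstration."""
    return base64.b64encode(xor_with_key(plain.encode("utf-8"), key)).decode("ascii")


# Constructed sample: a fake encrypted-strings table built with
# encrypt_string(), not ciphertext taken from the real sample.
SAMPLE_TABLE = {
    "sdk_a": encrypt_string("com.yt.uulib"),
    "sdk_b": encrypt_string("youtou.ad.api"),
    "action": encrypt_string("com.uu.action.wakeup"),
}


def decrypt_table(table: dict) -> dict:
    """Decrypt every entry of an encrypted-strings table."""
    return {name: decrypt_string(enc) for name, enc in table.items()}


if __name__ == "__main__":
    for name, value in decrypt_table(SAMPLE_TABLE).items():
        print(f"{name}: {value}")
```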

These two ad libraries are able to display ads in two ways:

  • Floating banner
  • Fixed banner

We found that the app uses a self-protect function to protect itself and to evade anti-virus vendors. It runs 3 processes (one starts first, then forks two more). When you kill any of them, it restarts and runs the 3 processes again:

We also found that this app uses a native library to notify the main app and activate it. The native library file is named daemon_exe, is a .so file, and is placed at:

/data/data/com.xyz.ddz/files/jklm/VTcJhWmfUI6zvrYHQ0kO63_GpIHWtI2t/IL2msjinFbNh3jOA/RwR-jYJzNcY=/vR48I2IAv5GNfwRrMoe0zA==/daemon_exe

The main app checks whether the user’s phone is rooted. If it is, the main app launches daemon_exe as the root user:

After analyzing this native library file, we found that its main function is to communicate with the main app over a local TCP connection (127.0.0.1:5037, i.e. port 0x13AD) and then send a broadcast to wake it up and display the ad.


Once running, the native library executes this command as the root user:

/system/bin/am broadcast -a com.uu.action.wakeup --es start_bc_send_id $ro.build.version.sdk(var)$ --include-stopped-packages --user 0

This command sends a broadcast whose action is com.uu.action.wakeup, carrying the string extra start_bc_send_id set to the phone’s SDK version number (ro.build.version.sdk), with the --include-stopped-packages flag (so the broadcast reaches the app even when it is in the stopped state) and --user 0 targeting the primary user.

From the manifest, we know that this broadcast could be received by com.xyz.ddz.gauxsw.a.e.a:

At the time of this release, the Trustlook Mobile Security and Blue Frog Mobile Security apps already detect the malicious behaviors of the sample studied here.