Trustlook Provides Protection Services to Amber Mobile

San Jose, Calif., Dec. 14, 2018. Trustlook, the global leader in AI-powered cybersecurity, today announced a partnership with Amber Mobile, developer of the global weather forecasting application Amber Weather. Trustlook will provide its portfolio of security products to Amber, allowing Amber to create a safer internet experience for its users.

Trustlook is the global leader in next-generation cybersecurity products focused on advanced zero-day prevention. Over the years, Trustlook has partnered with industry-leading enterprises such as Huawei, Amazon, and Qualcomm. Its AI-based mobile security engine boasts a malware detection rate exceeding 98.0 percent and is disrupting an industry full of traditional cybersecurity vendors.

Amber Mobile is a mobile application developer. Their most popular offering is the Amber Weather application, which provides users with global weather forecasting. Amber Weather is available in over 30 languages and has been downloaded over 10 million times. Additionally, Amber provides its weather forecasting data API to other applications with more than 1 million calls daily.

The founder of Amber Mobile, Rui Song, recognizing the grave cybersecurity threats facing organizations today, said, “User security issues are growing more and more important as we continue to gain corporate and individual customers worldwide. Trustlook’s reliable cybersecurity technology can solve this problem and build a safer internet for Amber Mobile’s users.”

“As malware attacks are ever-growing, we are glad to see that Amber Mobile has paid attention to the current cybersecurity climate, and we believe that our technology is up to the task of defending Amber’s users,” said Trustlook CEO Allan Zhang.

Through the partnership, Amber Mobile will provide a safer internet environment for its users. In turn, by collecting malware-related data from Amber Mobile, Trustlook will be able to further enhance its AI technology.

About Trustlook

Trustlook was founded in 2013 with the goal of providing security solutions that go beyond the existing tools available today by detecting and addressing zero-day vulnerabilities and advanced malware. Their innovative SECUREai engine delivers the performance and scalability needed to provide total threat protection against malware and other forms of attack. Trustlook’s solutions protect mobile devices, network appliances and the IoT. The company is managed by leading security experts from Palo Alto Networks, FireEye, Google and Yahoo.

Trustlook Offers Zero-Day Protection Services to NewBornTown

San Jose, Calif., Dec. 12, 2018. Trustlook, the global leader in AI-powered cybersecurity, today announced a partnership with global AI service provider NewBornTown. Trustlook will provide its portfolio of security products to NewBornTown, allowing NewBornTown to create a safer internet experience for its users.

Trustlook provides cybersecurity support for over 150 million mobile devices worldwide, most of them from ubiquitous brands such as Huawei and Oppo. Having such a widespread presence provides Trustlook a global perspective on the state of mobile security.

NewBornTown is a global AI service provider. In 2013, NewBornTown released the Solo application launcher and was awarded Top Developer and Best App on Google Play. In the past five years, NewBornTown has also released a series of mobile apps built on its SoloAware AI engine. Boasting over 600 million users worldwide, NewBornTown provides apps in categories including entertainment, fitness, beauty, photography, leisure, and gaming.

“NewBornTown’s products cover several categories, but the common mission of those products is to protect users’ internet security,” said Trustlook CEO Allan Zhang. “We are happy that NewBornTown will let Trustlook guard their 600 million users, and Trustlook definitely can cope with the diverse usage scenarios and protection demands with our advanced capabilities in zero-day attack detection and protection.”

Through the partnership, NewBornTown will provide a safer internet environment for its users. In turn, Trustlook will be able to further develop its AI technology using the most up-to-date data, further enhancing its performance.


Do You Know Where the Internet is Most Dangerous?

Trustlook, the global leader in AI-powered cybersecurity, has published an internet security map based on data it collected.

Trustlook provides cybersecurity support for over 150 million mobile devices worldwide, most of them from ubiquitous brands such as Huawei and Oppo. Having such a widespread presence provides Trustlook a global perspective on the state of mobile security.

Based on data collected during September 2018, Trustlook found that China has the largest quantity of mobile malware in the world, and that regions such as Africa and Oceania have the highest mobile infection rates.

China has the largest quantity of mobile malware in the world.

Trustlook collects mobile security data in the course of protecting user devices, scanning phones and IoT devices for malicious applications and files. For data collection, different applications count as different samples, but the same application seen on different devices counts as a single sample; the resulting “malware count” of a region is therefore the number of unique malware samples found there.

According to the data, China’s malware count is the highest, followed by the United States, Canada, Indonesia, and Brazil. In the accompanying table, countries and regions are sorted by their malware counts.

The most obvious caveat is that these regions have higher counts simply because they have more users and more applications. Markets such as China and the United States are much larger than the other sampled regions, which drives more malware diversity and development.

So the raw malware count of a region is less meaningful than it appears at first glance. A deeper analysis of the data was required to see whether the regions with the top malware counts are actually as dangerous as they seem.

Africa and Oceania have the highest malware concentration.

When asking whether a region’s internet is safe, it makes more sense to measure the ratio of unique malware samples to all unique samples collected there than the raw malware count. This ratio quantifies the malware concentration of a region and removes the effect of market size.

According to Trustlook’s analyses, the malware to sample ratio is highest in the Solomon Islands, followed by Palau, Haiti, and Burundi.

Surprisingly, China, which has the highest malware count, isn’t even in the top 30 by this new metric. We can also see from the above table that there are no North American or European countries within the top 30, and only one country from Asia, Afghanistan.
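As an added illustration (not code from the original post or from Trustlook), the following Python computes both metrics discussed above from a constructed set of scan records, applying the sampling rule stated earlier: the same app hash seen on several devices counts as one sample, and the same malware on several devices counts once in the malware count. It goes one step beyond the post by also computing a per-device infection rate (share of devices carrying at least one malicious app), which is a useful cross-check on the concentration ratio. The region names and records are invented.

```python
from collections import defaultdict

# Constructed scan records: (region, device_id, app_hash, is_malware).
# Invented for this example; not Trustlook telemetry.
RECORDS = [
    ("large_market", "dev1", "app-a", False),
    ("large_market", "dev2", "app-a", False),   # same app, second device: one sample
    ("large_market", "dev1", "app-b", False),
    ("large_market", "dev3", "app-c", False),
    ("large_market", "dev4", "app-d", False),
    ("large_market", "dev2", "mal-1", True),
    ("large_market", "dev5", "mal-1", True),    # same malware, second device: counted once
    ("large_market", "dev3", "mal-2", True),
    ("large_market", "dev6", "mal-3", True),
    ("small_market", "dev7", "app-a", False),
    ("small_market", "dev8", "mal-4", True),
    ("small_market", "dev9", "mal-5", True),
    ("mid_market", "dev10", "app-b", False),
    ("mid_market", "dev10", "app-e", False),
    ("mid_market", "dev11", "app-f", False),
    ("mid_market", "dev12", "mal-6", True),
]


def aggregate(records):
    """Per region: unique samples, unique malware, and derived ratios.

    'samples' and 'malware_count' are sets of app hashes, so a given app is
    counted once per region no matter how many devices carry it.
    'infection_rate' is the fraction of distinct devices with >= 1 malware.
    """
    samples = defaultdict(set)
    malware = defaultdict(set)
    devices = defaultdict(set)
    infected = defaultdict(set)
    for region, device, app_hash, is_malware in records:
        samples[region].add(app_hash)
        devices[region].add(device)
        if is_malware:
            malware[region].add(app_hash)
            infected[region].add(device)
    stats = {}
    for region in samples:
        stats[region] = {
            "malware_count": len(malware[region]),
            "samples": len(samples[region]),
            "concentration": len(malware[region]) / len(samples[region]),
            "devices": len(devices[region]),
            "infection_rate": len(infected[region]) / len(devices[region]),
        }
    return stats


def rank(stats, key):
    """Regions sorted from highest to lowest on the chosen metric."""
    return sorted(stats, key=lambda region: stats[region][key], reverse=True)


if __name__ == "__main__":
    stats = aggregate(RECORDS)
    for key in ("malware_count", "concentration", "infection_rate"):
        print(key, [(r, round(stats[r][key], 3)) for r in rank(stats, key)])
```

With these records the region with the most unique malware (large_market, 3 of 7 samples) is not the one with the highest concentration (small_market, 2 of 3 samples), which is the point the post makes about China versus the Solomon Islands. Note that concentration is a ratio of unique apps, so a region with only a handful of samples can rank very high on a single malicious app; report the sample size next to the ratio before drawing conclusions.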

Beijing, Chengdu and Guangzhou cultivate the most malware samples

There are big differences in malware counts between cities in China. Beijing, Chengdu, Guangzhou, and Shanghai lead the pack in the amount of malware found on their citizens’ mobile devices.

Within a single country there are no internal boundaries of the kind that different languages and cultures create between countries, so it is hard to say that these cities are more dangerous than others. The higher counts may instead reflect behaviors common to their residents, a distinct group of users that both people and developers should pay attention to.

Trustlook’s mission is to defend every mobile device and everyone’s cybersecurity.

PolySwarm Marketplace Partners With Trustlook to Offer New Zero-Day Protection Services

San Jose, Calif., Nov. 28, 2018. Trustlook, the global leader in AI-powered cybersecurity, today announced a partnership with decentralized threat intelligence marketplace PolySwarm. Trustlook will provide additional security services to PolySwarm’s platform, which will strengthen its ability to detect and prevent zero-day attacks.

PolySwarm is a decentralized security marketplace providing tools and services that experts use to tailor-make anti-malware engines. PolySwarm incentivizes a global community of information security experts to disrupt the $8.5 billion cyber threat intelligence industry, providing enterprises and consumers with unprecedented speed and accuracy in threat detection.

Trustlook is the global leader in next-generation cybersecurity products focused on advanced zero-day prevention. Over the years, Trustlook has partnered with first-tier enterprises such as Huawei, Amazon, and Qualcomm. Its AI-based mobile security engine boasts a malware detection rate of over 98.0 percent.

“As malware attacks are ever-growing, PolySwarm’s decentralized platform demonstrates a new way to protect the internet,” CEO of Trustlook Allan Zhang said, “Trustlook is happy to support PolySwarm’s growth with our advanced capabilities in zero-day attack detection and protection.”

By joining the PolySwarm platform, Trustlook will be able to train its AI models on the most up-to-date attack behavior, further enhancing their performance. In turn, PolySwarm gains the capabilities and expertise of a reputable, battle-proven vendor.

“We are very excited to have Trustlook join the growing network of PolySwarm’s micro-engines,” said Steve Bassi, PolySwarm CEO. “With a continuous stream of high-powered security engines joining the PolySwarm network, our ability to combat threats and ensure enterprises are properly fortified against evolving malware keeps getting stronger.”


About PolySwarm
PolySwarm is the first decentralized marketplace allowing security experts to build anti-malware engines that compete to protect consumers, providing enterprises and consumers with unprecedented speed and accuracy in threat detection. The PolySwarm market runs on Nectar (NCT), an ERC20-compatible utility token. For more information, please visit PolySwarm.io.


Trustlook Announces New Security Solution For Zero-Day Attacks

San Jose, Calif., Nov. 12, 2018, Trustlook, the global leader of AI-powered cybersecurity, today announced the release of Revere, a new kernel-level security solution which provides efficient and reliable security protection for Internet of Things (IoT) devices.

Today’s IoT devices, such as smart door locks, webcams, smart speakers, drones, and cars, run on Linux or Android and are vulnerable to zero-day attacks that give attackers easy access to users’ private data and can put their physical safety at risk.

Current evidence shows that the number of attacks on IoT devices is growing rapidly. According to the Kaspersky Lab IoT report, the number of malware detections for IoT devices in the first half of 2018 was more than triple the amount of IoT malware seen in all of 2017, and 2017 in turn saw ten times more than 2016. A recent F5 Networks report suggests that IoT devices have become the number one attack target on the Internet, surpassing the combined attacks on web and application servers, email servers, and databases.

The most reliable security solutions are built into the operating system. “Trustlook has discovered in practice that putting the security module in the kernel is faster and more responsive than not using the kernel. It is difficult to hide things from the kernel,” said Trustlook CEO Allan Zhang.

The new Revere solution protects the system from its foundational layer: when a program makes a system call into the kernel, the Revere module collects behavior data for that program. From this data, a built-in AI model, trained on a large body of samples, predicts various types of abnormal behavior, such as privilege escalation, malware downloads, DoS/DDoS network attacks, brute-force password cracking, system file tampering, and theft of private data, and so prevents a range of zero-day attacks.

Key benefits of the new Revere solution include:

  • Secure and fast: Revere is more secure and responds faster than a traditional security engine, which matters for time-sensitive applications such as smart speakers that hold sensitive data or cars where personal safety is at stake.
  • Compatible: Revere applies to most Linux-based IoT devices because its security checks run in the kernel.
  • Intelligent: Trustlook Security Lab collects all types of IoT attack behavior data to train the AI models, which are upgraded remotely to maintain predictive protection against the latest attacks. Revere’s zero-day attack detection and prevention is beyond the capability of most traditional signature-based security engines.
  • Efficient: Revere’s on-device detection model consumes relatively few resources and delivers stable performance. For example, on an IP camera running embedded Linux, Revere consumes less than 1% of CPU capacity in standby mode, less than 3% during most active operations, and at most 5 MB of memory.

Trustlook currently provides Revere as an SDK and is developing a cloud service platform that will let vendors monitor system security in real time. In the future, Trustlook will provide customers with a full-stack IoT security solution from device to cloud.

About Trustlook:

Trustlook is the global leader in next-generation cybersecurity products based on artificial intelligence. The company’s innovative SECUREai engine delivers the performance and scalability needed to provide total threat protection against malware and other forms of attack. Trustlook’s solutions protect mobile devices, network appliances, and IoT. For many years, Trustlook has served Huawei, Amazon, Qualcomm and other leading hardware and software vendors.

Find out more at: trustlook.com

Black Hat 2018 is a Wrap!

Black Hat Las Vegas seems to get bigger and better every year. This year was no different. Trustlook was thrilled to be a part of the show, and would like to say thanks to all those who stopped by our booth at Innovation City. There were some great conversations and a lot of shared learnings on the future of cybersecurity for IoT devices.


Black Hat was also an opportunity for Trustlook to announce our latest product, SECUREai Core Detect. This product allows IT administrators to quickly see what IoT devices are on their network. In addition, sophisticated algorithms continually analyze communication to and from every device, instantly identifying anomalies and suspicious network behavior.

To learn more about SECUREai Core Detect, or to schedule a demo, contact bd@trustlook.com.

Bangle Android App Packer: Unpacking & Analysis

Trustlook Labs has identified a malicious app that most likely relies on social engineering to trick users into installing it. The app (MD5: eb9d394c1277372f01e36168a8587016) is packed with the Bangle packer. Its declared main activity is “com.goplaycn.googleinstall.activity.SplashActivity.” However, that activity is not found anywhere in the decompiled code, a first sign that the real code is loaded at runtime.


A closer look at what is happening in the code
In class SecAppWrapper, a “System.loadLibrary” call loads “secShell.” The native code in that module is responsible for decrypting and loading the app’s primary payload from “assets\secData0.jar,” which, once decrypted, is a zipped DEX file.


Most method names in the “secShell” module are obfuscated, and its strings are stored encrypted and only decrypted at the point of use.


The app detects most hooking and patching frameworks, such as Xposed, a framework for manipulating an Android application’s control flow at runtime.


The app forks a child process that calls “ptrace” to attach to its parent. Because only one tracer can be attached to a process at a time, this blocks any later attempt by a debugger to attach to the parent. The processes also trace one another to make sure the children stay alive; killing the child tracer alone is therefore not enough.


The app also reads values from the /proc filesystem to check the status of its own process.


The JNI_OnLoad function in the “secShell” module contains a switch with several branches. One branch is responsible for anti-debugging; the other (at 0x7543EAE4 in the disassembly) leads to the routine that decrypts the main DEX module.


The decryption routine is the function “p34D946B85C4E13BE6E95110517F61C41.” Once the anti-debugging is bypassed, it decrypts the payload in memory: on return, register R0 holds the address of the decrypted data, recognizable by the ZIP local file header bytes “PK\x03\x04,” and R1 holds its size.


We can dump that memory region (R1 bytes starting at the address in R0) to a file. After unzipping it, we get the DEX file, which can be viewed normally in a decompiler.
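The last two steps, locating the decrypted archive in a memory dump and pulling the DEX out of it, are easy to automate when the dump is larger than the payload (for example a whole heap region rather than exactly R1 bytes). The following Python is an added example, not Trustlook’s tooling: it carves the ZIP by finding the first local file header (“PK\x03\x04”) and the last end-of-central-directory record (“PK\x05\x06”), then returns every member whose first eight bytes are a DEX magic. The sample dump is constructed inline from a fake DEX body (only the header magic is realistic), surrounded by junk to stand in for neighbouring heap data.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # local file header: start of the archive
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record: end of the archive
DEX_VERSIONS = (b"035", b"037", b"038", b"039")  # versions defined by the DEX format


def carve_zip(dump: bytes) -> bytes:
    """Return the ZIP archive embedded in a memory dump.

    Takes the first local file header as the start and the last EOCD record
    as the end. The EOCD is 22 bytes plus an optional comment whose length
    is the little-endian u16 at offset 20 of the record.
    """
    start = dump.find(ZIP_LOCAL_HEADER)
    if start < 0:
        raise ValueError("no ZIP local file header in dump")
    eocd = dump.rfind(ZIP_EOCD, start)
    if eocd < 0 or eocd + 22 > len(dump):
        raise ValueError("no end-of-central-directory record in dump")
    comment_len = struct.unpack_from("<H", dump, eocd + 20)[0]
    return dump[start:eocd + 22 + comment_len]


def is_dex(data: bytes) -> bool:
    """Check the 8-byte DEX magic: 'dex\\n' + three-digit version + NUL."""
    return (len(data) >= 8 and data[:4] == b"dex\n"
            and data[4:7] in DEX_VERSIONS and data[7] == 0)


def extract_dex_files(archive: bytes) -> dict:
    """Return {member_name: bytes} for every archive member carrying a DEX magic."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if is_dex(data):
                found[info.filename] = data
    return found


def carve_and_extract(dump: bytes) -> dict:
    """Convenience wrapper: carve the archive, then pull the DEX members out."""
    return extract_dex_files(carve_zip(dump))


def build_sample_dump() -> bytes:
    """Constructed memory dump: junk, a ZIP holding a fake DEX, more junk.

    The DEX body is not a real classes.dex; only the magic is meaningful.
    """
    fake_dex = b"dex\n035\x00" + b"\x00" * 24 + b"\x70\x00\x00\x00" + b"A" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", fake_dex)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return b"\x00" * 48 + b"secShell heap junk " * 3 + buf.getvalue() + b"\xff" * 32


if __name__ == "__main__":
    for name, data in carve_and_extract(build_sample_dump()).items():
        print(name, len(data), "bytes, magic", data[:8])
```

On a real dump, run carve_and_extract over the file read from disk; if the decrypted buffer was copied out with the exact size from R1, the carve step is a no-op and only the DEX check matters. A dump that contains several archives needs the search repeated from the end of each carved blob rather than a single find/rfind pair.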

Summary
Android packers are valuable tools used to protect the intellectual property of legitimate mobile application developers. However, they can be also used for nefarious purposes, and make analyzing malicious apps more difficult. Trustlook Labs continues to work on identifying malicious applications to protect our customers and the mobile ecosystem.