July 28, 2015

What you need to know about the new Android vulnerability, “Stagefright”

What is Stagefright?

Yesterday a security researcher revealed a series of high-severity vulnerabilities related to Stagefright, a native Android media player, that affect nearly all Android devices in the world. The Stagefright vulnerabilities carry serious security implications: an attacker could exploit them to remotely control and steal data from a device by sending a victim a multimedia message (MMS) packaged with an exploit.

Read More

July 10, 2015

Jailbreaking not a requirement for infecting iPhones with Hacking Team spyware

This week, the security world exploded with the news that Hacking Team, a vendor of Italian spyware — software that captures Skype, message, location, social media, audio, visual, and more data, and is marketed as “stealth” and “untraceable” — was hacked.

One of the major takeaways is that a significant number of governments in the world, Hacking Team’s customers, are actively seeking to compromise iOS and Android devices, likely to access the trove of data stored on or accessed by these mobile devices.

When it comes to iOS, public reports to-date have claimed that the Hacking Team spyware can only infect jailbroken iOS devices. In an effort to educate iOS users about the potential risks, we did some additional research and determined this is not the case.

While Apple does an admirable job protecting users from most malicious software, the fact is that non-jailbroken devices can be infected with Hacking Team’s spyware too.

Up until a couple days ago, when Apple rightfully revoked it, Hacking Team possessed an Apple enterprise certificate, which allows apps signed with that certificate to be installed on any iOS device, jailbroken or not. Hacking Team used this certificate to sign an app, that is actually spyware and hidden in the native Newsstand app, so that it could be distributed to any iOS device. This is despite Hacking Team’s own claims, from a likely outdated pricing sheet included in the dump, that target iOS devices need to be jailbroken.

What’s an enterprise certificate?
Apple created enterprise certificates to allow enterprises to develop and distribute custom apps without requiring Apple’s review and App Store distribution. This is a standard practice among enterprises that create and distribute their own apps to employees. Enterprises are supposed to install these apps only on employee devices, but technically an enterprise certificate can be used to install an app on any iOS device. When this enterprise certificate program is abused, it circumvents the excellent job Apple does in vetting apps for security issues and creates an avenue for the distribution of malicious software.

For its part, Apple created security warnings to inform users before they install apps from outside the App Store. The challenge, however, is that recent research states that people are getting increasingly conditioned to ignore these security warnings.

Here’s what the warning looks like when Hacking Team’s fake Newsstand app is installed on a non-jailbroken iPhone:
pasted image 0

Once a user clicks “trust,” the app is fully functional on the non-jailbroken iPhone.

iPhone users can get apps from outside the App Store?
Yes, people can sideload apps onto non-jailbroken phones. Through apps signed by enterprise or developer certificates, iOS users can get apps installed on their devices that circumvent the fundamental security measures Apple has built into the App Store. Indeed, because the App Store is a relatively secure environment, most of the more recent iOS threats that have affected non-jailbroken devices have infected them by abusing the iOS enterprise distribution method. It’s always paramount that people trust the source of their applications — whether it’s an app store, their IT department or another third-party.

How does Hacking Team get its spyware onto non-jailbroken iPhones?
It appears there are three ways Hacking Team could get its spyware onto iOS devices:

  • An OS X app sideloads an iOS app automatically to a device when it’s plugged in via USB. This also appears to be bundled with a jailbreak exploit that may work on older versions of iOS.
  • There is a Windows desktop app that appears to do the same.
  • By clicking on a link to download from a website, email, etc. on the mobile device

With this specific attack, we believe physical access to the device was required, but Hacking Team’s possession of an enterprise certificate means that there’s the potential for other flavors of this attack that could be delivered via a web browser (drive by download), phishing email or other remote means.

Once on the device, the app installs itself as a newspaper in the native Newsstand app with an invisible icon and a blank app name.

Here, the Newsstand looks empty:

Screen Shot 2015-07-10 at 12.03.35 PM

However, one can see the app is really there in the Newsstand and the General Settings pane, shown below:

Screen Shot 2015-07-10 at 12.04.12 PM

Once installed, the app openly asks for permission to access the data it wants. At that point, it starts tracking the user’s location, calendar and contacts.

Screen Shot 2015-07-10 at 12.04.40 PM

The app asks for permission to access all of this information, so it is likely that the attack vector for this app involves installing it secretly on a target’s device and granting it all the permissions.

It also captures what is typed on the keyboard. The PlugIns folder contains a payload program that adds a new keyboard option to the device, as you see below:

Screen Shot 2015-07-10 at 12.05.15 PM

Again, somebody with physical access to the device would need to configure the keyboard to switch to Hacking Team’s keyboard. However, the keyboard itself looks identical to iOS’s built-in keyboard, so the target would not know they were using a keyboard that is secretly sending their keystrokes to a remote server. Here is a screenshot of the malicious keyboard:

Screen Shot 2015-07-10 at 12.05.53 PM

It’s important to note that Apple does have some safeguards built into its third party keyboard support, which does not allow the keyboard to run in a field that is marked as a password field, so this tool won’t be able to steal passwords from properly implemented apps and websites, but it can be used to steal usernames, contents of emails, and other sensitive data.


There are two very significant takeaways for mobile security out of this week’s buzz about the Hacking Team breach:

  1. We now know that attackers around the world have both the intent to compromise iOS and Android devices and access to the technology to do so.
  2. Specific to iOS, devices do not need to be jailbroken to be compromised. The fact that Hacking Team possessed an enterprise certificate gave it the ability to infect any iOS device. This opens up the pool of potential victims way beyond the roughly 8% of people globally who have jailbroken their devices.

So what can you do about it? First off, don’t freak out. Chances are, you do not have Hacking Team’s surveillanceware on your device. To check for this specific instance of Hacking Team’s surveillanceware you can:

  • Check iOS Settings for any apps with an empty name.

Screen Shot 2015-07-10 at 12.06.17 PM

  • Check iOS Settings -> General -> Keyboard -> Keyboards to make sure that only keyboards you have installed are set up on your device.

Screen Shot 2015-07-10 at 12.06.47 PM

And, here are some general tips for staying safe:

  • Keep a passcode on your phone. A lot of spyware sold on the market requires that the attacker have physical access to the target device to install the software. Putting a passcode on your phone makes it that much harder for them.
  • Don’t download apps from third party marketplaces or links online. Spyware is also distributed through these means. Only download from official and vetted marketplaces such as the Apple App Store and Google Play.
  • Don’t jailbreak your device unless you really know what you’re doing. Because jailbroken iOS devices are inherently less protected, they are more vulnerable to attack when security protection measures aren’t properly enabled.
  • Download a security app that can stop attacks before they do harm. Lookout does this, but if you’re not a Lookout user, ask your security provider if they detect Hacking Team and other forms of spyware.
July 1, 2015

Japanese malware abuses service helping the disabled use smartphones; spies on victims and steals LINE data

The accessibility service in Android helps give the disabled and individuals with restricted access to their phones alternative ways to interact with their mobile devices. It also has unintentionally opened the door for Japanese surveillanceware to steal data from LINE, the most popular messaging service in Japan.

After discovering this threat, Lookout notified both LINE and Google. None of LINE’s systems were breached. All Lookout users are protected against this threat.


AndroRATIntern is surveillanceware developed from the AndroRAT malware toolkit. It is commercially sold under the name “AndroidAnalyzer” and is notably the first piece of malware we’ve ever seen abusing the Android accessibility service to steal data.

It targets the Japanese market and can collect a broad amount of data from infected devices, including LINE messages, contact data, call logs, SMS, audio, video, photos, SD card changes, and GPS location. Given the scope of the data collected, the threat to both individuals and enterprises is clear.

AndroRATIntern must be locally installed and  therefore requires a malicious actor to have physical, unmonitored access to the target device, making it a much more targeted threat that cannot be spread by drive-by-download campaigns.

Stealing LINE data

If a person reads a message within an app, the content is protected and generally unavailable to other apps because the app lives in a sandbox. The accessibility service, however, can provide an app with access to other app’s data when accessed by the device user. This enables specific accessibility features such as text-to-speech, which can help visually-impaired users. In the case of  AndroRATIntern, the use of the accessibility service enables the threat to capture LINE messages when they are opened by the victim on an infected device.

Surveillanceware itself as a target

One of the risks associated with surveillanceware like AndroRATInternisn’t just that the person who installed the threat on your device has your data, but that company that offers the surveillanceware may have your data as well and itself become a target of attack.

In May 2015, for example, malicious actors compromised the commercial surveillanceware product mSpy stealing Apple IDs and passwords, tracking data, and more from hundreds of thousands of victims, according to Brian Krebs. A surveillanceware service provider can have a veritable warehouse of valuable data collected from successfully-infected devices  and this warehouse can be an attractive target for attackers.

Data is mobile

Mobile devices clearly house a lot of interesting data on an individual or a company. You can come to know who a person talks to, what they’re talking about, where they go, and what they’re saving to their phone.

AndroRATIntern’s abuse of the accessibility service highlights the importance of not relying solely on OS-based security to protect mobile data as it is, in fact, a malicious use of a legitimate OS service.

As an Android system service, the accessibility service operates outside of the normal app permission model and AndroRATIntern abuses this ability to circumvent app sandboxing measures intended to protect mobile data.

However, following some simple tips can dramatically help keep your data safe:

  • Keep a passcode on your device —  it will be significantly harder for someone to download and install anything to your phone if it’s locked
  • Download security software that can tell you if malicious software is running on your device
June 3, 2015

The mobile threat landscape in the eyes of a CSO

This week, former Cigna CISO Craig Shumard (who is also a consultant for Lookout) published an article in CSO explaining what the mobile threat landscape really looks like in reaction to a number of reports suggesting that mobile malware is no problem.

His biggest takeaway? Where the market for mobile malware is still maturing, the overall mobile device is not a perfectly secure piece of technology to be put in a drawer and worried about later.

We’ve received a number of queries regarding these reports, and we believe Craig’s article is a great explanation of the mobile threat landscape.

Shumard writes, “The [Verizon] report clearly highlights that malware infections are low, but it also shows two issues with direct impact to consumers and enterprises alike: vulnerabilities and data leakage.”

Read the article in full here.

June 2, 2015

CISOs ask and we answer: Why enterprises should care about mobile security

Why should I, as an enterprise, care about mobile security?

It’s a question I’ve heard a lot since Lookout started developing Mobile Threat Protection, our brand new product announced today that will protect large, global enterprises from mobile threats using our predictive technology.

Read More

May 20, 2015

European growth looms large with Gert-Jan Schenk on-board as VP of EMEA

It’s been more than three years now since Lookout opened its doors in Europe. The team counts tremendous success, including building EMEA into the largest market for Lookout outside of North America and developing partnerships with major carriers including Deutsche Telekom, Orange, and EE. Now, it’s time to dig our heels in even more as we welcome Gert-Jan Schenck as VP of EMEA.

Read More

March 24, 2015

Mobile Privacy IQ

Lookout today announced the findings of its Mobile Privacy IQ study, a survey of smartphone owners in the United States, that examines data-based trends about our privacy mindsets and how they inform our perceptions, behaviors, and feelings toward privacy when using mobile devices.

What we found is that despite being increasingly tuned in to the importance of protecting the data on their mobile devices, a clear disconnect exists between people’s understanding of what it means to be privacy conscious and the actions they take in the real world.

Key findings include:

  • People (particularly Millennials) claim to be highly aware of privacy issues yet still take part in risky mobile behavior like downloading apps from unofficial app stores and not reading app permissions.
  • Although people express concern over how mobile apps are handling their information, they are willing to make the trade-off for convenience over privacy.
  • A large percentage of smartphone owners care least about protecting work data on their devices, placing personal data over all other forms.

Interested in learning more? Read the full findings of Lookout’s Mobile Privacy IQ study.

March 20, 2015

The FREAK vuln: What it is and what you can do

What is the FREAK vulnerability?

FREAK is the latest in a line of recently uncovered vulnerabilities affecting the way communications are secured over the Internet. Specifically, it impacts SSL/TLS and stands for “Factoring attack on RSA-EXPORT Keys”. The bug allows an attacker to sit between your HTTPS connection and the vulnerable client or server and force you to use a less secure version of encryption. This downgraded encryption may allow an attacker to obtain your data.

Is Lookout affected?

No, Lookout’s infrastructure is not impacted by the FREAK vulnerability. Users are not at risk through Lookout’s product, however, that does not mean that your device itself is not otherwise vulnerable.

What can I do to protect myself?

Unfortunately, like the Heartbleed and POODLE vulnerabilities, people need to wait for a patch from their carrier or device manufacturer to be released. Apple has released a patch for Safari on iOS and Mac OS. Google has promised a patch, but has not yet released one.

If you’ve received an official manufacturer or carrier update to your operating system, install it!

March 19, 2015

Lookout scores top talent in CMO and VP of Platform Products hires

In the continued quest to build out the best leadership in the industry, Lookout has hired a chief marketing officer, Deb Wolf, and vice president of platform products, Santosh Krishnan.

Deb and Santosh will help Lookout seize the opportunity we have across both consumer and enterprise businesses by accelerating our ability to deliver innovative products and develop successful relationships with our customers. But what was it that brought these accomplished leaders to Lookout? It’s always best to hear directly from the source.

Read More

March 18, 2015

13 more pieces of adware slip into the Google Play store


Unfortunately, even official app stores’ app-vetting systems are not perfect. Lookout has found 13 instances, or apps, with adware in Google Play, some of which pretend to be Facebook and have malware-like characteristics making it difficult to remove from the phone.

We alerted Google to these 13 instances and the company quickly removed them from the store. All Lookout users are protected against this threat.

Read More