December 29, 2010

Security Alert: Geinimi, Sophisticated New Android Trojan Found in Wild


The Threat:
A new Trojan affecting Android devices has recently emerged in China. Dubbed “Geinimi” based on its first known incarnation, this Trojan can compromise a significant amount of personal data on a user’s phone and send it to remote servers. The most sophisticated Android malware we’ve seen to date, Geinimi is also the first Android malware in the wild that displays botnet-like capabilities. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone.

Geinimi is effectively being “grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. The affected applications request extensive permissions over and above the set requested by their legitimate original versions. Though the Trojan’s purpose isn’t entirely clear, it could serve anything from a malicious ad network to an attempt to build an Android botnet.

Lookout has already delivered an update for its Android users to protect them against known instances of the Trojan. If you are already a Lookout user (free or premium), you are protected and no action is needed.

How it Works:
When a host application containing Geinimi is launched on a user’s phone, the Trojan runs in the background and collects significant information that can compromise a user’s privacy. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI). At five minute intervals, Geinimi attempts to connect to a remote server using one of ten embedded domain names. A subset of the domain names includes www.widifu.com, www.udaore.com, www.frijd.com, www.islpast.com and www.piajesj.com. If it connects, Geinimi transmits collected device information to the remote server.

Though we have seen Geinimi communicate with a live server and transmit device data, we have yet to observe a fully operational control server sending commands back to the Trojan. Our analysis of Geinimi’s code is ongoing but we have evidence of the following capabilities:

  • Send location coordinates (fine location)
  • Send device identifiers (IMEI and IMSI)
  • Download and prompt the user to install an app
  • Prompt the user to uninstall an app
  • Enumerate and send a list of installed apps to the server

While Geinimi can remotely initiate an app to be downloaded or uninstalled on a phone, a user still needs to confirm the installation or uninstallation.

Geinimi’s author(s) have raised the sophistication bar significantly over previously observed Android malware by employing techniques to obfuscate its activities: besides running the code through an off-the-shelf bytecode obfuscator, they encrypted significant chunks of the command-and-control data. The techniques were easily identified and did not thwart analysis, but they substantially increased the effort required to analyze the malware. The Lookout Security team is continuing to analyze the capabilities of new and existing Geinimi variants and will provide more information as we uncover it.
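Two of the behaviors described above are directly observable from the network side: lookups of the embedded C2 domains, and the five-minute check-in cadence. The following is an added example, not Lookout’s code or anything taken from the Trojan, that runs both checks over a handful of constructed resolver log lines. The log format (“epoch seconds, client, queried name”), the 30-second tolerance and the three-hit threshold are assumptions chosen for the example; only the five domain names and the 300-second interval come from the advisory.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Flags clients that look up the Geinimi C2 domains named above and checks
// whether those lookups recur on the Trojan's five-minute cadence.
public class GeinimiBeaconDetector {
    // The five C2 domains named in the advisory (the Trojan embeds ten).
    static final Set<String> C2_DOMAINS = new HashSet<String>(Arrays.asList(
            "www.widifu.com", "www.udaore.com", "www.frijd.com",
            "www.islpast.com", "www.piajesj.com"));

    static final long BEACON_INTERVAL_SEC = 300; // five minutes, per the advisory
    static final long TOLERANCE_SEC = 30;        // assumed slack for scheduling jitter
    static final int MIN_PERIODIC_HITS = 3;      // assumed: evenly spaced hits needed before alerting

    // One query record: "<epoch seconds> <client> <queried name>" (a constructed log format).
    static final class Query {
        final long ts;
        final String client;
        final String name;

        Query(long ts, String client, String name) {
            this.ts = ts;
            this.client = client;
            this.name = name;
        }
    }

    // Parses one log line; returns null for lines that do not fit the constructed format.
    static Query parse(String line) {
        String[] f = line.trim().split("\\s+");
        if (f.length != 3) {
            return null;
        }
        try {
            return new Query(Long.parseLong(f[0]), f[1], f[2].toLowerCase());
        } catch (NumberFormatException e) {
            return null;
        }
    }

    // Maps each client that queried a C2 domain to the timestamps of those queries.
    static Map<String, List<Long>> c2Hits(List<String> lines) {
        Map<String, List<Long>> hits = new HashMap<String, List<Long>>();
        for (String line : lines) {
            Query q = parse(line);
            if (q == null || !C2_DOMAINS.contains(q.name)) {
                continue;
            }
            List<Long> ts = hits.get(q.client);
            if (ts == null) {
                ts = new ArrayList<Long>();
                hits.put(q.client, ts);
            }
            ts.add(q.ts);
        }
        return hits;
    }

    // True when at least MIN_PERIODIC_HITS consecutive hits are spaced about BEACON_INTERVAL_SEC apart.
    static boolean looksPeriodic(List<Long> timestamps) {
        List<Long> sorted = new ArrayList<Long>(timestamps);
        Collections.sort(sorted);
        int run = 1;
        for (int i = 1; i < sorted.size(); i++) {
            long gap = sorted.get(i) - sorted.get(i - 1);
            if (Math.abs(gap - BEACON_INTERVAL_SEC) <= TOLERANCE_SEC) {
                run++;
                if (run >= MIN_PERIODIC_HITS) {
                    return true;
                }
            } else {
                run = 1;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample lines, not captured traffic: 10.0.0.5 checks in every ~5 minutes,
        // 10.0.0.9 touches a C2 domain once, 10.0.0.7 is benign.
        List<String> lines = Arrays.asList(
                "1293600000 10.0.0.5 www.widifu.com",
                "1293600010 10.0.0.7 www.google.com",
                "1293600300 10.0.0.5 www.udaore.com",
                "1293600605 10.0.0.5 www.frijd.com",
                "1293600700 10.0.0.9 www.islpast.com",
                "1293600900 10.0.0.5 www.piajesj.com");
        for (Map.Entry<String, List<Long>> e : c2Hits(lines).entrySet()) {
            System.out.printf("%s: %d C2 lookups, periodic=%b%n",
                    e.getKey(), e.getValue().size(), looksPeriodic(e.getValue()));
        }
    }
}
```

A single hit on one of the domains is already worth an alert; the cadence check is there because the Trojan rotates among ten domains, so a phone that resolves one known name every five minutes is likely also resolving the five the advisory does not list. Treat the tolerance as a tunable: a phone that sleeps will stretch the interval well past 30 seconds.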

Who is affected?
Currently we only have evidence that Geinimi is distributed through third-party Chinese app stores. To download an app from a third-party app store, Android users need to enable the installation of apps from “Unknown sources” (often called “sideloading”). Geinimi could be packaged into applications for Android phones in other geographic regions. We have not seen any applications compromised by the Geinimi Trojan in the official Google Android Market.

There are a number of applications—typically games—we have seen repackaged with the Geinimi Trojan and posted in Chinese app stores, including Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010. It is important to remember that even though there are instances of the games repackaged with the Trojan, the original versions available in the official Google Android Market have not been affected. As the Lookout team finds more variants of the Geinimi Trojan grafted onto legitimate applications, we’ll provide timely updates.

As stated above, Lookout has already delivered an update for its Android users to protect them against known instances of the Trojan.

How to Stay Safe:

  • Only download applications from trusted sources, such as reputable application markets. Remember to look at the developer name, reviews, and star ratings.
  • Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
  • Be aware that unusual behavior on your phone could be a sign that your phone is infected. Unusual behaviors include: unknown applications being installed without your knowledge, SMS messages being automatically sent to unknown recipients, or phone calls automatically being placed without you initiating them.
  • Download a mobile security app for your phone that scans every app you download. Lookout users automatically receive protection against this Trojan.

With the discovery of this new malware, it is more important than ever to pay attention to what you’re downloading. Stay alert and ensure that you trust every app you download. Stay tuned for more details on this threat.

Category:   Android  •  Lookout News  •  malware  •  Security
December 22, 2010

We’re Just Getting Started…

2010 has been a tremendous year for Lookout. A few of the more notable accomplishments include winning Best Android App of 2010, being featured on a national TV commercial with Verizon, and being named a PC World Top Tech Product of 2010. We are incredibly proud of what we’ve accomplished, but are most proud of what we’ve been able to do for our users – now more than 4 million strong and growing faster than ever.

With the explosive growth of smartphones and tablets, we continue to aggressively invest in developing the best possible mobile security products for you.  Today I’m excited to announce that Lookout has raised $19.5 million in funding from Index Ventures together with Accel Partners and Khosla Ventures. Index Ventures has deep mobile expertise, a strong international presence and has backed companies such as Skype, MySQL and most recently Flipboard. We are also thrilled to welcome Index partner, Mike Volpi to Lookout’s board of directors.

Our users are what make Lookout great. In 2011, we hope to do even more to protect users and everything they do on their phones. To help us spread the word, we partnered with Adam Lisagor, also known as “Lonely Sandwich” to create a great video to help explain what we do. Check it out below.

On behalf of the entire Lookout team we could not be more thankful for all the success we’ve had this year.

2011 is going to be a big year for Lookout. We’re just getting started.

- John

Category:   Uncategorized
December 15, 2010

Stay Smarter Than Your Smartphone: Ten Tips To Stay Safe

With the holiday season in full swing, more people are using their smartphone for tasks such as last-minute shopping, accessing bank accounts, connecting with friends or making shopping lists. Smartphones are also expected to be one of the top gifts under the tree this season, so millions of new users will be trying out their new phones and looking for tips on getting started and staying safe.

For anyone with a smartphone this season, Lookout Mobile Security, the leading provider of smartphone security, created a quick list of tips to help smartphone owners stay safe this holiday season.

1. Set a password. One of the most common problems smartphone owners face is losing the phone and all the personal data on it. Setting a strong password for your phone and having the screen auto-lock after five minutes (or less) of inactivity is the simplest way to keep your personal information private during this busy season.

2. Download the updates for your phone. Always take the extra time to download software updates. Often, they include patches to security flaws recently found in the software.  Just like a desktop or laptop computer, staying up to date is your first line of defense from hackers and viruses.

3. Treat your phone like your PC. As phones become more powerful and consumers do more with them, they become more attractive targets for malicious attacks. Protect yourself and your private data from malware, spyware and malicious apps by downloading a security app like Lookout Mobile Security.

4. Use discretion when downloading apps. One of the most exciting things to do with a new smartphone is explore all the great applications you can download onto it. As you begin to explore, make sure you download responsibly. Only download apps from sites you trust, check the app’s rating and read the reviews to make sure they’re widely used and respected.

5. Pay attention to the private data accessed by apps. Applications have the capability to access a lot of information about you. When you install an app, take the time to read the data and personal information that it needs to access. Whether it is access to your location, your personal information or text messages, it should make sense that the application needs access to those capabilities.

6. Download a “find your phone” app. No matter how diligent you are about keeping your phone on you at all times, you’re bound to lose it once, or it may even get stolen at some point. Download an app that helps you find your phone in case it is lost or stolen. Make sure you can remotely lock your phone if it is lost or stolen.

7. Exercise caution with links in SMS messages. Smishing, a combination of SMS texting and phishing, is when scammers send you a text that links to a malicious website or asks you to enter sensitive information. Don’t click on links in text messages or emails if you don’t know the sender or they look suspicious. Trust your instincts.

8. On public WiFi, limit email and social networking, and only window shop. Public WiFi networks have become ubiquitous, but unfortunately many of the websites you access over them are not secured. Many websites, email programs, instant messaging programs and social networking sites are not entirely safe to use from a public WiFi network, because anyone on the same network can read traffic that isn’t encrypted. Also, try to limit your online shopping to “window shopping” on a public network.

9. Never enter your credit card information on a site whose address begins with only “http://”. If a website ever asks you to enter your credit card information, look to see whether the web address begins with “https”. A plain http:// page sends everything unencrypted, so a hacker on the same network could easily steal information like usernames, passwords and credit card numbers, which could lead to identity theft.

10. Enable a Wipe feature on your phone. If you find yourself (or your phone) in a difficult situation, and you won’t be able to get your phone back, a Wipe application will clear all the data so your private information won’t fall into the wrong hands.  If you can, try to download an app where you can wipe your SD card too.

Category:   Android  •  Apple  •  Lookout News  •  Lost Phone  •  Missing Device  •  Privacy  •  Viruses
December 9, 2010

Android Touch-Event Hijacking

With the recent release of Android 2.3 (Gingerbread), developers can now protect themselves from a new twist on an old bug: TapJacking. Like ClickJacking on the web, TapJacking occurs when a malicious application displays a fake user interface that seems like it can be interacted with, but actually passes interaction events such as finger taps to a hidden user interface behind it. Using this technique, an attacker could potentially trick a user into making purchases, clicking on ads, installing an application, granting permissions, or even wiping all of the data from their phone.

Earlier this year we contacted the Android Security Team at Google about the issue and they were able to build a fix into Android 2.3 (Gingerbread). In Android, an attacker is able to display the fake user interface by creating a customized transient notification (called a Toast) that obscures the real interface. To allow developers to protect their user interfaces from TapJacking, Android 2.3 added the ability for Views to discard interaction events that arrive while another window is drawn over them. Essentially, this makes a View only usable when it is actually visible, eliminating the possibility of a user accidentally interacting with a hidden View. The new feature for View objects can be used in two ways: by setting the filterTouchesWhenObscured property to true or by overriding the onFilterTouchEventForSecurity method. It’s important to remember that this protection is off by default: developers must explicitly enable it to protect against TapJacking.

How TapJacking works:
On Android, transient notifications are called Toasts and are usually used to pop up a short message on the surface of a window (similar to Growl notifications on OS X). Toast notifications pass touch events through to whatever UI is below, because developers ordinarily don’t want them to interfere with the functionality of an app. Simple Toast notifications don’t pose much of a risk because they only take up a small part of the screen; however, Toasts are also customizable with layouts just like standard Android UI screens (Activities). A malicious developer can customize a Toast to take over the whole screen and look like a standard Activity. With a full-screen Toast in place, an attacker can use a variety of techniques to trick a user into tapping a portion of the screen that corresponds to a button or other view on the hidden Activity below. For example, an attacker can ask a user to push a button on the screen to purportedly start a game, the button being in the same position on the screen as a settings checkbox, so that when the user presses the button, the touch event toggles the hidden checkbox. Of course, there are a variety of other potential attacks.

Because Toasts only have a 3.5 second lifespan, a TapJacker needs to choreograph a delicate dance to make sure a user always sees the fake UI and not the targeted UI. In our research, we found that it is possible to repeatedly launch Toasts, but there was a brief period of time between the end of one Toast and the beginning of another where the target Activity underneath was visible. In order to never display the target UI, we found it possible to display a legitimate Activity with the same layout as the malicious Toasts during the brief period between one Toast ending and the next launching. After the next Toast finishes launching, the Activity that mirrors the Toasts is hidden and the target Activity is at the top of the stack, ready to receive user input even though the user cannot see it. The net effect: a user never sees the target Activity. Using this kind of technique, an attacker could potentially trick the user into installing an application, granting permissions, or perhaps even wiping their phone of all data.

Proof of Concept

Advisory: LOOK-10-007 – TapJacking

How to protect your app:
If you develop apps for Android, you should make sure that you use some form of the TapJacking protection available in the Android SDK for all of your sensitive View elements. Because the protection mechanisms affect individual View elements, you’ll need to explicitly protect each sensitive View element. Usually, you’ll want to either call the setFilterTouchesWhenObscured method or set the android:filterTouchesWhenObscured property in your layout XML to true. For more fine-grained control, you can override the onFilterTouchEventForSecurity method on a View subclass and discard specific MotionEvents to your liking. Remember that these protection mechanisms will also prevent View elements from receiving interaction events when standard Toasts are displayed, so be careful where you use them. Both mechanisms exist only from API level 9 (Android 2.3) onward; on earlier releases the XML attribute is ignored and the method is not available, so users on older phones remain exposed.

Calling setFilterTouchesWhenObscured:
import android.app.Activity;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;

public class MyActivity extends Activity {
    @Override
    protected void onCreate(Bundle bundle) {
        super.onCreate(bundle);
        setContentView(R.layout.main); // layout name assumed; it must contain button_id

        // Drop touches delivered while another window (e.g. a full-screen Toast) covers this button; API 9+.
        final Button myButton = (Button) findViewById(R.id.button_id);
        myButton.setFilterTouchesWhenObscured(true);

        myButton.setOnClickListener(new View.OnClickListener() {
            @Override
            public void onClick(View v) {
                // Perform action on click
            }
        });
    }
}

Setting filterTouchesWhenObscured in a layout:
<Button
    android:layout_height="wrap_content"
    android:layout_width="wrap_content"
    android:text="@string/self_destruct"
    android:onClick="selfDestruct"
    android:filterTouchesWhenObscured="true" />
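The two snippets above cover the property; the override route mentioned earlier is shown here as an added example, written for this page rather than taken from Lookout or the Android project. It uses MotionEvent.FLAG_WINDOW_IS_OBSCURED, the flag the framework sets on touches that arrive while another window covers the view and the same flag the built-in filter consults. The class name, the decision to count and log dropped taps, and the choice to drop every obscured event (rather than only some) are assumptions for the example.

```java
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

// A Button that decides per MotionEvent whether to honour it while another
// window (such as a full-screen Toast) is drawn over it, and records how
// often that happens so the app can treat a burst of obscured taps as a
// TapJacking attempt. Requires API level 9 (Android 2.3).
public class ObscuredAwareButton extends Button {
    private static final String TAG = "ObscuredAwareButton";

    // Number of taps (down or up) discarded because the window was covered.
    private int obscuredTaps = 0;

    public ObscuredAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
    }

    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        boolean obscured =
                (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        if (!obscured) {
            // Nothing is drawn over us: let the framework's own policy decide.
            return super.onFilterTouchEventForSecurity(event);
        }

        int action = event.getAction() & MotionEvent.ACTION_MASK;
        if (action == MotionEvent.ACTION_DOWN || action == MotionEvent.ACTION_UP) {
            // Only count the events that could complete a click; moves are noise.
            obscuredTaps++;
            Log.w(TAG, "dropped obscured tap #" + obscuredTaps
                    + " at (" + event.getX() + "," + event.getY() + ")");
        }
        // Assumed policy: never dispatch an event that arrived while covered.
        return false;
    }

    // Exposed so the hosting Activity can decide, for instance, to refuse a
    // sensitive action after repeated obscured taps.
    public int getObscuredTapCount() {
        return obscuredTaps;
    }
}
```

Declare the class in the layout by its fully qualified name in place of <Button>. Note that this override drops an obscured ACTION_UP even when the matching ACTION_DOWN was delivered uncovered, so a press that a Toast interrupts halfway through will not complete; that is the intended behaviour for a sensitive control, and it is also why, as the post warns, ordinary Toasts near such a control will make it feel unresponsive.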

Thanks to the Android Security Team and everyone else who helped get this vulnerability fixed (you know who you are).

Category:   Uncategorized
December 8, 2010

Hey Lookout Fans, We Need Your Help.

Lookout is nominated for the 2010 Crunchies, which is hosted by three of the biggest tech blogs in the world: TechCrunch, GigaOm and VentureBeat. We need you to help us by nominating Lookout for Best Mobile App and Best Startup or Product of 2010! You can nominate us by clicking on the badges below.

And don’t forget to help us spread the word by sharing your support and becoming a fan on Facebook and Twitter!

Thanks for being a great fan!  The Lookout Team

Category:   Lookout News
December 2, 2010

Lookout Takes a Bite Out of Crime

Lookout is helping fight crime! Recently, a TV news story revealed how Lookout helped local police catch a carjacker within 7 minutes of his holding a gun to the victim. And it doesn’t stop there: late last week, we helped NBC25 Michigan anchor Kim Russell rid her phone of a virus. After her phone started acting up, she ran a virus scan with Lookout, which identified and uninstalled the virus.

Phone app helps police track down robbery suspect

Smartphone Security Smarts: The steps you need to take to protect your privacy & phone

We never cease to be amazed by the stories we hear from our users. Do you have a story of how Lookout helped save the day? If so, share it with us by sending it in to feedback@lookout.com.

Category:   Android  •  Lookout News  •  Lost Phone  •  Missing Device  •  User story