According to Facebook, more than 500 million people log onto their site each day—and more than half of these users are accessing Facebook from their mobile devices. What many social network users don’t realize is that if they are on public WiFi their information could be visible (and accessible) to third-party hackers.
An Android app is currently available for download that enables just about anyone to snoop on traffic on WiFi networks and even hack into social network accounts. CNET asked Lookout’s Kevin Mahaffey to demonstrate how “one-touch hacking” works and talk about the steps users can take to protect their data while accessing sites over WiFi. Kevin explains that the best way to protect your information, and keep prying eyes off your account, is to manually configure your privacy settings. The next time you are on Facebook, you can go to “account settings,” “security” and select “https.” The “s” at the end of “http” stands for security—and it will enable you to use your social network sites and know that your information is safe.
What are some other apps that Paul can’t live without? Seesmic: an app that enables him to manage multiple social networks across multiple devices.
Moral of the Story: Your phone holds so much important information—sometimes it’s even worth swimming in some trash to get it back.
How Plan B saved the day: One afternoon, Paul’s wife and children set out to go shopping at the mall. A couple of hours later Paul received a panicked call from his wife explaining, “I’ve lost my phone!” In an effort to find her phone she returned to the only store she had visited that day, but unfortunately no one had returned a missing phone to the clerk. The store manager even turned down the music and tried calling the phone—they heard nothing.
“I couldn’t believe the phone was missing. My wife has so much information on her phone—she uses it for everything. We had to try and find it!”
Knowing that most smartphones are GPS enabled, Paul decided to call Verizon and see if they could help him locate the phone. The Verizon representative replied that unfortunately they could not disclose the location of the device—but suggested another solution.
He told Paul that he needed to download Plan B, explaining that it’s his “last resort” to find the missing phone.
Paul listened as the Verizon rep explained how to go to the Android web market and remotely install Plan B onto his wife’s mobile device. Within minutes, Plan B sent a map of the phone’s location to his wife’s Gmail address linked to the Android phone. Paul couldn’t believe it—the map indicated that the phone was still at the mall.
Paul continued to monitor the maps Plan B emailed from home, and at one point he noticed that the phone had moved about 200 yards and now appeared to be outside the mall.
“When I saw the phone move, I grabbed my blackberry and laptop and headed for the mall!” When Paul arrived at the destination on the map, he found himself facing a dumpster!
“I found the phone in the garbage,” Paul explained.
Somehow the phone was thrown away in a trashcan earlier in the day and was carried outside the mall to the dumpster that night. Even though Paul had to dumpster dive to get his wife’s phone back, Paul maintains that it was worth it. After finding the phone “it was perfectly fine…it didn’t have a single scratch on it!”
Do you have a story to share?
Big thanks to Paul for sharing his story with us. Do you have a super story to share about Lookout? Has Lookout helped you find your lost phone, back up your data, or stop your phone from downloading malicious applications? If so, we would love to hear from you. Send your mobile memoir to superusers@lookout[dot]com. If we select your story, you will get featured on our blog. Start sending those stories in!
Plan B is available for Android 2.2 platforms and earlier.
As a Senior Software Engineer who led the development on Safe Browsing, I wanted to share thoughts on our development philosophy and why Safe Browsing was the next feature developed by Lookout.
A few months ago we spent some time thinking about what we could do next to protect users. Recognizing that people now spend as much time on their phones as their PCs surfing the web, emailing, social networking, etc., we knew people would need protection against web-based threats like phishing attempts. Two other web-based threats we feel will become more problematic over time are drive-by downloads and exploits on websites.
We’ve already talked about phishing at length on the blog, but let me explain drive-by downloads. Last August, we wrote about an SMS Trojan, in which an innocent-seeming movie player app infected a phone with malware that caused the phone to send expensive text messages without the user’s knowledge. This type of malware can also infect a phone or compromise user data when the user visits a web page that triggers a download, with or without their consent. For example, earlier this week we identified a malicious website that resembles the Android Market installation screen and tricks people into installing an Android Trojan.
Another growing area of concern is WebKit exploits. WebKit is the underlying rendering engine of most major mobile browsers, including the default Android browser, as well as some desktop browsers. A WebKit bug (vulnerability) could allow someone entry into a phone through the browser and enable them to extract sensitive data from the device. Similar to the malware example, Safe Browsing will detect and block sites that the user is attempting to visit that are capable of damaging or extracting data from users’ phones by exploiting WebKit vulnerabilities.
At Lookout, one of our primary goals is to create a security tool that people don’t just tolerate, but one that they actually love to use. With that goal in mind, we designed Safe Browsing to “just work.” We took extra steps to make sure it would have minimal impact on the way a user currently uses their phone and, importantly, wouldn’t slow our users down. In terms of impact, it won’t affect the battery life on your phone or slow down the time it takes a page to load. If you had two phones next to each other, one running Safe Browsing and the other not, you couldn’t tell the difference. That said, we did want to subtly remind you that we’re working in the background on your behalf. That’s why when you open up the Android browser, you’ll see a “toast” that says “Safe Browsing Active” to remind you that we’ve got your back!
If you click on a link that leads to a suspected malicious site, we warn you and recommend that you not visit the page. As we said earlier, we don’t want to get in your way. Ultimately, you get to make the choice to proceed to visit the page or avoid it.
With the proliferation of mobile devices and the growing variety of uses for them, it’s simply inevitable that vulnerabilities will increase. Our philosophy, as always, is to stay ahead of the curve and ensure that our users have the best protection possible. For a look at how Safe Browsing works, check out our demo, in which my colleague Jenny Roy walks you through the feature.
Lookout has identified a new Android Trojan, GGTracker, which is automatically downloaded to a user’s phone after visiting a malicious webpage that imitates the Android Market. The Trojan is able to sign-up a victim to a number of premium SMS subscription services without the user’s consent. This can lead to unapproved charges to a victim’s phone bill.
All Lookout Free and Premium users are protected against the GGTracker Trojan. Lookout Safe Browsing (part of Lookout Premium) also detects and blocks access to the URLs involved in serving and operating these malicious applications.
Who is affected?
The Trojan targets users in the United States by interacting with a number of premium SMS subscription services without consent. We believe that Android users are directed to install this Trojan after clicking on a malicious in-app advertisement. If the Trojan is installed, it may subscribe the user to one or several premium rate SMS subscription services. To our knowledge, the malicious application is not found in the Android Market.
How it works
We believe Android users are shown an advertisement that directs them to a malicious website that resembles the Android Market installation screen.
The website entices the user to click through to download and install an application (in one case, a fake battery optimizer packaged as t4t.pwower.management, and in another a porn app packaged as com.space.sexypic). If the user clicks the install button, the malicious app begins to download and a dialog appears directing the user to install it from the download notification.
Once activated, GGTracker registers the victim for premium subscription services that would normally require the user to reply or enter a PIN on a webpage. The Trojan does this by contacting another server in the background. The malicious behavior is driven primarily by the back-end server, with the device used to intercept the crucial confirmation data needed to charge users without their consent. For example, for one of the services a user must typically answer 10 questions, enter the device’s phone number and type a PIN code received via SMS in order to sign up for the premium service. The back-end server component of GGTracker does all of this in the background without the user’s knowledge, and without the victim even being able to see what is happening. Charges may be up to $9.99.
How to Stay Safe
Lookout Free and Premium users are already protected from this Trojan. In addition, with Safe Browsing, a Lookout Premium feature, users will also be warned against visiting the malicious websites. As the frequency of these threats increases, there are a few things you can do to stay safe:
After clicking on an advertisement, pay close attention to the page and URL to make sure it matches the website it claimed to have sent you to.
Only download apps from trusted sources, such as reputable app stores and download sites. Remember to look at the developer name, reviews, and star ratings. If they claim to have sent you to the Android Market, check to make sure you are actually in the Market before downloading anything.
Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS messages, strange charges on your phone bill or unusual network activity.
Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this Trojan. For extra protection, make sure your security app can also protect against malicious websites.
It’s been a momentous month or so in terms of large-scale data breaches that have affected a wide range of companies and their customers’ sensitive data; it’s a wake-up call to see so many happen in such a short time. The motivation behind each hack differs: some hackers do it simply to boost their egos by taking credit for pointing out security vulnerabilities, others to steal information for financial purposes.
But what do these breaches mean for your phone and all the data you keep on it? Sometimes it can lead to phishing, and most of us have heard the word “phishing” before. We’ve even learned how to spot the suspicious-looking emails in our inbox from our desktop computers and know not to click any of the “bad” (i.e., obviously fake) links in the message. Remember these obvious examples: the Nigerian prince who needs a wire transfer for $1,000 but promises to triple your “investment” in a few weeks for your trouble; the not-quite-right bank page asking you for your social security and account numbers. You’d never fall for that, right?
As security technology evolves, however, the bad guys stay in step. We’re starting to see new, more sophisticated phishing attacks—and this time, scammers are no longer targeting just computers; they are targeting mobile devices.
Research has shown that users are three times more likely to click on a suspicious link from their phone as opposed to their PC. What if, for instance, that email asking for help came (or appeared to come) from a personal friend of yours, rather than from an unknown member of the Nigerian royal family? This is an example of “spear phishing,” where the attacks are targeted based on your personal information such as who your contacts are or what bank you use.
Another example is a site that installs malware on your phone without your knowledge. Suppose you receive an email from a friend with a link in it to a “funny video.” You can’t see the majority of the link due to the small form factor of your mobile device, and you have no reason to mistrust your friend, who sends you funny videos all the time. So you click, expecting nothing worse than a bad joke. Instead, however, the site installs malware that can do a lot of damage on your phone.
That’s why we created Safe Browsing as the newest feature in Lookout Premium. As we wrote here yesterday, Safe Browsing enables you to surf the mobile web on your phone more confidently, because we’re doing the work of finding sites that are up to no good.
We can’t guarantee that you’ll never be the victim of a phishing attempt, the same way that we can’t guarantee that you’ll never lose your phone. What we can do is provide peace of mind that if someone’s trying to put one over on you, they’ll have to go through Lookout to do it. And we’re not going to make that easy.
Recently we discovered a new Trojan in the wild, surfacing in alternative Android markets that predominantly target Chinese Android users. This Trojan, which we’ve dubbed jSMSHider due to the name used inside the APK, predominantly affects devices with a custom ROM. Custom ROMs are custom-built versions of Android released by third-party groups; manufacturers and carriers do not traditionally endorse them. (If you do not know what a custom ROM is, and do not think you’ve downloaded one, you are probably not affected.)
Who is Affected
To date, we have identified eight separate instances of jSMSHider, and because distribution is limited to alternative app markets targeting Chinese Android users, the severity of this threat is low. jSMSHider predominantly affects devices where the owner has installed a custom ROM or rooted the phone.
Due to where the malware was found and the limited number of devices the malware could infect, we believe the impact to be limited. All Lookout users are automatically protected from this malware.
How it works
The application follows the common pattern of masquerading as a legitimate application, though a few extra permissions have been added. At first glance it looks like other recent Android Trojans that try to take control of the phone by rooting it (breaking out of the Android security container), but instead jSMSHider exploits a weakness in the way most custom ROMs sign their system images. The issue arises because the publicly available private keys that ship with the Android Open Source Project (AOSP) are often used to sign custom ROM builds. In the Android security model, any application signed with the same platform signer as the system image can request permissions not available to normal applications, including the ability to install or uninstall applications without user intervention.
In the case of jSMSHider, it installs a secondary payload onto the ROM, giving it the ability to communicate with a remote server and receive commands. If the device’s system image is signed with the same platform signer found in the AOSP, the malware can transparently install the second-stage payload without user intervention. If the signers do not match, the application instead requests root permission, which on most custom ROMs prompts the user to grant it.
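To make the platform-signer check concrete, here is an added example (not Lookout’s code and not Android’s implementation) that models the permission decision described above using Ed25519 keys from Go’s standard library. The “shared” key seed is a constructed placeholder standing in for a published AOSP key, and comparing signer public keys stands in for Android’s comparison of signing certificates.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Constructed seeds. The real-world problem is that the private halves of
// the AOSP platform keys are published with the source tree.
var (
	sharedPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize)) // PLACEHOLDER: public AOSP key
	vendorPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize)) // maintainer's own private key
)

// Package stands in for a signed APK or system image. Android compares the
// whole signing certificate; the signer's public key models that here.
type Package struct {
	Content   []byte
	Signature []byte
	SignerPub ed25519.PublicKey
}

// SignPackage signs content with priv and records the matching public key.
func SignPackage(content []byte, priv ed25519.PrivateKey) Package {
	pub := priv.Public().(ed25519.PublicKey)
	return Package{Content: content, Signature: ed25519.Sign(priv, content), SignerPub: pub}
}

// Verify checks that a package's signature is valid for its own signer key.
func Verify(p Package) bool {
	return ed25519.Verify(p.SignerPub, p.Content, p.Signature)
}

// GrantSignaturePermission models a signature-level permission (such as the one
// behind silent installs): granted only when the app is validly signed by the same key as the system image.
func GrantSignaturePermission(system, app Package) bool {
	if !Verify(system) || !Verify(app) {
		return false
	}
	return bytes.Equal(system.SignerPub, app.SignerPub)
}

// PlatformKeyIsPublic is the check a ROM builder should run before release:
// does the image's signer match any key in a list of known public keys?
func PlatformKeyIsPublic(system Package, knownPublic []ed25519.PublicKey) bool {
	for _, k := range knownPublic {
		if bytes.Equal(k, system.SignerPub) {
			return true
		}
	}
	return false
}

// SilentInstallPossible signs a ROM with either the shared or the vendor key,
// then asks whether a payload signed with the shared key (the only key an
// outsider can hold) would be granted the silent-install permission.
func SilentInstallPossible(romUsesSharedKey bool) bool {
	platform := vendorPriv
	if romUsesSharedKey {
		platform = sharedPriv
	}
	system := SignPackage([]byte("constructed ROM build"), platform)
	payload := SignPackage([]byte("constructed second-stage APK"), sharedPriv)
	return GrantSignaturePermission(system, payload)
}

func main() {
	known := []ed25519.PublicKey{sharedPriv.Public().(ed25519.PublicKey)}
	rom := SignPackage([]byte("constructed ROM build"), sharedPriv)
	fmt.Println("platform key is publicly known:", PlatformKeyIsPublic(rom, known))        // true
	fmt.Println("silent install, ROM signed with shared key:", SilentInstallPossible(true))  // true
	fmt.Println("silent install, ROM signed with private key:", SilentInstallPossible(false)) // false
}
```

The fix the text describes for ROM maintainers is the second branch: a system image signed with a key nobody else holds makes the silent path fail, so the payload falls back to the visible root prompt.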
Once jSMSHider has installed the second-stage payload, the capabilities we mapped include:
The ability to read, send and process incoming SMS messages (potentially for mTAN interception or fraudulent premium billing subscriptions)
Installing apps transparently on ROMs with a platform signer from the AOSP
Communication with a remote server using DES encryption and base64 encoding with a custom alphabet
Dynamic C&C server addresses and check-in frequency
Download an application from a URL and perform a silent install or update of the APK
Open a URL silently in the background (using the device’s default User-Agent)
To connect to its command and control server, the malware uses multiple subdomains, including:
In three of the samples found, we saw that if jSMSHider cannot successfully install the secondary payload, it can still send SMS messages and open a URL silently in the background. We will update this post with a link to the full teardown.
How to Stay Safe
Lookout Free and Premium users are automatically protected from this threat and do not need to take further action. If you have installed a custom ROM, you may be at risk from this threat or from future threats that use this vulnerability to gain access to your phone. We recommend that you update your custom ROM if an update is available. We contacted and have worked with the developers of some prominent custom ROMs to help them patch this issue. Again, if you don’t know what a custom ROM is, you probably don’t have one and are safe.
If you have any further concerns, please contact our support team at support@lookout[dot]com.
We’ve been hard at work since launching Lookout Premium. Thanks for all your great feedback! You do a million things on your smartphone. You check email, play games, visit Facebook and Twitter … the list is huge and growing. (What did we ever do without them?) What about online banking, though? Or online shopping? We know that when it comes to activities involving sensitive personal data, people are typically more cautious. In fact, ComScore recently found that while more and more users are adopting mobile banking, the primary reason people don’t access financial accounts on their phone is security risks (33%)! Your smartphone is your lifeline with tons of personal data on it – so it’s no wonder you want to protect it.
That’s exactly what makes our new Safe Browsing feature so essential. With Safe Browsing, you can surf the Internet on your phone safely, because Lookout quickly detects malicious websites that may be phishing for your personal data and account information or attempting to install malware.
You can click with confidence on links from Facebook, email, text messages, etc. and Safe Browsing checks it out first to make sure it is safe and alerts you if the site appears malicious.
Safe Browsing is part of Lookout Premium and works with the built-in Android browser only. If you are a Lookout Premium user, you’ll just need to update the Lookout application on your phone to get the advanced security provided by Safe Browsing. Once you update to the latest version (version 6.0.1), you’ll see Safe Browsing added to your Lookout Dashboard. To enable it, select the menu, navigate to settings, and click Safe Browsing.
If you’re not yet a Premium user, Safe Browsing is the perfect reason to upgrade, and to get you started, we’re making it even easier for you to upgrade by giving you a special promotion code for $5 off of the regular annual price that you can use in the next seven days.
For existing Lookout Free users, just open the Lookout app on your phone or log into your account on the Lookout website and choose “Upgrade,” then enter the promotion code STAYSAFE at checkout. For those of you who like to try before you buy, you can also test Safe Browsing as part of our free trial, which gives you all the benefits of Lookout Premium for 14 days and does not require a credit card in advance.
Are you a Sprint user on Android? If so, we have great news for you. Today, Lookout and Sprint announced a partnership to make it even easier for you to get Lookout on your phone – that is, if you don’t already! Lookout will be readily available in the Sprint Zone on all Sprint Android devices. You can find Sprint Zone as an icon on your device or in the Sprint folder in the Android Market.
Sprint is dedicated to helping its users find best-of-breed apps to enhance their mobile experience, and with Lookout, Sprint is helping keep its customers safe to make sure they can get the most out of their device.
If you’re already a Sprint Lookout user, be sure to check out our other announcement today: we just added Safe Browsing to Lookout Premium so that you can click more confidently while browsing the web on your Sprint device. To celebrate, we’re offering $5 off the annual subscription price of Lookout Premium. Just enter promotion code STAYSAFE at checkout after logging into your Lookout account and clicking upgrade.
* Use promotional code STAYSAFE at checkout to receive $5.00 off the regular annual subscription price of $29.99. Promotion expires at 11:59pm PDT on June 22, 2011, and applies only to an annual subscription of Lookout Premium. Offer limited to new Lookout Premium subscribers.
All the recent data breaches mean that phishing attacks could increase too. In the last 6 months alone there were more than one hundred thousand phishing attacks targeting frequently visited social networking sites like Facebook, banking sites, government agencies and donation websites. Large-scale data breaches at companies ranging from online gaming to hotels and even major financial institutions have led to the anticipation of even more phishing attacks to come. And the newest target is the PC in your pocket – your very own smartphone. Given the small form factor of mobile devices, studies show that users are three times more likely to click on a malicious link from their smartphone than from their PC. We took a closer look at how these phishing attacks take place in the new infographic below.
Alongside the newest feature we are launching today, Safe Browsing, which helps smartphone users stay safe from phishing and malware attacks, we are also offering $5 off for the next 7 days if you use the code “STAYSAFE” when you purchase an annual subscription to Lookout Premium.
We all heard the warnings leading up to May 21st, 2011 (the alleged day the world would end). But on May 22nd life remained unchanged and everyone forgot about doomsday. That is, everyone except for the unfortunate mobile users who had downloaded a Trojan that continued to plague their phones with a “Rapture” theme.
A legitimate application called “Holy ***king Bible” was found to be repackaged with malware and distributed in alternative markets. Once an Android user downloaded what they assumed to be a legitimate application, the Trojan would go to work feeding the infected device’s phone number and operator code back to a host service. The Trojan could then respond to commands from a remote server and set off activities on the device. Users would see a wallpaper caricature of Stephen Colbert load on their phone. Then, in keeping with the Colbert-themed wallpaper, the Trojan accessed all of the contacts on the device and signed each person up for the email mailing list of Colbert’s US-based political action committee, ColbertPAC.
The Trojan was also programmed to send date-specific SMS spam messages to the contacts in their phones. On May 21st these messages read: “cannot talk right now, the world is about to end,” or “just saw the four horsemen of the apocalypse and man did they have the worst case of road rage.”
While this Trojan may seem more ridiculous than malicious, it serves as another reminder of the need for users to protect against the threat of malware. Be sure to take the time to read about the data and personal information an app accesses (location, your personal information or text messages), download apps from sites you trust, and check an app’s rating and reviews to determine whether it is widely used and respected…otherwise, the next time you check your phone you may see wallpaper of Colbert looking back at you!