October 31, 2011

All Treats and No Tricks When You Keep Your Phone Secure

Boo! It’s Halloween and also the end of National Cyber Security Awareness Month.  Our phones are so spookily important to us that 80% of you who responded to our Facebook poll said you’d go without either coffee, TV or chocolate rather than give up your smartphone for a month. To keep our most precious mobile devices safe, we’ve had a full month of spreading awareness of simple steps to secure your phone and the sensitive data you put on it.

 

National Cyber Security Month by the numbers:

Here’s a recap of our tips to secure your smartphone. Don’t be spooked by the bogeymen of stolen data or hacked phones when you take a few simple precautions.

  • Set a passcode for your phone. We love this xkcd comic about setting a strong password.
  • Use discretion when downloading apps, especially when downloading from 3rd party markets. Always check the permissions the app is asking for and the developer’s name, ratings and reviews.
  • Refrain from using unsecured WiFi; it’s like sending your sensitive data over the air in a clear envelope so anyone could see the contents. If you are really dying of boredom at the airport, just window shop: avoid email, online shopping and social networks.
  • Keep your phone’s software up to date. Operating system updates often include patches to known security vulnerabilities.
  • Download a mobile security app like Lookout, available for Android or iPhone.

Just because National Cyber Security Awareness Month is ending doesn’t mean you can revert to bad habits like downloading shady apps or leaving your phone lying around without a passcode. Our smartphones and tablets are mini computers we rely on every day.  Spreading awareness for safe smartphone usage is an ongoing effort that involves everyone. Continue to share our tips with your friends and family, because cyber security awareness doesn’t end today. It lasts all year long!

*Photos courtesy: Gadgetsin.com and Applegazette.com.

Category:   Android  •  Apple  •  iPhone  •  Lookout News  •  Lookout Premium  •  Privacy  •  Security
October 28, 2011

Dispelling the Battery Life Myth

The year was 2003. Our 8th grade valedictorian was deep into her very own “this is our time” graduation speech, but she lost me at “My fellow graduates.” I was too busy fantasizing about the sleek, cutting-edge Motorola cell phone that awaited me after I got my meaningless Middle School diploma. She was really something. Fully stocked with a color screen, alarm clock, and insanely long battery life, my first cell phone will forever hold a special place in my heart.

Fast forward almost ten years later, and kids yet to hit puberty are sporting mobile devices that have revolutionized the way people communicate. Yes, in the year 2011, the smartphone is king. But even kings have their flaws. True, my first cell phone didn’t act as a flashlight or tell me how to tie a tie, but at least it didn’t have inconvenient two-a-day charging sessions. Smartphone battery life, or lack thereof, is a common complaint amongst most users. So how can someone enjoy Google and Apple’s gifts to mankind when they’re plugged into a wall three hours a day? You can’t— at least not fully.

Now, rumor has it that Lookout is a no-no for people who are concerned with battery life. Some claim that because our program runs quietly in the background during routine maintenance, it’s constantly draining energy from your smartphone without you knowing it.  Objection!  While it is true that Lookout performs daily/weekly scans or backups depending on your preference, our studies show that in these cases battery exhaustion is the power equivalent of making a 30-second phone call. Frequent use of the find my phone feature (and I’m talking daily) will have a more noticeable effect because of the GPS connection requirement, but even this takes just three minutes. Not to worry, that’s like listening to one song on Pandora.

For those who may be skeptical of Lookout’s internal battery testing, take a look at this Reddit post. This user was able to keep their HTC Wildfire running for 29 days without a single charge. And what did they have running in the background? Lookout Mobile Security, of course. So rest easy my fellow smartphoners, and consider the Lookout battery exhaustion myth busted!

Category:   Uncategorized
October 27, 2011

Updating Your Phone & Downloading A Security App

Cupcake. Eclair. Gingerbread. Ice Cream Sandwich. All delicious treats in their own right, these sugary desserts have something else in common— they’re Android OS versions. Creativity aside, the importance of updating your smartphone to the latest version often gets overlooked by users who are unaware of the benefits. Whether they are iOS or Android, big or small, updates do much more than speed up your device or tweak your user interface. They often contain critical security patches that make sure your Android or iPhone doesn’t become a hacker’s playground.

Android updates are pushed to people over-the-air. You, the user, will see a notification on the home screen prompting you to accept the update. To check the success of an install or to update your Android manually, follow these 4 simple steps:

1. Push the “Menu” button from the Home screen.
2. Touch the screen or use the navigator wheel to select the “Settings” option.
3. Within the “Settings” menu, select the “About Phone” option that is found towards the bottom of the list.
4. Touch the “System Updates” option. This causes the phone to look for any new Android updates. If an update is available, the phone will download and install it. If your system is up-to-date, then it will tell you that as well.

With the release of iOS 5, Apple has also instituted an over-the-air update process. If a phone is running an older operating system, however, iPhone users need to physically connect their device to their computer and follow these directions:

1. Verify that you are using the latest version of iTunes (before connecting your iOS device).
2. Select your iOS device when it appears in iTunes under Devices.
3. Select the Summary tab.
4. Click “Check for Update.”

Along with checking for software updates, downloading a mobile security app like Lookout is another crucial step in protecting your phone.  Just as you protect your PC, you should protect your phone against malware and spyware. When you download new apps, shop online, browse social networks, or use your phone for banking, security apps like ours will be there to protect you. So do your small part, download a security app and make sure your smartphone is always running on the most up-to-date operating system.
Category:   Android  •  Apple  •  Attacks
October 26, 2011

Got an Android Tablet? Lookout is Here For You!

With more than 63 million estimated to sell in 2011, tablets are unquestionably this year’s must-have device. If you don’t already own a tablet, you’re probably thinking—or dreaming—about buying one. Whether you own one now or are planning to purchase a tablet this holiday, keeping your tablet safe and secure will be top of mind.

Whether it’s WiFi-Only or it Has a Data Plan, We’ve Got You Covered.
At Lookout, we know tablets are the new mobile frontier, so we made our same smartphone security protection and find-my-phone functionality available on any tablet or iPad—including Honeycomb, Ice Cream Sandwich and WiFi-only tablets. So regardless of which kind of tablet or iPad you have, you can keep your device safe.

Already Have Lookout on Your Smartphone? Manage Your Tablet from the Same Lookout Account.
If you’re already using Lookout on your smartphone, you can now easily add a tablet to your account so all of your mobile devices are managed in one place at lookout.com. Also, Lookout automatically updates over-the-air, making it easier for you to keep your most personal devices safe.


So if you’re touting a tablet, secure it with Lookout! The Lookout Mobile Security app is available for download in the App Store or Android Market for free.

Your tablet is just as important as your phone (and likely has a higher price tag), so we wouldn’t recommend skimping on keeping it safe!

Category:   Android  •  Apple  •  Back Up Restore  •  iPhone  •  Lookout News  •  Lookout Premium  •  Lost Phone  •  malware  •  Security
October 21, 2011

Google’s Ice Cream Sandwich Will Help Protect the Gooey Goodness Inside Your Phone

The moment we’ve all been waiting for is almost here. A stunning upgrade to the Android operating system is just a few weeks away.  Ice Cream Sandwich will be shipping on the stylish and blazingly fast Samsung Galaxy Nexus in November. In May, Google announced a commitment with every major carrier and device manufacturer to support upgrading capable devices to the latest version of Android for 18 months after the device ships, so hopefully we’ll all be seeing Ice Cream Sandwich on our own devices soon, too!

Ice Cream Sandwich is a feature-packed release alongside an entire redesign of the Android UI.  Some of the noteworthy improvements include:

Improved multitasking. Ice Cream Sandwich allows you to see all open apps simultaneously and easily close apps you are done with by swiping them off the screen.

Single-motion panoramic photos.  Take a large panoramic photo by simply moving your camera slowly from one side to the other.

Real-time voice dictation.  Watch text appear in any input field as you speak naturally.

These are just some of the many features in Ice Cream Sandwich that I’m excited about.  But we here at Lookout don’t just love our phones; we also love anything that makes our phones safer.  There are a few ways in which Ice Cream Sandwich should help give you more control over your phone and keep your most personal computer and most personal data safe.

Owner info in the lock screen: You can now optionally include a personal message on your lock screen in case you lose your phone and someone else finds it while the screen is locked (you do have a passcode set, right?). This should help increase the chances of recovering a lost device and reduce the time it takes.  If you wish to include contact details in your message, remember not to use your cell phone number (unless it’s a Google Voice number you can check from another source).

Full device encryption: You can encrypt the entirety of your phone and this feature will be available for all your Android devices running Ice Cream Sandwich.  Once your device is encrypted it will be very difficult for anyone to access any of your data without knowing your PIN or passcode.  The setup takes about an hour to do and is not reversible without factory resetting your phone.  Also you should be aware that if you forget your passcode there is no “Lost Password” button and all your data will be lost permanently (you can still factory reset your device though).

Enhanced Control/Management of Apps

Prior to Ice Cream Sandwich, if an app was preloaded on a mobile device, users were unable to remove these applications.  Now, users will have two options at their disposal:

Disable preloaded apps: While you can’t uninstall preloaded applications since they are on the system partition of the device, you can now disable them.  A disabled app cannot launch, access any information or even display an icon in your App Tray.  It’s inoperable unless you re-enable it.

Disable background data for specific apps: If background data is disabled for an application, it can now only access the network if it’s currently running in the foreground.  While this feature seems to be intended to prevent a data-hogging app from using all your bandwidth if you’re not lucky enough to be on an unlimited data plan, it can also be used to protect your private information.  For example, Google Maps needs access to your location while you are engaging with the app.  But if you’d prefer it not collect and send information about you while you aren’t interacting with it, you can disable background data for the specific app.  A word of warning though: just because an application can’t use your mobile data network in the background doesn’t mean it can’t send data over WiFi.

My face is my passport, verify me:
Step aside standard number and swipe unlock codes: Ice Cream Sandwich will allow users to unlock their phones using facial recognition.  Users will simply point the phone’s camera at their face to unlock their device.  If it doesn’t recognize you (because you are in the dark, shaved your beard, got plastic surgery or are wearing too much makeup) then it will ask for an unlock code.  (Note: there has been some speculation that you will be able to bypass this lock by pointing the camera at a good picture of the person in question: Tim Bray, a Developer Advocate for Android, insists via Twitter that you can’t unlock it with a photograph).

I’ll reserve my judgment on this feature until I get a chance to play with it, as it is not included in the emulators that shipped with the Android 4.0 SDK as far as I can tell.

Overall, I think including your contact details on your lock screen, being able to encrypt your whole device and the enhanced control over applications included in Ice Cream Sandwich’s new security features look to offer enhanced protection for the Android platform.  As an Android user, I can’t wait for Ice Cream Sandwich to start rolling onto my favorite Android devices.  As a developer I can’t wait to get started playing around with the new APIs to deliver great new features to Lookout Mobile Security!

Category:   Android  •  Lookout News  •  Privacy  •  Security
October 20, 2011

Security Alert: Legacy Makes Another Appearance, Meet Legacy Native (LeNa)

The Threat

Recently, Lookout identified a new Android Trojan, LeNa, which is an evolution of the Legacy variant discovered earlier this year (also known as DroidKungFu). Previous Legacy variants were spotted only in alternative app markets and forums in China, collecting various details about users’ Android devices.  More recently, we discovered a variant of Legacy, which we are calling LegacyNative (LeNa), that was predominantly found in alternative Chinese markets, but a couple of instances were also found on the Android Market. LeNa has capabilities similar to those of its predecessors, but it uses new techniques to gain a foothold on mobile devices.

All Lookout users are already protected against LeNa.  We let Google know about the variants and all LeNa infected apps were promptly removed from the Android Market.

How it Works

Unlike its predecessors, LeNa does not come with an exploit to root the device; instead, it requests privileged access on a pre-rooted device.  On un-rooted devices, it offers “helpful” instructions on how to root the phone.  In some samples, LeNa is re-packaged into apps (a VPN management tool, for instance) that could conceivably require root privileges to function properly.  Other samples attempt to convince the user that root access is required to update. Once the user grants LeNa root privileges, it starts its infection process in the background, while performing the advertised application tasks in the foreground.

Once on a user’s device, the Trojan takes a different tactic than previously seen to infect and launch the malware. LeNa hides itself inside an application that is native to the device (an ELF Binary). This is the first time an Android Trojan has relied fully on a native ELF binary as opposed to a typical VM-based Android application. In essence LeNa trojanizes the phone’s system processes, latching itself onto an application that is native to the device and critical to making the phone function properly.

Our analysis shows it having a number of malicious capabilities after requesting root access:

  • Communicating with a command and control (C&C) server
  • Downloading, installing and opening applications
  • Initiating web browser activity
  • Updating installed binaries, and more.

While analyzing and watching LeNa, we’ve seen quite a few things that were pushed by the server. One of the applications being pushed by the C&C server was a DroidDream infected application. This may show a possible correlation between the creators of the DroidDream/DroidDreamLight variants of Android malware and the Legacy variants.

Click here for the complete technical teardown on LeNa.

Who is affected?

Though LeNa has primarily been distributed through third-party markets, a handful of samples were removed from the Android Market.  Among the infected apps are One Key VPN and Easy VPN. In total, LeNa was repackaged in over 40 applications, often utility applications (VPN app, a Reader app, security application, etc.).

How to Stay Safe

  • Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
  • Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
  • Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.
  • Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this Trojan.
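
Because LeNa relies on a native ELF binary rather than VM-based code, one triage step for an unfamiliar APK is to inventory the native code it carries. The sketch below is an added example, not Lookout's detection logic and not taken from the teardown; it assumes only that an APK is a ZIP archive and that lib/<abi>/lib*.so is the standard place for native libraries, and the sample archive is constructed in memory.

```python
import io
import struct
import zipfile

ELF_MAGIC = b"\x7fELF"
E_TYPES = {1: "relocatable", 2: "executable", 3: "shared object"}
E_MACHINES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def parse_elf_header(data: bytes):
    """Return (bits, e_type, e_machine) for an ELF image, or None if it is not one."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None  # corrupt identification bytes
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are the two 16-bit fields right after the 16-byte ident.
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return (32 if ei_class == 1 else 64,
            E_TYPES.get(e_type, hex(e_type)),
            E_MACHINES.get(e_machine, hex(e_machine)))


def in_standard_lib_dir(name: str) -> bool:
    """True for lib/<abi>/lib*.so, the standard location for an app's native libraries."""
    parts = name.split("/")
    return (len(parts) == 3 and parts[0] == "lib"
            and parts[2].startswith("lib") and parts[2].endswith(".so"))


def find_native_code(apk_bytes: bytes):
    """List every archive member that starts with a valid ELF header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            with apk.open(info) as fh:
                header = parse_elf_header(fh.read(20))
            if header is None:
                continue
            bits, e_type, machine = header
            findings.append({
                "path": info.filename,
                "bits": bits,
                "type": e_type,
                "machine": machine,
                # Native code outside lib/<abi>/ deserves a closer look.
                "expected_location": in_standard_lib_dir(info.filename),
            })
    return findings


def _fake_elf(e_type: int, e_machine: int) -> bytes:
    """Constructed 20-byte ELF32 little-endian header, enough for the parser above."""
    ident = ELF_MAGIC + bytes([1, 1, 1]) + b"\x00" * 9
    return ident + struct.pack("<HH", e_type, e_machine)


def build_sample_apk() -> bytes:
    """Constructed archive standing in for an APK; all names are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("lib/armeabi/libexample.so", _fake_elf(3, 40))
        z.writestr("assets/data.bin", _fake_elf(2, 40))
        z.writestr("res/raw/readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for item in find_native_code(build_sample_apk()):
        flag = "ok    " if item["expected_location"] else "REVIEW"
        print(flag, item["path"], item["bits"], item["type"], item["machine"])
```

A hit outside lib/<abi>/ is not proof of malice, only a reason to look at what the app does with that file.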
Category:   Android  •  malware
October 19, 2011

Making a Connection: Using Public WiFi

As part of National Cyber Security Awareness Month, we have been reminding our users to treat their smartphones and tablets as mini-computers.   Just like your computer, your smartphone has access to WiFi networks.  A quick Google search for “public WiFi” will give you plenty of articles with tips on how to stay safe while on public WiFi on your PC, like this slideshow from PC Mag.  But how do you make sure the data on your phone is protected as well?

Public WiFi networks, the kind you find for free in coffee shops and airports, are usually unsecured; this means that the network does not encrypt the data sent over it.  Sending data unencrypted (e.g. via HTTP rather than HTTPS) is like sending your sensitive data in a clear envelope, rather than an opaque one, so that everyone can see its contents. So while the free Internet connection may seem convenient, if you are connected to an unencrypted network, anyone with the right tools would be able to see where you are surfing, the emails you are sending, and potentially even the passwords that you enter.

The key to securing the activity on your phone from prying eyes is pretty simple: you need to encrypt it. Here are 7 actions you can take to ensure you are surfing the web in the safest way possible:

If possible, connect to an encrypted WiFi network.  In general, a network that requires a password is safer than a network without a password because of the encryption, but anyone with the same password could potentially access your data.  Tip: Many people think that paid WiFi hotspots are more secure than free hotspots.  While this may be somewhat true, just because you are paying for WiFi doesn’t mean it is secure: paid hotspots are almost always unencrypted and just use a captive Web portal to prevent access if you haven’t paid yet.

Let your device forget any public networks to which you have previously connected. To prevent reconnection:

  • On Android: Go to Settings > Wireless & networks > WiFi settings > Click on the open network name and hold down until you see a menu, then click “Forget Network”
  • On iPhone: Go to Settings > WiFi > Click on the blue arrow next to the network name and then select “Forget this Network” at the top of the page

Use encrypted websites
Even if you aren’t able to connect to a secure WiFi network, you can still protect your data by using websites with SSL encryption (note: websites whose URL starts with HTTPS instead of HTTP are encrypted).  You will also see a lock next to the URL that lets you know your data is protected.  Check out this video of Lookout’s CTO, Kevin Mahaffey, giving a demonstration on how to ensure you are using SSL encryption whenever possible.

Use your data connection
When you are away from your home or work network, you can’t go wrong with using your 3G or 4G cell data connection instead. Even though it is a little slower and it uses your battery more than sending data over WiFi, it is a secure connection.  Most cell service providers encrypt the traffic between cell towers and your device, so you can send emails and check your bank account balance with the peace of mind that your data is secure.

Download a security app that notifies you as soon as you connect to an unsecured WiFi hotspot.  iPhone users can download Lookout to alert them if they connect to an unsecured WiFi hotspot that could expose their personal data and passwords.

Only window shop
If you can’t take any of the actions above to protect your data, you can still surf the web, but we recommend that you wait until you are on a secure connection to transmit sensitive data.  Just imagine that a stranger is looking over your shoulder the whole time and can see everything that you do on your phone – and don’t do anything that you wouldn’t want them to see!

Consider using VPN if your device supports it
For those of you that may be a bit more tech-savvy, the most secure way you can connect to WiFi on your phone is through a VPN, because all of your data is sent through an encrypted tunnel.  Both Android and iOS include VPN support, and this article from eSecurityPlanet gives you some quick options for how to set it up.

The great thing about the Internet is the ability to be connected and online 24/7.  There is an unlimited amount of information at our fingertips and we can easily communicate with anyone at the click of a button.  But with this connectivity comes security risk when it comes to your personal information.  We just want to make sure that you are aware of the security risks so you can keep your data and your phone protected.

Category:   Android  •  Apple  •  Lookout News  •  Privacy  •  Security
October 18, 2011

Protect your iPhone! Lookout for iPhone Available Free from the App Store

You go everywhere and do everything with your iPhone – it’s your social calendar, your address book, your photo bragbook, your checkbook, and your touchstone to the outside world. As much as we love and rely on our iPhones we want to keep them safe, and keeping your iPhone safe should be simple. That’s why we built Lookout for iPhone as a single, easy to use app that keeps your iPhone safe and secure. Now you can download it for free from the Apple App Store.

When developing Lookout for iPhone, we focused on the issues most important to iPhone users. In a recent survey by Javelin Research, we found that 93% of iPhone users have concerns about the security of data stored on their phones. In addition, four out of every ten users are unsure about the security of public WiFi and more than a third of users do not regularly sync their iPhone. So we made sure that Lookout can quickly find your phone if it’s lost or stolen, back up your precious data without syncing, and help you avoid connecting to unsecured WiFi or other actions that might expose the personal information on your iPhone. We can also restore your data to a different smartphone or even an iPad or tablet.

Lookout unites complete security and privacy protection in a simple yet powerful app. Whether you’re concerned about a network connection, wondering about the security of the software on your phone, or have suddenly lost track of your iPhone, Lookout has you covered. You can always rely on Lookout to protect your phone and your personal information. Lookout for iPhone includes:

Missing Device. Lookout can quickly find your lost or stolen phone on a map and sound a loud alarm to find it nearby – even if it’s set on silent and stuck in the couch cushions!

Security. Never before could you keep your iPhone  safe and secure with a single app. Lookout walks you through a few simple steps to protect your privacy and secure your iPhone.

  • System Advisor notifies you of iPhone settings or software that could put your privacy at risk. Lookout tells you if your iPhone software is out-of-date, which could mean you are missing recent fixes to security vulnerabilities. It also lets you know if your iPhone is “Jailbroken” which could leave you more susceptible to security threats.
  • Location Services enable you to take control of your privacy by showing you which apps can access your location, helping you make more informed decisions about the apps you download and keep.
  • WiFi Security warns you if you connect to an unsecured WiFi network to ensure that you don’t expose sensitive personal data like passwords or account information.

Backup & Restore. With Lookout, your contacts are automatically backed up no matter where you are. Over-the-air backup means that your contacts are always safe – even when you haven’t had time to sync your iPhone. You can view your data on the secure Lookout website at any time and restore your data to the same iPhone or a new iPhone, other smartphone or iPad.

Management. Lookout for iPhone can help you keep tabs on all of your important mobile devices – from your iPhone or iPad to an Android phone or tablet – all from a single, easy to use dashboard on our secure website.

Stay tuned for more details on all the exciting and useful features in Lookout for iPhone later this week. In the meantime, try out our new app for your iPhone, iPad or iPod Touch and tell us what you think! Lookout Mobile Security is now available for download in the App Store for FREE! Your iPhone is your lifeline, why wouldn’t you protect it?

Category:   Apple  •  iPhone  •  Lookout News  •  Missing Device  •  Privacy
October 17, 2011

Twitter Phishing Scam: “So I guess there’s a bad blog going around about you, seen it?”

There is a new scam being sent around on Twitter, very similar to a phishing scam written about in July by NakedSecurity.  It all starts when you receive a Direct Message from a friend letting you know that a ‘bad blog’ has been published about you, along with a link that urges you to check it out.

If you click on the link, you are taken to a page that looks almost identical to the Twitter homepage.  However, the URL of this webpage is twittler.com instead of twitter.com, a difference that is even harder to spot on a mobile device because the URL is displayed so small.  If you mistake this fake page for the actual login screen and enter your login information, the people behind the phishing scam now have access to your account and can continue sending the scam to all of your Twitter contacts.

Many people are understandably worried after receiving a message that suggests there is a negative blog post written about them, and have fallen victim to this scam.  If you were tricked, don’t worry; you aren’t alone. Here is what to do:

  • Change your Twitter password immediately. If you use that password for other accounts, change them too, and moving forward don’t use the same login for two different accounts.
  • Let all of your followers know about the scam and tell them not to click on any links from you
  • Visit the Twitter Help Center for more tips

Some useful tips to stay safe in the future:

  • Don’t click on a link if something looks fishy. (Tiny URLs are great to use on Twitter but you don’t always know where the link will lead you.  A simple tool like LinkPeelr will help you get to the real destination of the link, and you can decide whether or not that destination is safe.)
  • Use a strong password, and don’t use the same password for multiple websites.
  • Follow Twitter’s @Spam and @Safety accounts for timely information on new scams.
  • Download a security app like Lookout that reviews every link you click to make sure it’s safe.
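
The twittler.com versus twitter.com difference described above is exactly the kind of thing a script can catch before a password is typed. The check below is an added example, not code from Lookout or LinkPeelr; the trusted-domain list, the distance threshold and every URL other than twittler.com are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: the sites whose login pages the user trusts.
TRUSTED_DOMAINS = ("twitter.com",)
MAX_TYPO_DISTANCE = 2  # edits (insert/delete/substitute) still treated as a lookalike


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        curr = [i]
        for j, cb in enumerate(b, start=1):
            curr.append(min(prev[j] + 1,                # delete ca
                            curr[j - 1] + 1,            # insert cb
                            prev[j - 1] + (ca != cb)))  # substitute
        prev = curr
    return prev[-1]


def hostname_of(url: str) -> str:
    """Lower-cased host the browser would contact; any text before '@' is ignored."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels. Simplification: production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify_login_url(url: str) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a link to a login page."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    domain = registrable_domain(host)
    for trusted in TRUSTED_DOMAINS:
        # Trusted name used as the leading labels of somebody else's domain.
        if host.startswith(trusted + "."):
            return "lookalike"
        # One or two typos away from a trusted name, as with twittler.com.
        if edit_distance(domain, trusted) <= MAX_TYPO_DISTANCE:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links; only twittler.com comes from the post.
    samples = (
        "https://twitter.com/login",
        "https://mobile.twitter.com/",
        "http://twittler.com/login",
        "https://twitter.com.example.org/",
        "https://example.org/",
    )
    for url in samples:
        print(f"{classify_login_url(url):9}  {url}")
```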
Category:   Phishing  •  Safe Browsing  •  Twitter
October 13, 2011

Security Alert: Fake Netflix App Aids Phishing

A new Android phishing scheme posing as an unofficial Netflix app has been discovered outside of the official Android Market. The app asks for users’ Netflix usernames and passwords and sends them to a phishing server. The app was not posted to the Android Market, so the risk for most users is quite low.

The Threat

When the app is launched, the user is presented with a login dialog requesting an email address and password.  Instead of submitting those credentials to Netflix, the app collects the credentials and sends them to a remote server. This server now appears to be offline and unavailable. The app then presents an error screen to the user indicating incompatibility with the device.

While it is possible that the developers of this app sought access to Netflix accounts, we find it unlikely that that was the actual goal of the phishing scheme. Given the tendency of people to use the same password across many different accounts, we speculate that the authors sought to gather email addresses along with passwords that could likely be used to gain access into other accounts like email, Facebook, banking accounts and more.

Who Is Affected

The app seems to take advantage of the fact that the official Netflix Android application was not previously available for all Android devices. This app targets users who, due to being on a device that was unsupported by the official app, were looking for an alternative to watch Netflix movies. The official Netflix application has been available for some time, but it was only downloadable via the official Android Market by a restricted group of devices and platform versions, which Netflix said was due to wanting to provide the best possible experience for users.

With rumors circulating that the app actually does work on a broader range of platforms, users have extracted binaries and shared copies of the official application on Internet file sharing sites such as Mediafire.

How to Stay Safe

All Lookout users are already protected against this threat.  If you have not downloaded an unofficial Netflix app outside of the Android Market, you are probably safe. If you believe you may have inadvertently downloaded this phishing app, you should change your Netflix password as well as the password on any other account that shared it.

As always, we urge you to pay close attention to the apps you are downloading. Remember to:

  • Only download applications from trusted sources, such as reputable application markets. Remember to look at the developer name, reviews, and star ratings.
  • Always check the permissions an app requests. Use common sense to ensure that the permissions match the features the app provides.
  • Be aware that unusual behavior on your phone or unexplained charges on your phone bill could be a sign that your phone is infected.
  • Download a mobile security app for your phone that scans every app you download. Lookout users are automatically protected against this phishing app.
  • Don’t share passwords across different logins.  Create different passwords for all your online logins and avoid simplistic passwords, such as the last four digits of your phone number, or public information (birthday).  As a general rule of thumb, if the passcode information may be available on Facebook—don’t use it for your code.
Category:   Uncategorized