January 27, 2012

Lookout’s take on the ‘Apperhand’ SDK (aka ‘Android.Counterclank’)

Today, news came out that claimed a particular family of malware, termed ‘Android.Counterclank’, had infected 5 million users. We disagree with the assessment that this is malware, although we do believe that the Apperhand SDK is an aggressive form of ad network and should be taken seriously.

This isn’t malware.
The average Android user probably doesn’t want applications that contain Apperhand on his or her phone, but we see no evidence of outright malicious behavior. In fact, almost all of the capabilities attributed to these applications are also attributable to a class of more aggressive ad networks – this includes placing search icons onto the mobile desktop and pushing advertisements through the notifications bar.

Malware is defined as software that is designed to engage in malicious behavior on a device. Malware can also be used to steal personal information from a mobile device that could result in identity theft or financial fraud.

Apperhand doesn’t appear to be malicious, and at this point in our investigation, this is an aggressive form of an ad network – not malware.

We’re researching ad networks closely.
We spend a significant amount of time looking not just at mobile apps, but also at SDKs that are commonly integrated into apps. We’ve recently been focusing heavily on the capabilities of various mobile advertising SDKs. We believe that ad networks are important for the overall mobile ecosystem; however, some advertising networks go beyond the commonly accepted behavior of ad networks with more aggressive tactics.

This particular ad network SDK, com.apperhand, bears similarities to one previously distributed in a number of apps in June of 2011 as the “ChoopCheec platform” or “Plankton”.  Early incarnations of this SDK crossed several privacy lines in the data it collected about users, but the current version does appear to have cleaned up its act somewhat. That said, the current SDK has several capabilities that are common to many ad networks:

  1. It is capable of identifying the user uniquely by their IMEI, for instance, but unlike some networks this SDK forward-hashes the IMEI before sending to its server. They’re identifying your device, but they are obfuscating the raw data.
  2. The SDK has the capability to deliver “Push Notification” ads to the user. We’re not huge fans of push notifications, but we also don’t consider push notification advertising to be malware.
  3. The SDK drops a search icon onto the desktop. Again, we consider it bad form, though we don’t consider this a smoking gun for malware provided the content that is delivered is safe.  In this case, it is simply a link to a search engine.
  4. The SDK also has the capability to push bookmarks to the browser.  In our opinion, this crosses a line; although we do not believe this is cause to classify the SDK as malware.

Of the applications that were originally identified as malicious, a subset of them have subsequently been pulled from the Android Market. However, it’s important to note that this does not include all identified applications, and reasons for removal may also include content, copyright, or other violations of the Android Market’s Terms of Service.

We’re continuing our investigation.
At this point, it appears that what we’re seeing is an example of an ad network that pushes the lines of privacy. Over the past few months we have been closely tracking this, and we are seeing a trend of this type of behavior. While this is not malware, we do think that consumers should take it seriously, and we’re actively working on a solution to help users understand whether applications have potentially undesirable behavior such as this while not creating unnecessary worry.

Lookout believes in educating our users about the apps that they’re installing. We’ll have more to share about what we’re working on in this area in the coming weeks – stay tuned.

If you have questions, please comment or write us.


Category:   Android  •  Lookout News  •  Privacy  •  Security  •  Uncategorized
January 26, 2012

Lookout Super User: Natisha

Occupation: Surgical Nurse

Location: New York

Lookout user since: 2010

Favorite Lookout feature: Security Scan

What Natisha uses her phone for? “Everything!”

How Natisha learned about Lookout: “I was browsing for apps and found Lookout. I noticed that the app was highly rated and that the reviews said it was very ‘easy-to-use.’ They were right—I’m sure glad I downloaded Lookout!”

Moral of the story:
“Lookout saved me! Lookout stopped me from downloading a bad application on my phone.”

How Lookout Saved the Day for Natisha:
“My sister and I were installing apps to our phone, and we came across a game app that we both had been interested in downloading. When I went to install the app, I immediately got a notification from Lookout, alerting me that the content I was attempting to download was from a bad source. Without a second thought I refused it. I let my sister know that the app was not safe to download, but she didn’t believe me. If she had downloaded your app, she would have been protected!”

Category:   Lookout News  •  malware  •  User story
January 24, 2012

Introducing Lookout Labs’ Mobile Threat Tracker

Here at Lookout, we like to push the boundaries of mobile. That’s why we started “Lookout Labs,” an initiative that enables our team to quickly create and launch new mobile products. Many of you have already had the chance to find a lost phone with Plan B, or learn a little more about Carrier IQ with our detector app; both were concocted in Lookout Labs. Today, we’re excited to introduce our Mobile Threat Tracker: (available for download on the Android Market). This interactive app allows you to zoom through time and watch as thousands of sparks light up the globe; each spark represents Lookout blocking a threat to protect a real user. With the Lookout Mobile Threat Tracker, you can now see the threats that Lookout identifies and catches every day. This app should answer some of the questions we get all the time: “Are there really mobile threats?” “How many mobile threats are there?” “What are the most common mobile threats?”

In the Mobile Threat Tracker app, tap on the information icon to see the names of the top three trending threats. Tap on a name to learn more about that threat. This week’s top threat, RuPaidMarket, masquerades as a useful app but actually sends premium SMS messages without allowing you to opt out, or letting you know that you will be charged.

Behind the Mobile Threat Tracker

As an engineering intern at Lookout, I love reading the stories that Lookout users submit to our company. It’s pretty cool to hear how Lookout has saved the day for our users by finding their lost or stolen phone, backing up their precious data, or blocking them from downloading a malicious app. I thought it would be interesting to build an application showing the many threats that Lookout detects across the world, telling the story of these individual users at a macro level. This was the idea behind the Mobile Threat Tracker. The Mobile Threat Tracker shows a globe against a starry backdrop where each flying spark is a mobile threat we’ve detected and blocked. With a swipe of your finger, you can travel through time to see mobile threat activity, and learn more about the top threats Lookout protected against for the current week. This data is updated hourly so you can see mobile threats appear and disappear over time.

We hope you enjoy using the Mobile Threat Tracker to see the mobile threats Lookout protects against across the globe. Download the app from the Android Market today: Mobile Threat Tracker. We’d love to know your thoughts, too: feedback@lookout[dot]com. Be sure to stay tuned for more innovative projects from Lookout Labs!

Category:   Android  •  Lookout Labs  •  Lookout News  •  malware
January 18, 2012

Put It On My Tab: Lookout Offers In-App Billing For T-Mobile Customers

Good news T-Mobile customers! Now, rather than manually entering in credit card numbers to purchase Lookout Premium, T-Mobile customers* can simply charge Lookout Premium directly to their T-Mobile phone bill. We’re excited to offer this new service as a secure and convenient way for T-Mobile customers to pay for Lookout Premium.

In addition to all of Lookout’s free features, Premium offers comprehensive protection with:

  • Safe Browsing to scan every site you visit and every link you click in real-time, protecting you against the latest online threats.
  • Remote Lock and Wipe to secure and erase the data on your phone if it is lost or stolen.
  • Privacy Advisor to help you make smart choices to protect your privacy
  • Back up to securely back up and restore photos and call history, in addition to contacts.

Download Lookout Premium for $2.99/month or $29.99/year today!

* Limited to T-Mobile devices preloaded with Lookout

Category:   Lookout Premium  •  Safe Browsing  •  Security
January 17, 2012

CES 2012: Gadgets Coming Your Way Soon

What happens in Vegas, stays in Vegas— unless it’s the ground-breaking technology put on display at the annual Consumer Electronics Show, the largest trade show in the Americas. January 10th through the 13th, industry leaders commanded the CES stage to preview their innovative products with hopes of generating a buzz that’ll go far beyond the confines of Sin City. Here’s the Lookout lowdown on the week’s festivities:

CES 2012 was the year of sleek smartphones and cutting-edge tablets amid a sea of other high IQ gadgets. Yes, the devices we’ve come to rely on for staying in touch with the world and our friends have stepped up their game considerably. So keep your eyes open for these new toys— they’ll be coming to an electronics store near you soon enough.


  • Samsung Galaxy Note: Technically a smartphone, but with its 5.3 inch HD screen it could just as easily pass as a mini tablet. The device features up to 32GB of internal memory to go along with its remarkable screen resolution.
  • Sony Xperia S: Out of the five smartphones Sony presented, this one takes the cake, with a 12 megapixel rear-facing camera and Near Field Communication capabilities (the technology behind mobile payments).
  • Motorola Droid Razr Maxx: Remember the Motorola Razr flip phone that was all the rage way back when?  Just 9mm thick, the second coming makes its predecessor go dull. Already released by Verizon, the Razr Maxx is a fine choice if you’re in the market for a new smartphone.


  • Lenovo IdeaPad K2: Initially launching in China, the tablet features a finger print reader, dual speaker system and will run Android 4.0 Ice Cream Sandwich.
  • Acer Iconia Tab A700: With an incredibly bright and clear screen (1925 x 1200 pixels) and 9800 mAh battery, this is the perfect device to get you through long flights or road trips.
  • Asus MeMo: By delivering a quad-core Nvidia Tegra 3 processor into a 7-inch Android Ice Cream Sandwich tablet, the Asus device is a legitimate competitor to the Amazon Kindle Fire.

As progressive as these new devices may be, they’re not immune to the security risks of our mobile habitat. Setting passcodes, avoiding suspicious websites and downloading a mobile security product like Lookout are great ways to get peace of mind.

Who knows what’s in store for next year’s convention? My money’s on the world’s first flying smartphone.

Category:   Android
January 13, 2012

Carrier IQ Detection By the Numbers

Over the past few weeks the Carrier IQ PR firestorms has died down, and the dialog has evolved from initial speculation of a ‘rootkit’ to objective evaluations of what personal data is collected, and when. One of the most informative examples of the latter is Peter Eckersley’s December 13th overview at the EFF of Carrier IQ’s software architecture – recommended reading for more technically curious readers out there.

In developing Carrier IQ Detector, we discovered very similar results to those published by the EFF. The take-home message is that determining whether or not a device has an active instance of Carrier IQ is a very nuanced subject, with dependencies on software developed by Carrier IQ, handset manufacturers (also referred to as OEMs), mobile operators, and chipset manufacturers. After individually inspecting a number of handsets that cut across a variety of US carriers and OEMs, we decided to develop our detector to report positive detections of Carrier IQ if a single relevant file is found. This approach brings with it both an upside and downside:

  • Upside: It provides the broadest detection reach possible
  • Downside: Our detector registers the presence of Carrier IQ in some cases where the software is not active

After hearing from some of our customers that this specific nuance of the detector wasn’t clear, we’ve updated the app description to make sure this point is emphasized.

Category:   Lookout News  •  Privacy  •  Security
January 11, 2012

New Year’s Resolutions for Mobile Security

2011 was truly an incredible year for mobile technology. We witnessed revolutions greatly aided by new mobile technologies and social media. We saw mobile devices transform into digital wallets and watched smartphones become even smarter with the release of the iPhone 4S and Galaxy Nexus S. But as the capabilities of smartphones grow, we will all need to work together to foster a safer mobile environment. We’ve pulled together a few New Year’s resolutions for 2012. With these simple resolutions in mind, we look forward to a bright year ahead!

Let’s foster a constructive conversation about the mobile landscape.
Threat statistics can be informative, they provide mobile users valuable knowledge about fraud practices on the rise and commonly exploited security loopholes. However, sounding a constant alarm that threats have increased by hundreds of percentages without providing the right level of context isn’t extremely helpful. In the PC industry, security companies often promote the need for antivirus protection by creating anxiety among their users. Let’s not do the same in mobile security. Instead, we can provide data-driven guidance so users can understand and avoid specific risks. We owe it to our users and to other companies in the mobile industry to help them understand threats and what they can do to stay safe, not just to keep them on their toes. We can all be prepared without being scared.

Our resolution: We will regularly share threat information and security trends in a constructive manner, avoiding the unnecessary creation of FUD among mobile users.

Let’s stop stating that the App Store is a silver bullet to secure iOS and that the openness of Android makes it a magnet for malware. No single operating system is immune to security threats.
Both the Android and Apple operating systems are exposed to mobile threats; currently, we are just seeing different threats targeting each platform. Android’s open architecture and distribution system may offer a few more “on-ramps” to threats, but both the Android and Apple operating systems are exposed to web-based threats and software vulnerabilities. Both platforms are rapidly growing and both face distinct security challenges. It’s a potentially dangerous fallacy to believe that any mobile platform is impervious to threats. Whether by net or by harpoon, malware developers are out to catch anything they can.

Our resolution: We will continue to uncover and obstruct the largest security threats facing the mobile user, wherever they emerge.

Let’s work together to get security patches to users more quickly.
When preventable fraud is freely circulating among mobile users, time is money – often the mobile users’ money. As an industry, we need to accelerate our response to known threats, both in the creation and distribution of security measures. There is opportunity for improvement among device manufacturers, carriers, software providers and other members of the mobile ecosystem. Device manufacturers have taken many months to patch known bugs, and due to the complexity of the patching process, some Android devices don’t even receive patches that Google makes available. It’s not an easy problem to solve. But it’s important, especially as mobile threats grow in their ability to cause damage. Google has made strides in requiring 18-month release windows and Apple has added over-the-air updates to iOS 5, but there is still more we all can do to make sure that the device in your pocket or purse is as secure as possible.

Our resolution: We will work even more closely with carriers, device manufacturers and app distributors to inform them of specific threats and do all we can to facilitate rapid response to mobile users.

In the coming year, we hope to see these mobile industry resolutions become realities.

Category:   Android  •  Apple  •  Lookout News  •  Lookout Premium  •  Privacy  •  Security