April 30, 2012
Today we’re excited to tell you about two new features in Lookout for Android: File System Monitoring and Install Monitoring. These free features provide added protection from malware and spyware, especially for people who like to download apps from a variety of different sources. Like Lookout’s core security functionality, these new features are powered by Lookout’s Mobile Threat Network.
If you download apps from alternative markets or other sources such as discussion forums (commonly referred to as “side-loading” apps), File System Monitoring and Install Monitoring add an extra level of protection for you. While Lookout already protects users from these types of applications by scanning them immediately upon install, these two new features offer unique ways to detect threats before they are installed on a device.
The ability to download apps from a variety of sources is considered one of the unique strengths of the Android platform. However, we generally advise people to use caution when “side-loading,” or downloading an app outside of the official Android Market (aka Google Play) in order to minimize the chance of encountering malware. We know a lot of our users like to explore everything on Android, even if that means downloading apps from a source you’ve never even heard of before. For these cases, File System Monitoring and Install Monitoring are here to protect you.
File System Monitoring
File System Monitoring actively watches your SD card for file changes. When a new app is downloaded to your SD card, but not yet installed, File System Monitoring will alert you in real time if it’s malware. This active monitoring is a much better watchdog for your SD card than a scheduled file system scan, and we’ve designed it in a way that won’t impact your battery life. A file system scan scheduled for Tuesday won’t tell you about the malware you downloaded on Wednesday for six days!
Power users, take note! Because File System Monitoring relies on its ability to ‘watch’ the SD card for changes, it works great for most methods of side-loading, such as when you download an app from the web or from email directly on your mobile device. In cases where you un-mount your SD card to transfer apps manually, File System Monitoring won’t be able to scan any new apps you may transfer. This is where Install Monitoring comes in…
Lookout for Android is the first security app to feature Install Monitoring, giving you the option to scan apps at the beginning of a side-load app installation process. When you tap on an .apk package to install it, Install Monitoring will prompt you to optionally scan the app before installing. If an app checks out as clean, installation proceeds as normal without any inconvenience to you. You can even set this as a default behavior so that Lookout will automatically conduct scans on all future side-load installs!
Note that when you get apps from Google Play, they’re automatically downloaded and installed on your device, so Lookout’s existing security scanning is still an essential facet of mobile protection for users.
If you are an existing Lookout Free or Lookout Premium user, install the latest update of Lookout for Android to access these features. You can turn off automatic File System Monitoring in Settings>Security in the Lookout app. You’ll also be able to set preferences for Install Monitoring the first time you install a side-loaded app through Android’s standard intent selection dialog, and thereafter through the ‘Launch By Default’ section of Lookout’s App info page in system settings.
We think that these new features really add an important new level of security for power users – they’re like monster tires for off-roading on your Android! Let us know what you think!
April 27, 2012
How hard is it to hack a celeb’s phone and email? According to Chris Chaney, who’s earned the moniker “The Man Who Hacked Hollywood,” it’s a cake walk. Chaney was arrested and pleaded guilty to identity theft, wiretapping and unauthorized access to a computer after hacking into the email accounts and cell phones of celebrities, including Scarlett Johansson, Mila Kunis and Christina Aguilera. In all, he had access to more than fifty celebrities.
Make no mistake, Chaney is no computer wunderkind. He doesn’t have a technical or computer science background. As Chaney himself put it, he was unemployed, with a lot of time on his hands. He reveals how he gained access to celebs’ emails and mobile devices in this month’s GQ:
Finding a working e-mail address was a simple process of trial and error. In a Word document, he made a list of random celebrities and, one by one, entered them into Gmail until, days later, an address was finally accepted. (In the blur of celebs to follow, he wouldn’t be able to recall his first.) Unlocking the account, he knew, would be more difficult. To retrieve a lost password, sites often ask subscribers so-called challenge questions: What’s your mother’s maiden name? What’s your place of birth? Or, in the case of this celebrity, what’s your pet’s name? It was widely known that the hacker who broke into Paris Hilton’s phone had done it with her Chihuahua’s name, Tinkerbell. If her dog’s name was easily available online, so too, Chaney figured, were other clues.
Lesson #1: Set up strong passwords. Once a hacker figures out your email or phone’s password, they’ve got the keys to your kingdom. You’d be surprised how many people have no password at all, or only a very weak one. And never use the same password for multiple sites.
Lesson #2: Don’t choose predictable security questions. Most of your personal information can be found online, including your mother’s maiden name. Select the more challenging security questions, with answers that can’t be found online.
Lesson #3: Don’t hack. Chaney pleaded guilty to nine counts, including unauthorized access to a computer and wiretapping, and faces sixty years in prison and $2.25 million in fines.
April 27, 2012
In the past week Lookout has identified Gamex, a new Android Trojan concealed in repackaged versions of legitimate applications that require root access to the phone. Gamex functionality is split across three components that cooperate to infect the device, communicate with its host, and silently install applications on the device. The Trojan was first discovered on alternative markets via Lookout’s Mobile Threat Network, and so far the overall user impact is estimated as low. The threat has been detected and blocked—all Lookout users are protected.
How it works
Gamex piggybacks on repackaged versions of applications that require root access, such as file managers, ad blockers, and device performance boosters. When a user grants root access to the application, Gamex abuses this privilege to install another application to the device’s /system partition to act as a privileged installation service. A third component communicates with a remote server, downloads apps, and triggers their installation. Gamex also reports the installation of these applications, along with the IMEI and IMSI, to a remote server. We believe that this information is used to operate and/or report installations to a malicious affiliate app promotion network.
If you’re interested in the more technical details of how Gamex works, continue reading beyond our tips.
Here are some tips to keep your phone secure against constellation malware such as Gamex:
- Only download apps from trusted sources, such as reputable app stores and download sites. Read through the permissions, and remember to look at the developer name, reviews and star ratings.
- Be alert for unusual behaviors on your phone, which could indicate that your phone is infected. These behaviors may include unusual text messages, strange charges to your phone bill, and suddenly decreased battery life.
- Download a mobile security app for your phone that scans every app you download. For extra protection, make sure your security app can also warn you when navigating to unsafe websites.
- Make sure to download firmware updates as soon as they are available for your device.
Gamex Technical Summary
In each sample we’ve analyzed to date, the dropper application has been a repackaged version of a legitimate application that requires root access – including file managers, ad blockers, and performance boosters. When this dropper app is launched, the injected code requests root access and, if granted, copies an embedded package – com.android.setting – to /system/app/ComAndroidSetting.apk. This package is embedded in the repackaged app as assets/logos.png and trivially obfuscated.
This payload contains a broadcast receiver for a custom action intent. The intent is used to activate the payload and to interact with it as a privileged installation service. When starting, this payload reports IMEI, IMSI and what we interpret as a “campaign id” to its C&C as <url>/inputex/index.php?s=/Interface/keinter/a1/<IMEI>/a2/<IMSI>/a3/<CMP_PID>. If not already installed, it installs a third payload – com.android.update – embedded as assets/icon.png and, again, encoded by trivial xor.
This payload interacts with the C&C service and processes app installation requests, delegating installation to com.android.setting. Its functionality is triggered by a combination of timers and observation of screen state changes.
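A static triage check for the embedding described above, as an added example (not Lookout’s code): it flags assets that carry a .png name but no PNG signature and that decode to a ZIP/APK. It assumes a single-byte XOR key, which the write-up does not state; the function names and the in-memory sample are constructed.

```python
import io
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"  # an APK is a ZIP archive

def xor_key_for_zip(head):
    """Single-byte key (assumption) that turns head into a ZIP header, else None."""
    if len(head) < 4:
        return None
    key = head[0] ^ ZIP_MAGIC[0]
    return key if bytes(b ^ key for b in head[:4]) == ZIP_MAGIC else None

def inner_entries(blob, key):
    """Decode blob with key; list its entries if it really is a ZIP, else []."""
    try:
        with zipfile.ZipFile(io.BytesIO(bytes(b ^ key for b in blob))) as z:
            return z.namelist()
    except zipfile.BadZipFile:
        return []

def triage_apk(apk_bytes):
    """Return (asset, key, inner entries) for .png assets that are not PNG images."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("assets/") and name.lower().endswith(".png")):
                continue
            blob = apk.read(name)
            if blob.startswith(PNG_MAGIC):
                continue  # genuine image header
            key = xor_key_for_zip(blob[:4])
            if key is None:
                findings.append((name, None, []))  # mislabelled, encoding unknown
            else:
                findings.append((name, key, inner_entries(blob, key)))
    return findings

def build_sample_apk(key=0x5A):
    """Constructed fixture: harmless placeholder files, one XOR-wrapped ZIP asset."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed placeholder")
        z.writestr("classes.dex", b"constructed placeholder")
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("assets/logos.png", bytes(b ^ key for b in inner.getvalue()))
        z.writestr("assets/banner.png", PNG_MAGIC + b"\x00" * 16)
        z.writestr("assets/notes.png", b"plain text, not an image")
    return outer.getvalue()

if __name__ == "__main__":
    for finding in triage_apk(build_sample_apk()):
        print(finding)
```

A finding with a key and a non-empty entry list is an embedded package worth unpacking and scanning on its own; a finding with no key is only a mislabelled file.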
Screen State Broadcast Receiver
com.android.update receives SCREEN_ON and SCREEN_OFF broadcasts. When the device screen is turned off, all installed apps are started and communicate with <url>/inputex/index.php?s=/Interface/neiinter/a1/<IMEI>/nam/<app>. If any apps are started during this process, the device’s home screen is launched when SCREEN_ON occurs.
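The two check-in URL shapes quoted above can be hunted for in web proxy logs. The following is an added example, not Lookout’s code: the log line format, host names, addresses and identifier values are constructed, and because the write-up does not give the C&C host, only the path and route are matched.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Route shapes from the write-up; the C&C host is not given there, so any host matches.
ROUTES = {
    "checkin": re.compile(r"^/Interface/keinter/a1/(?P<imei>[^/]+)/a2/(?P<imsi>[^/]+)/a3/(?P<campaign>[^/]+)/?$"),
    "app_launch": re.compile(r"^/Interface/neiinter/a1/(?P<imei>[^/]+)/nam/(?P<app>[^/]+)/?$"),
}

def mask(identifier):
    """Keep alerts useful without copying full device identifiers into them."""
    return identifier[:4] + "*" * max(len(identifier) - 4, 0)

def classify(url):
    """Return (kind, fields) for a Gamex-shaped request, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/inputex/index.php"):
        return None
    # parse_qs percent-decodes, so an s=%2FInterface%2F... variant is matched too.
    route = parse_qs(parts.query).get("s", [""])[0]
    for kind, pattern in ROUTES.items():
        m = pattern.match(route)
        if m:
            fields = m.groupdict()
            for k in ("imei", "imsi"):
                if k in fields:
                    fields[k] = mask(fields[k])
            return kind, fields
    return None

def scan(log_text):
    """Group matching requests by client address (columns: time client method url status)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        cols = line.split()
        if len(cols) < 4:
            continue
        verdict = classify(cols[3])
        if verdict:
            hits[cols[1]].append((cols[0],) + verdict)
    return dict(hits)

# Constructed sample lines; none of these values come from a real device or server.
SAMPLE_LOG = """\
2012-04-27T10:00:01Z 10.0.0.23 GET http://cc.example.invalid/inputex/index.php?s=/Interface/keinter/a1/000000000000000/a2/001010123456789/a3/CAMPAIGN1 200
2012-04-27T10:05:10Z 10.0.0.23 GET http://cc.example.invalid/inputex/index.php?s=%2FInterface%2Fneiinter%2Fa1%2F000000000000000%2Fnam%2Fcom.example.app 200
2012-04-27T10:06:00Z 10.0.0.40 GET http://www.example.org/index.php?s=/Interface/keinter/a1/1/a2/2/a3/3 200
2012-04-27T10:07:00Z 10.0.0.41 GET http://www.example.org/inputex/index.php?s=/news/today 200
"""
```

Calling scan(SAMPLE_LOG) returns one client, 10.0.0.23, with a check-in followed by an app-launch report; the other two lines match only half of the pattern and are ignored.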
Subsequent App Installs
- Handler 1 – Every 10 minutes, a call is made to a URL specified in com.android.update’s assets/logo.png. This call fetches a page of roughly 10 apps and, if they are not currently installed, inserts them into a database to be downloaded.
- Handler 2 – A separate handler will download an app that hasn’t yet been downloaded, but this is conditional on device network state – occurring every 60 seconds on WiFi or 30 minutes otherwise.
- Handler 3 – A third handler checks for downloaded apps every 60 seconds. If an application is installed, this handler will sleep for 4 hours before installing a subsequent app. Installation is delegated to com.android.setting by a broadcast intent.
April 24, 2012
Drum roll please…today, we’re very excited to announce that Lookout has more than 20 million users around the globe! Since launching in 2007, we’ve been hard at work developing a stellar mobile security app and expanding our reach internationally. We’re proud of the achievements we’ve made along the way, but we’re most thrilled by the fact that we’ve been able to keep the smartphone experience safe for our users. Now more than 20 million strong, and we’re growing by a million more each month!
Over the years, we’ve received wonderful feedback from our customers. Every day, Lookout locates an average of 25,000 phones, backs up hundreds of thousands of photos, and blocks users from clicking on thousands of bad links and apps. It inspires us to know that we’re helping keep so many mobile devices safe and we’d like to extend a big THANK YOU to all of our users — your feedback and support enable us to offer such a great product!
Be sure to stay tuned…50 million users, here we come!
April 23, 2012
Lookout is teaming up with Deutsche Telekom, one of the largest mobile carriers in Europe, to provide Deutsche Telekom’s millions of customers with the free Lookout app. With Lookout, there are no limits to what Deutsche Telekom customers will be able to do with their smartphones. We’ll be helping Deutsche Telekom’s customers manage their security and privacy, and we might even experiment with building new apps together that increase device health.
This is an exciting milestone for Lookout. Deutsche Telekom has a reputation for cutting-edge innovation and delivering more value to its customers. With both companies laser-focused on developing the best mobile protection, you know to stay tuned for exciting new announcements and updates.
The partnership with Deutsche Telekom comes on the heels of Lookout’s recent announcement with Deutsche Telekom’s sister company, T-Mobile, where we announced custom ring tones available to all Lookout users with T-Mobile devices. This is just another step in the right direction – Lookout is getting closer and closer to our goal of being in the hands (err on mobile devices) of individuals worldwide!
April 20, 2012
At Lookout, we love new languages almost as much as we love keeping your phone safe from the latest malware threats. Today, we’re excited to add Simplified Chinese and Polish to our list of localized versions of Lookout for Android.
In case you’re keeping score at home, there are now seven non-English languages available for Lookout for Android, and seven is a pretty lucky number! (The other localized versions include German, French, Japanese, Spanish and Brazilian Portuguese.)
If your Android’s system is set to one of these languages, when you download or update Lookout from the Google Play Store (formerly known as Android Market), the app will automatically appear translated. And you’ll still have access to the same great free antivirus security, find my phone and backup features. Lookout Premium is also available for the most complete protection for US$2.99/month or US$29.99/year.
Stay tuned as Lookout learns to say, “Hello, World” in more languages!
April 18, 2012
Friends don’t let friends use a phone without mobile security! A few weeks ago, we asked our Facebook fans to help us spread the word about why mobile security is important. Many participated, and Kevin Babineau was the lucky Lookouter to win a Samsung Galaxy Tablet!
Occupation: Student and part-time sales clerk
Location: Nova Scotia, Canada
Lookout User Since: October 2011
Favorite Lookout Features: Scheduled Scanning and Scream
Why Kevin Loves Lookout: “I have recommended Lookout to all my friends with smartphones for a few reasons. It’s user friendly, small in size, has low battery consumption and offers top-notch peace of mind. You can watch it actively scan anything you download in your notification bar or home-screen widget. It’s also perfect for those of us who tend to misplace our phones with Scream and Locate using GPS. Oh, and keeping a backup of your phone contacts comes in handy for countless reasons. After discovering Lookout, it has become a must on all my devices. It’s the first app downloaded and the only app that never gets removed. It offers a safe peace of mind without getting in the way like many other apps that I have tried. In the end, Lookout delivers, plain and simple.”
Are you a Lookout Facebook fan or Lookout Twitter follower? Keep up with Lookout for a chance to win awesome prizes like this every month!
April 16, 2012
Earlier this month, security researchers published a report about a new form of Android malware that is controlled via SMS messages. The report states that the malware has the ability to record phone calls, upload a device’s GPS location, reboot a device, and perform a variety of other commands. Our research team examined samples of the malware dubbed “TigerBot” and determined that the app in question is not malware, but instead is a commercially available spyware application termed Spyera.
Similar to other well known targeted mobile spyware apps such as Flexispy and Mobistealth, Spyera has the ability to conceal itself as a nonthreatening application, is remotely controllable via SMS, is capable of sending sensitive information from a device to a remote target, and can be used to track the location or behavior of a target device. However, our research found no evidence to support claims that Spyera is being distributed as a Remote Access Trojan or is operated as a botnet.
While targeted surveillance applications do constitute a significant privacy risk to smartphone users, we believe it is incorrect to position such an app as a “bot.” It’s important to provide the right level of context when reporting on mobile threats so users can clearly understand and avoid specific risks. As such, Lookout currently classifies Spyera as ‘Surveillanceware.’
April 11, 2012
In the first quarter of 2012, we’ve continued to see a growing trend in premium SMS mobile malware targeted at European markets. Many of these families of malware clearly contain shared ancestry in their construction and are promoted in a way that is similar to affiliate marketing promotion of legitimate apps. These families include RuPaidMarket, DepositMobi, OpFake and other associated fraudulent installer applications.
In a continuation of this trend, Lookout has discovered in the past week two significant new variations on this theme. One appears to be an entirely new construction, and one appears to be a significant evolution (variant) of the fake installer apps. While their code bases clearly differ, they are related by distribution and by significant overlap in targeted short codes.
If you are currently a Lookout user, you are already protected and do not need to take any additional action.
How it works
April 10, 2012
Phone theft is one of the fastest growing crimes in the U.S., law-enforcement officials nationwide say. Thieves see an easy payday in stealing and then hawking your phone on sites like Craigslist, eBay and Amazon.
In an effort to help curb this epidemic, the nation’s major wireless providers (Verizon, AT&T, Sprint and T-Mobile) recently announced plans to work with the U.S. government to build a central database of stolen cellphones. The database will track phones that are reported as lost or stolen and deny them voice and data service. The idea is to reduce crime by making it difficult for thieves to actually use a stolen phone, reducing resale value.
It’s great to see the industry rallying together to crack down on mobile crime. Lucky for you, and unlucky for that thief—Lookout’s got you covered! Protecting your smartphone from loss or theft starts with simply downloading an app.
Here are tips to safeguard yourself in the event that your phone is stolen: