On March 25th 2013, the email account of a Tibetan activist was hacked and used to spearphish all the contacts in his address book. The spearphishing attack was a clever attempt to fool the targets into believing they’d received an update about a conference for Chinese, Tibetan, Mongolian, and Turkic activists run by “The World Uyghur Congress” (WUC) that took place from March 11-13, 2013. The email contained a malicious attachment that claimed to be a followup letter from the WUC but was, in reality, a malicious android APK file called “WC’s Conference.apk” containing a new strain of malware called Chuli.
While this kind of targeted attack against mobile devices is uncommon, it is not the first of its kind. Other strains of malware built for this type of targeted attack have been seen in the past – FinSpy/FinFisher is one example of Android malware designed for espionage, a trend we’ve been investigating.
How it works Recent versions of Android (3.0+) prevent applications from automatically launching themselves. To get around this, Chuli was sent out cleverly disguised as ‘Conference’ materials and also calls itself ‘Conference’ once installed. All of this is an elaborate attempt to socially engineer a user into executing the app. Once launched, Chuli displays a message designed to look like it was written by a WUC official to further the illusion that it is a legitimate message about the WUC conference while silently uploading all SMS, contacts and call history found in the device to a remote command and control (C&C) server.
Despite the fact that the C&C is hosted in the U.S., the server’s locale is set to Chinese and the Internet domains that point to it were registered on March 8th, 2013 by a Chinese registrant, (“Peng Jia” based in Beijing, China, on behalf of “Shanghai Meicheng Technology Information Development Co., Ltd.). While this tells us that the attackers are highly likely to be Chinese in origin, it does not necessarily implicate the Chinese government.
The message displayed once the malware is executed is read from a text file “assets/m.txt”, suggesting that this malware was designed so that the message could be easily changed for future spearphishing campaigns that might piggyback on a different event or news story.
Construction & Functionality The malware is comprised of two main services: “PhoneService” and “AlarmService.” PhoneService is the activation service that is started when the application is launched. To ensure the service is successfully started, it hooks itself into the Android OS and sets a trigger that launches the service whenever any of the following events occur:
The device wakes up
Charging state changes
Devices data connection state changes
Packages are added
Screen is turned on
Signal strength changes
Data activity takes place
PhoneService has three main jobs. The first is to create a unique identifier for the phone which it does using the UNIX timestamp. Then, it registers the device with the C&C server and finally, it starts the AlarmService service.
The AlarmService is the malware’s espionage arm. As soon as it is activated, it performs a number of steps:
Hooks into the Android SMS service so that any incoming messages are forwarded to the C&C server
Runs SMS and sends the SMS history to the C&C server
Requests location updates every 10 seconds or 20 meters and sends that location to the C&C server
Runs “contact” and sends device model, Android model and release number as well as all phone and SIM contacts to the C&C server
Runs “other” and sends the call history to the C&C server
We took a closer look at the the C&C server, a Windows server running IIS with a hastily created front page which gives further impression that this campaign was thrown together in a hurry with limited attention to fine detail.
Interestingly, the C&C server also publishes the “unique device identifier” for each compromised device as additional links. These links bring up a control panel for the relevant device that represents significant functionality that we have not yet observed in the malicious samples themselves, including the ability to remotely and silently install additional software. There was no sign that this functionality was used in this implementation, which may suggest that a different piece of malware was repurposed for this campaign.
Lookout’s take Considering the nature of the attack and its targets, it would be easy to assume that this attack was the work of a specific nation-state. Our analysis shows several indications that this is not the case. There are a number of examples of poor programming practice, the application didn’t have an icon and it was signed with a test signeer. Overall, the execution was less sophisticated than a number of existing pieces of malware, for example Geinimi . All of this evidence contradicts the claim that this was the work of a large nation-state attack.
This is another example of a targeted social engineering attack that incorporates Android malware as its method to take control of a vulnerable device for surveillance purposes. This is further evidence of a growing trend to use all available vectors for spearphishing attacks instead of just going after PC-based targets.
Who is affected? Chuli.A is a highly targeted attack and only a specific group of devices affected. This means the risk of infection is very low.
All Lookout users are protected from this threat and we have observed no infections detected across our user base.
The Lookout team worked to take down the C&C server, which was successfully taken offline. This renders the existing malware ineffective unless a fresh spear-phishing attack can be launched with a new C&C server hardcoded into the package.
Taking the C&C server offline also protects the privacy of any remaining users with infected devices.
Discovery Chuli.A was first discovered by Kaspersky
Starting today, our English speaking Android and iOS users will get a redesigned web experience when they login to Lookout.com!
The number one reason people login to Lookout.com is to find their missing device. That’s why we’ve redesigned our desktop web app to give our users the information they need to find and manage their device quickly.
The first thing you’ll see when you log in is a simplified dashboard that quickly updates you on your latest security activity on your devices. We’ve also updated the layout to better support managing device screens of all sizes, moving the most important content and updates front and center.
Back in May 2012 we first reported on NotCompatible, a remote proxy threat distributed by hacked websites. Once installed, the NotCompatible malware acts as a proxy, thereby allowing its owner to transmit and receive network data through the infected device. The original threat marked the first time that hacked websites were used to specifically target and infect mobile devices. Since the initial detection, we’ve continued to actively monitor NotCompatible, and it showed relatively low activity levels with occasional moderate spikes. That’s all changed over the past few days, as we’ve seen a sudden surge in detection data across the Mobile Threat Network – peaking at almost 20,000 detections per day between Sunday and Monday this past weekend.
The technical capabilities and construction of the threat haven’t changed significantly since last May. Interestingly, in this resurgence, the distribution strategy has changed: it’s now being spread primarily via spam from hacked email accounts.
Figure 1. A sample spam message distributing NotCompatible
The original distribution campaigns for NotCompatible specifically targeted Android users by only triggering a download for browsers that reported a user-agent header that contains the word ‘Android.’ The spam links in question perform a similar targeting tactic.
Clicking a spammed link in a browser on Windows, iOS, and OSX simply directs to a fake Fox News weight loss article, as shown below.
Figure 2. Fake weight loss site that non-Android users are redirected to
When clicking the link on an Android device, the browser is redirected to an “Android Security site” for an update. Depending on the user’s Android OS Version and browser, they may be prompted about the download. Many stock browsers will transparently trigger a download to the device /Downloads folder whereas Chrome displays a confirmation dialog.
Figure 3. Fake Android Security site serving NotCompatible samples
Lookout user’s have been protected by the NotCompatible threat since May 2012, so even if a drive by download like this is successfully downloaded, Lookout’s File System Monitoring feature will detect the threat as soon as the download is complete.
Figure 4. Lookout Filesystem Monitoring actively protecting against downloaded malware
In fact, we’ve seen that this is the case for the overwhelming majority of our detections during the recent spike in activity, with only 2% of detections coming from actual installations.
How to Stay Safe
Avoid opening spam email. Unexpected emails from long lost friends with generic titles such as ‘hot news’ or ‘Last all Night’ or ‘You Won $1000”are normally a good indication that an email is spam.
Use common sense when clicking on links. If it’s not a website name that you recognize, err on the side of caution. Be especially careful when receiving links that have been ‘shortened’ (e.g. bit.ly/ABCD), as it adds an additional layer of obfuscation that is difficult to evaluate.
If your mobile device unexpectedly starts downloading a file that you weren’t expecting, don’t click on it – delete it!
At Lookout, we know when it comes to finding your phone, every second counts. That’s why we’re proud to announce the availability of the Lookout Chrome App. This must-have app allows you to access your Lookout.com account with one click.
With the Lookout Chrome App, you can log into your Lookout account directly from your browser window to:
Locate your device on a Google Map and make it sound an alarm so you can find it
View your phone or tablet’s last known location before it ran out of battery
See your backed-up contacts in case you need to access a specific phone number
And for Premium users, remotely lock or wipe your device if you think your phone might be in the wrong hands, add a custom message to help get your phone back faster, and view your backed up photos!
Add Lookout to your Chrome browser today by downloading from the Chrome Web Store.
The Lookout Chrome App is a product of Lookout Labs, an initiative to push the boundaries of mobile technology to make life easier for users like you. Labs products are experimental in nature, so let us know what you think!
Locate: This feature allows you to pinpoint your missing phone on a google map from a PC or another smartphone. Simply log in to your Lookout account to find your phone’s location.
Scream: In the case that you misplaced your phone under the couch cushion or somewhere in your vicinity, the Lookout app will sound a loud alarm to help you track down where your phone ran off to.
Signal Flare: One of the top reasons people can’t find their missing phone is because of a dead battery. To help increase your chances of finding a lost phone, Lookout automatically saves your device’s last known location to your Lookout account when your battery is teetering on dying.
Lock Cam: Our newest feature provides you with just one more way to help you retrieve a lost or stolen phone. Lock Cam sends an email with the picture and location of anyone who enters an incorrect password three times into your device’s lock screen.
A number of celebrities and political figures have reportedly become the latest victims of targeted hacking attacks. Since the news broke yesterday, the list of high profile victims has escalated to 12, with attackers exposing their private and financial information onto an undisclosed website. Among these prominent figures are Michelle Obama, Hillary Clinton, Joe Biden, music artists Jay-Z and Beyonce, Kim Kardashian and Mel Gibson.
The information that was publicly displayed includes social security numbers, banking information, mortgage amounts, credit card details and car loans. The now, undisclosed site was still public early this morning and had more than 147,000 visitors, according to New York Daily News.
According to CNBC, the Secret Service has confirmed that it is currently investigating the hacking attacks.
There is still speculation that the attacks are a hoax, given the current inability to locate the website where the information was first disseminated.
What can people do to stay safe?
As the world becomes more connected, security should be a priority at all levels where personal information can be accessed, whether on a website, app or forum. Be aware and cautious about when, where and what information you make available on the Internet, and do a quick “spring cleaning” to ensure that you approve of the privacy settings on your various accounts.
Be proactive about security and download a security app that alerts you when your mobile phone may have been compromised.
A vulnerability that bypasses the Samsung Galaxy S3 lock screen was discovered last week. This vulnerability allows full access to the device regardless of the strength of the device’s password. To help minimize the risk to users, Lookout released an update today to its Lookout Mobile Security Android app on Google Play that protects owners of the Samsung Galaxy S3, Note II and S3 Mini from this vulnerability. Lookout users are also protected if the phone is lost or stolen when using ‘Lock’ from Lookout’s web app. An official device patch is expected from Samsung shortly, and we recommend that users update their devices as soon as the patch is released.
The Samsung Galaxy exploit allows the lock screen to be bypassed in a series of five steps that can be triggered by canceling an emergency call, accessing emergency contacts and quick reflexes with the home and power button.
To mitigate the risk, when Lookout detects the emergency contact dialer has been backgrounded, we preemptively bring it back to the forefront so that the rest of the phone cannot be accessed.
Affected devices appear to be the Samsung Galaxy S3 models and the Samsung Note II. Lookout Galaxy S3 Mini users are also protected.
How to Stay Safe
Download the Lookout Mobile Security app from Google Play or update the app to version 8.10.2.
Protect your phone like you protect your wallet. Keep your phone close to your person and avoid leaving it out it open places.
Watch out for a Samsung Galaxy S3, Note II and S3 Mini system update and install it as soon as it is released.
Can you believe it’s almost been a year since Breach Week? That’s when LinkedIn, eHarmony, and Last.fm were victims of hacks that compromised passwords, sending millions of users into password changing frenzies. February 2013, or what we’re dubbing as Hackuary, hasn’t been kind to some of the world’s most recognizable companies either. The New York Times, Facebook, Apple, Microsoft, and Twitter had security issues that PC antivirus software could not protect against. Here are the details on the hacks and how you can stay protected: