February 16, 2017

ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar

ViperRAT is an active, advanced persistent threat (APT) that sophisticated threat actors are using to target and spy on the Israeli Defense Force.

The threat actors behind the ViperRAT surveillanceware collect a significant amount of sensitive information from the device, and seem most interested in exfiltrating images and audio content. The attackers are also hijacking the device camera to take pictures.

Using data collected from the Lookout global sensor network, the Lookout research team was able to gain unique visibility into the ViperRAT malware, including 11 new, unreported applications. We also discovered and analyzed live, misconfigured malicious command and control (C2) servers, from which we were able to identify how the attacker secretly installs new, infected apps and the types of activities they are monitoring. In addition, we uncovered the IMEIs of the targeted individuals (IMEIs will not be shared publicly for the privacy and safety of the victims) as well as the types of exfiltrated content.

In aggregate, the type of information stolen could let an attacker know where a person is, with whom they are associated (including contacts’ profile photos), the messages they are sending, the websites they visit and their search history, screenshots that reveal data from other apps on the device, the conversations they have in the presence of the device, and a myriad of images, including anything at which the device’s camera is pointed.

May 16, 2016

The house always wins: Takedown of a banking trojan in Google Play


You always take your chances when you gamble, but with this Android malware, the odds are very much against you.

Lookout recently identified an app called “Black Jack Free” in the Google Play store, which turned out to be a variant of the malware family Acecard. The app has since been removed from the store. Because we issued coverage for this malware family months ago, all Lookout customers, individuals and enterprises alike, are safe. Non-Lookout customers who downloaded Black Jack Free should immediately remove the app from their device and change the passwords to their sensitive accounts. This malware also attempts to download and install a secondary app called Play Store Update (cosmetiq.fl). This app should also be removed.

November 17, 2015

InstaAgent: What it is and what you can do about it

Recently, news broke about a concerning app called InstaAgent. The app connects to the victim’s Instagram account and sends the user’s login credentials unencrypted to its servers.

Here’s what we know about the threat.

November 4, 2015

Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire

Auto-rooting adware is a worrying development in the Android ecosystem in which malware roots the device automatically after the user installs it, embeds itself as a system application, and becomes nearly impossible to remove. Adware, which has traditionally been used to aggressively push ads, is now becoming trojanized and sophisticated. This is a new trend for adware and an alarming one at that.

Lookout has detected over 20,000 samples of this type of trojanized adware masquerading as legitimate top applications, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp, and many others.

October 14, 2015

Breaking open South Korea’s government-approved children-targeted surveillanceware

In April of this year, South Korea began mandating that government-approved monitoring software be installed on smartphones used by anyone 19 years of age or younger. Unfortunately, one of the most widely-used, government-approved versions of this “monitoring software” actually left children’s data wide open to prying eyes.

Earlier this year, I participated in the Citizen Lab Summer Institute – a series of research workshops hosted in Toronto by Citizen Lab – and had the chance to collaborate with several researchers on this project that took a closer look at parental monitoring software used in South Korea.

September 20, 2015

Hundreds of millions of devices potentially affected by first major iOS malware outbreak

XcodeGhost is the latest example that iOS devices, indeed any device, can be subject to attack and that even a highly-curated app store can contain malicious apps.

Lookout Mobile Threat Protection customers are already protected from this malware and do not need to take any further action. For customers using our consumer mobile security solution, more information is available here.

XcodeGhost is malicious code inserted into iOS apps by a tampered version of Apple’s Xcode; the code steals data from iOS devices. It stealthily made its way into a number of applications in the Apple App Store without the developers of those apps knowing. Indeed, it’s the largest attack on the App Store we’ve seen to date.
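Because the compromise lives in the build tool rather than in any one app, the practical check for a developer is whether the local Xcode.app still carries a signature Apple issued. The script below is an added example, not Lookout’s or Apple’s tooling: it wraps the Gatekeeper assessment `spctl --assess --verbose /Applications/Xcode.app`, and treats as genuine only the three verdict sources Apple’s XcodeGhost validation note listed (Mac App Store, Apple, Apple System). The sample verdict lines are constructed; `check_xcode` only runs `spctl` when invoked with `--check`.

```shell
#!/bin/sh
# Added example (not Lookout's or Apple's tooling): confirm that the local
# Xcode.app still carries Apple's signature, the property a XcodeGhost-tampered
# copy lacks. Assumption: the three "accepted source=..." verdicts accepted
# below are the ones Apple's XcodeGhost validation note lists as genuine.

# xcode_source_ok "<verdict line>" -> 0 only for a signature Apple issued.
xcode_source_ok() {
    case "$1" in
        *": accepted source=Mac App Store"|*": accepted source=Apple"|*": accepted source=Apple System") return 0 ;;
        *) return 1 ;;
    esac
}

# check_xcode [path]: run the assessment (stdout and stderr are captured
# together because spctl reports the verdict on stderr) and fail on anything
# other than the three good verdicts, including "rejected" (a modified
# bundle) and Developer ID or ad-hoc signatures.
check_xcode() {
    path=${1:-/Applications/Xcode.app}
    verdict=$(spctl --assess --verbose "$path" 2>&1) || true
    if xcode_source_ok "$verdict"; then
        echo "OK: $verdict"
    else
        echo "SUSPECT: $verdict"
        return 1
    fi
}

# Only touch spctl when asked; otherwise exercise the parser on constructed
# sample verdict lines (not captured from a real machine).
case "${1:-}" in
    --check) check_xcode "${2:-}" ;;
    *)
        for sample in "/Applications/Xcode.app: accepted source=Mac App Store" \
                      "/Applications/Xcode.app: rejected" \
                      "/Applications/Xcode.app: accepted source=Developer ID"; do
            if xcode_source_ok "$sample"; then echo "OK: $sample"; else echo "SUSPECT: $sample"; fi
        done ;;
esac
```

Run it as `sh check_xcode.sh --check` on a Mac to assess the installed copy, or `sh check_xcode.sh --check /path/to/Xcode.app` for a copy staged elsewhere. Anything but the three listed sources, including a copy downloaded from a third-party mirror and resigned, is reported as SUSPECT.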

July 1, 2015

Japanese malware abuses service helping the disabled use smartphones; spies on victims and steals LINE data

Android’s accessibility service gives people with disabilities, and anyone else with restricted use of their phone, alternative ways to interact with the device. It has also, unintentionally, opened the door for Japanese surveillanceware to steal data from LINE, the most popular messaging service in Japan.

After discovering this threat, Lookout notified both LINE and Google. None of LINE’s systems were breached. All Lookout users are protected against this threat.
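An accessibility service only gets to read other apps’ screens once the user has enabled it, so the first thing to check on a suspect device is which services are enabled and whether each one is expected. The script below is an added example, not Lookout’s tooling, and it also covers the remediation step in the Acecard post above (remove the secondary “Play Store Update” app, cosmetiq.fl): over adb it pulls the enabled-accessibility-services setting and the installed-package list, then flags any service not on an allowlist and any package on a deny list. Assumptions: the single allowlist entry (TalkBack) stands in for whatever your fleet legitimately uses, and the two SAMPLE_* strings are constructed test data in the shape `settings get` and `pm list packages` print.

```shell
#!/bin/sh
# Added example (not Lookout's tooling): triage an Android device over adb for
# (1) accessibility services that are enabled but not on our allowlist, the
#     privilege the LINE-stealing surveillanceware above relies on, and
# (2) installed packages on a deny list; the only name the page gives is
#     Acecard's secondary "Play Store Update" app, cosmetiq.fl.
# Assumptions: TalkBack is the one accessibility service we expect on the fleet
# (replace with your own); the SAMPLE_* strings are constructed test data.

ALLOWED_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
DENIED_PKGS="cosmetiq.fl"

# flag_a11y "<value of: settings get secure enabled_accessibility_services>"
# The value is a colon-separated list of component names; empty or "null"
# means none enabled. Prints every service not on the allowlist; returns 1
# if any was found.
flag_a11y() {
    rc=0
    case "$1" in ""|null) return 0 ;; esac
    old_ifs=$IFS; IFS=':'; set -f      # split on ':' only, no globbing
    for svc in $1; do
        case ":$ALLOWED_A11Y:" in
            *":$svc:"*) ;;
            *) echo "UNEXPECTED accessibility service: $svc"; rc=1 ;;
        esac
    done
    set +f; IFS=$old_ifs
    return $rc
}

# flag_denied_pkgs "<output of: pm list packages>" (one "package:<name>" per line)
# Prints every installed package on the deny list; returns 1 if any was found.
flag_denied_pkgs() {
    rc=0
    while IFS= read -r line; do
        pkg=${line#package:}
        case " $DENIED_PKGS " in
            *" $pkg "*) echo "DENIED package installed: $pkg"; rc=1 ;;
        esac
    done <<EOF
$1
EOF
    return $rc
}

# Live check against the attached device; tr strips the CR adb adds on some hosts.
triage_device() {
    rc_all=0
    flag_a11y "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')" || rc_all=1
    flag_denied_pkgs "$(adb shell pm list packages | tr -d '\r')" || rc_all=1
    return $rc_all
}

# Constructed sample data: the allowed service plus a hypothetical spy service,
# and a package list that includes the page's cosmetiq.fl.
SAMPLE_A11Y="$ALLOWED_A11Y:com.example.spy/.CaptureService"
SAMPLE_PKGS="package:com.android.chrome
package:cosmetiq.fl
package:com.example.cards"

case "${1:-}" in
    --device) triage_device ;;
    *) flag_a11y "$SAMPLE_A11Y"; flag_denied_pkgs "$SAMPLE_PKGS" ;;
esac
```

With a device attached and USB debugging on, `sh triage.sh --device` prints one line per finding and exits non-zero if anything was flagged; without arguments it runs against the constructed samples. Note that an accessibility service the user never enabled is harmless, so a service showing up here that the user does not recognise is the finding worth chasing.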

March 18, 2015

13 more pieces of adware slip into the Google Play store

Unfortunately, even official app stores’ app-vetting systems are not perfect. Lookout has found 13 apps carrying adware in Google Play, some of which pose as Facebook and have malware-like characteristics that make them difficult to remove from the phone.

We alerted Google to these 13 instances and the company quickly removed them from the store. All Lookout users are protected against this threat.

January 6, 2015

The privacy tool that wasn’t: SocialPath malware pretends to protect your data, then steals it

Today, privacy tools are of increased importance. They help people understand what kind of data they’re sharing and can help keep their personal information personal.

So it’s particularly egregious when a piece of malware pretends to protect a person’s privacy and, instead, steals their data.

December 4, 2014

DeathRing: Pre-loaded malware hits smartphones for the second time in 2014

When you walk out of a retailer with a shiny new phone, you trust that it’s clean and safe to use. But this might not always be the case, as evidenced by the latest pre-loaded malware Lookout identified called DeathRing.

DeathRing is a Chinese Trojan that comes pre-installed on a number of smartphones popular in Asian and African countries. Detection volumes are moderate, but we consider this a concerning threat given its pre-loaded nature and the fact that we are actively seeing detections of it around the world.