April 3, 2017

Pegasus for Android: the other side of the story emerges

Today, Lookout and Google are releasing research into the Android version of one of the most sophisticated and targeted mobile attacks we’ve seen in the wild: Pegasus.

Read the full technical analysis here

A “cyber arms dealer” named NSO Group developed the Pegasus malware, which jailbreaks or roots target devices to surveil specific targets. Last summer, after being tipped off by a political dissident in the UAE, Citizen Lab brought Lookout in to further investigate Pegasus. In August 2016, Lookout, with Citizen Lab, published research about the discovery of the iOS version of this threat. What we discovered was a serious mobile spyware operation that has since been reportedly used to target Mexican activists, according to The New York Times.

Google calls this threat Chrysaor, the brother of Pegasus. For simplicity, we’ll reference this as Pegasus for Android. Names aside, the threat is clear: NSO Group has sophisticated mobile spyware capabilities across a number of operating systems that are actively being used to target individuals.

Lookout enterprise and personal customers are protected from this threat.

March 27, 2017

Mobile Safari scareware campaign thwarted

Today, Apple released an update to iOS (10.3) that changed how Mobile Safari handles JavaScript pop-ups, which Lookout discovered scammers using to execute a scareware campaign.

The scammers abused the handling of pop-up dialogs in Mobile Safari in such a way that it would lock out a victim from using the browser. The attack would block use of the Safari browser on iOS until the victim pays the attacker money in the form of an iTunes Gift Card. During the lockout, the attackers displayed threatening messaging in an attempt to scare and coerce victims into paying.

However, a knowledgeable user could restore functionality of Mobile Safari by clearing the browser’s cache via the the iOS Settings — the attack doesn’t actually encrypt any data and hold it ransom. Its purpose is to scare the victim into paying to unlock the browser before he realizes he doesn’t have to pay the ransom to recover data or access the browser.

Lookout found this attack in the wild last month, along with several related websites used in the campaign, discovered the root cause, and shared the details with Apple. As part of the iOS 10.3 patch released today, Apple closed the attack vector by changing how Mobile Safari handles website pop-up dialogs, making them per-tab rather than taking over the entire app. We are publishing these details about the campaign upon the release of iOS 10.3.

February 16, 2017

ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar

ViperRAT is an active, advanced persistent threat (APT) that sophisticated threat actors are actively using to target and spy on the Israeli Defense Force.

The threat actors behind the ViperRAT surveillanceware collect a significant amount of sensitive information off of the device, and seem most interested in exfiltrating images and audio content. The attackers are also hijacking the device camera to take pictures.

Using data collected from the Lookout global sensor network, the Lookout research team was able to gain unique visibility into the ViperRAT malware, including 11 new, unreported applications. We also discovered and analyzed live, misconfigured malicious command and control servers (C2), from which we were able to identify how the attacker gets new, infected apps to secretly install and the types of activities they are monitoring. In addition, we uncovered the IMEIs of the targeted individuals (IMEIs will not be shared publicly for the privacy and safety of the victims) as well as the types of exfiltrated content.

In aggregate, the type of information stolen could let an attacker know where a person is, with whom they are associated (including contacts’ profile photos), the messages they are sending, the websites they visit and search history, screenshots that reveal data from other apps on the device, the conversations they have in the presence of the device, and a myriad of images including anything at which device’s camera is pointed.

May 16, 2016

The house always wins: Takedown of a banking trojan in Google Play

Screen Shot 2016-04-25 at 8.03.58 AM

You always take your chances when you gamble, but with this Android malware, the odds are very much against you.

Lookout recently identified an app called “Black Jack Free” in the Google Play store, which turned out to be a variant of the malware family Acecard. The app has since been removed from the store. Because we previously issued coverage for this malware family months ago, all Lookout customers — individuals and enterprises — are safe. Non-Lookout customers who downloaded Black Jack Free ( should immediately remove the app from their device and change the passwords to their sensitive accounts. This malware also attempts to download and install a secondary app called Play Store Update (cosmetiq.fl). This app should also be removed.

November 17, 2015

InstaAgent: What it is and what you can do about it

Recently, news broke about a concerning app called InstaAgent. The app connects to the victim’s Instagram account and sends the user’s login credentials unencrypted to its servers.

Here’s what we know about the threat.

November 4, 2015

Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire

Auto-rooting adware is a worrying development in the Android ecosystem in which malware roots the device automatically after the user installs it, embeds itself as a system application, and becomes nearly impossible to remove. Adware, which has traditionally been used to aggressively push ads, is now becoming trojanized and sophisticated. This is a new trend for adware and an alarming one at that.

Lookout has detected over 20,000 samples of this type of trojanized adware masquerading as legitimate top applications, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp, and many others.

October 14, 2015

Breaking open South Korea’s government-approved children-targeted surveillanceware

In April of this year, South Korea began mandating that government-approved monitoring software be installed on smartphones used by anyone 19 years of age or younger. Unfortunately, one of the most widely-used, government-approved versions of this “monitoring software” actually left children’s data wide open to prying eyes.

Earlier this year, I participated in the Citizen Lab Summer Institute – a series of research workshops hosted in Toronto by Citizen Lab – and had the chance to collaborate with several researchers on this project that took a closer look at parental monitoring software used in South Korea.

September 20, 2015

Hundreds of millions of devices potentially affected by first major iOS malware outbreak

XcodeGhost is the latest example that iOS devices, indeed any device, can be subject to attack and that even a highly-curated app store can contain malicious apps.

Lookout Mobile Threat Protection customers are already protected from this malware and do not need to take any further action. For customers using our consumer mobile security solution more information is available here.

XcodeGhost is malicious code inserted into iOS apps using a tampered version of Apple’s Xcode that steals data from iOS devices. The malicious code stealthily made its way into over a number of applications in the Apple App Store without the developers of those apps knowing. Indeed, it’s the largest attack on the App Store we’ve seen to date.

July 1, 2015

Japanese malware abuses service helping the disabled use smartphones; spies on victims and steals LINE data

The accessibility service in Android helps give the disabled and individuals with restricted access to their phones alternative ways to interact with their mobile devices. It also has unintentionally opened the door for Japanese surveillanceware to steal data from LINE, the most popular messaging service in Japan.

After discovering this threat, Lookout notified both LINE and Google. None of LINE’s systems were breached. All Lookout users are protected against this threat.

March 18, 2015

13 more pieces of adware slip into the Google Play store


Unfortunately, even official app stores’ app-vetting systems are not perfect. Lookout has found 13 instances, or apps, with adware in Google Play, some of which pretend to be Facebook and have malware-like characteristics making it difficult to remove from the phone.

We alerted Google to these 13 instances and the company quickly removed them from the store. All Lookout users are protected against this threat.