December 1, 2016

Ghost Push and Gooligan: One and the same

You may have seen headlines about a new family of malware called “Gooligan.” This is not actually a net new malware family, but rather it’s a variant of the family “Ghost Push,” a threat first discovered in 2014. Lookout customers have been protected against this threat since then.

Google released a blog post on the threat called “The fight against Ghost Push continues.” In it, the company reveals that it has been tracking the malware and acknowledges a problem anyone, especially enterprises, should be watching for: malware evolves and becomes more sophisticated over time.

November 22, 2016

Business travel: The mobile risks to your corporate data

The holidays bring a season heavy with travel plans. That might include your employees.

Lookout Chief Product Officer Santosh Krishnan recently published an article in Help Net Security that outlines the potential mobile risks to your corporate data while your employees are on the go.

Krishnan specifically addresses targeted attacks, such as the Pegasus malware; network attacks, such as man-in-the-middle attacks; the rare but concerning “juice-jacking” attack; and other things to consider.

He also discusses how to keep your corporate data safe. The bottom line? Make sure you can remotely:

  • Detect and remediate mobile malware
  • Detect and remediate compromised operating systems
  • Detect and remediate network-based man-in-the-middle attacks.

Read it on Help Net Security today and share with any of your employees who may soon be headed out of town.

November 2, 2016

Trident vulnerabilities: All the technical details in one place

Today, Lookout is releasing the technical details behind “Trident,” a series of iOS vulnerabilities that allow an attacker to remotely jailbreak a target user’s device and install spyware.

In August, Lookout, in conjunction with Citizen Lab, discovered “Pegasus,” a sophisticated piece of mobile spyware used by nation state actors to surveil high-value targets. The so-called “cyber arms dealer,” NSO Group created the spyware, which, at the time, relied on the three Trident vulnerabilities to remotely and silently compromise a device. Lookout and Citizen Lab worked directly with Apple to close the holes and cripple this attack vector used by Pegasus for the compromise.

In the process, Lookout and Citizen Lab also identified a related vulnerability in Mac OS, which Apple quickly patched as well.

Below you can find the full technical details behind the vulnerabilities. Want more background on the Pegasus malware? Microsoft noted in a blog, “Many security firms described it as the most sophisticated attack they’ve seen on any endpoint.” Check out our coverage of the Pegasus attack and Trident vulnerabilities, including our original technical report and analysis for CSOs and CIOs.

November 1, 2016

DirtyCow and Drammer vulnerabilities let attackers root or hijack Android devices

Two especially critical flaws that allow an attacker to root or completely compromise a device have just been added to the litany of vulns on Android devices.

The vulnerabilities are known colloquially as DirtyCow (CVE-2016-5195) and Drammer (CVE-2016-6728). While they are unrelated, they both represent a real risk to Android users, as individuals have already published proof-of-concept exploit code online for both vulnerabilities, thus minimizing the time attackers would need to understand and develop their own exploits from scratch. Additionally, industry researchers have already seen attackers using DirtyCow to exploit Linux-based systems in the wild.

October 10, 2016

Google Android security bulletin October 2016: remote code execution vulns continue

The October Android Security Bulletin contains 78 patches for Android devices — 23 more than last month, and the third-highest count since Google started releasing the monthly patches. The release reveals more remote code execution (RCE) vulnerabilities, which could allow an attacker to take over a device while requiring very little interaction from the victim.

Given the fragmentation of Android, and the slower patch cycles for these devices, mounting RCE issues could spell trouble for individuals waiting for patches and companies whose employees use Android devices.

This is likely one of the reasons why Google is starting to put more pressure on its partners to update Android devices more frequently.

September 21, 2016

Enterprises: Only paying attention to big-name hacks? You may be missing the point

Security professionals are more likely to pay attention to breaches if the companies being breached already have recognizable names.

Seems like common sense. You see a headline that says, “Target point of sale technology hacked,” you’re much more likely to pay attention than, “Hospital in Kentucky suffers from ransomware attack.” Unless you live in Kentucky.

Security teams that do this, however, might be missing the big picture of how broad security incidents are and how they don’t just impact top names — everyone is at risk.

September 16, 2016

Four spyware apps removed from Google Play

We identified the Overseer malware in an application that claimed to provide search capabilities for specific embassies in different geographical locations.

Through close collaboration with an enterprise customer, Lookout identified Overseer, a piece of spyware we found in four apps live on the Google Play store. One of the apps was an Embassy search tool intended to help travelers find embassies abroad. The malware was also injected as a trojan in Russian and European News applications for Android.

Google promptly removed the four affected apps after Lookout notified the company. All Lookout customers are protected from this threat.

Current variants of Overseer are capable of gathering and exfiltrating the following information:

  • A user’s contacts, including name, phone number, email and times contacted
  • All user accounts on a compromised device
  • Basestation ID, latitude, longitude, network ID, location area code
  • Names of installed packages, their permissions, and whether they were sideloaded
  • Free internal and external memory
  • Device IMEI, IMSI, MCC, MNC, phone type, network operator, network operator name, device manufacturer, device ID, device model, version of Android, Android ID, SDK level and build user
  • Whether a device has been rooted in one of several ways

September 8, 2016

Former CSO of AT&T, Dr. Edward Amoroso, talks mobile attackers and how enterprise security teams should innovate

Dr. Amoroso is a former SVP and CSO of AT&T. He is currently on the board of M&T Bank and the CEO of TAG Cyber, which has just released the 2017 TAG Cyber Security Annual, a comprehensive reference guide for cyber security professionals.

September 2, 2016

Pegasus and Trident: Your questions answered

Since Lookout first announced our discovery of the Pegasus attack and Trident vulnerabilities in partnership with Citizen Lab, we’ve received many clarifying questions from security professionals. In this series we’re answering the top queries we’ve received to help you better understand the facts around this unprecedented mobile threat.

Pegasus is a highly sophisticated piece of spyware that uses three previously unknown vulnerabilities called “Trident.” When strung together, these three vulnerabilities would allow an attacker to break out of the browser sandbox, jailbreak the device, and install the spyware. From there, the spyware can turn on the camera and mic, intercept text messages, and alter the existing apps on the device to spy on any encrypted or unencrypted data.

This is the most sophisticated mobile attack we’ve seen yet and marks a new era of mobile hacking.

In order to keep you informed about this ongoing, and concerning problem, we’ve pulled together answers to the top questions we’re receiving from security professionals.

Consider this your official hub for all things Pegasus and Trident. Read on.

September 2, 2016

So, you heard about Pegasus and Trident. Here’s what you should do now

Get an in-depth walk-through of this attack in this webinar by Lookout Vice President of Security Research Mike Murray.

Since Lookout first announced our discovery of the Pegasus attack and Trident vulnerabilities in partnership with Citizen Lab, we’ve received many clarifying questions from security professionals. In this series we’re answering the top queries we’ve received to help you better understand the facts around this unprecedented mobile threat.

Today’s question: What do I need to do next?

The Pegasus attack is the most sophisticated piece of mobile spyware ever seen. With just a single tap on a seemingly important text message it has the capability to cause catastrophic data loss to a targeted individual or organization, completely compromising all communications from a smartphone — messages, calls, emails, passwords, logs, and more from apps including Gmail, Facebook, Skype, WhatsApp, Viber, Facetime, Calendar, and others. Pegasus can even intercept data from end-to-end encrypted applications.

The relative ease and stealth with which this attack can infect a device, combined with the catastrophic data loss it causes, means that CIOs and CISOs need to be reacting to the Pegasus attack now to prevent further damage.