Lookout Blog

March 12, 2014

Lookout Open Sourced Its “Private Parts,” You Should, Too

Goodbye, terrible, jargon-filled, tiny-font legalese we like to call a privacy policy. Today, we’re launching Private Parts, an open-sourced, customizable toolkit to help developers implement visual, user-friendly privacy policies. And yes, you can use it today.

Instead of a mystifying wall of text, we wanted to create broad industry change and transform privacy policies into a clear, simple design that uses visual cues to allow users to understand how an app collects and shares their data.

To make it as easy as possible for developers around the world, we open sourced the code, which can be easily accessed on Github. In order to create a visual privacy policy with our code, it only requires five simple steps and in less than an hour, developers can have a customized visual privacy policy format installed and running on any of their apps. Any developer can customize the content, look and feel of their own privacy policy from a single JSON file using our toolkit.


Read More

March 6, 2014

Dendroid malware can take over your camera, record audio, and sneak into Google Play


Remote access trojans that let criminals spy on you are a nasty issue, but when you find one in the Google Play store, it sounds off some alarms.

This week, researchers found Dendroid, a custom “Remote Access Toolkit” (RAT) for Android targeting customers from Western countries, and yes, it breached Google Play. A RAT is a type of malware that is used to remotely control the devices it is installed on. The toolkit is being sold for $300 to anyone who wants to automate the malware distribution process. The creator promises that the malware can take pictures using the phone’s camera, record audio and video, download existing pictures, record calls, send texts, and more.

All Lookout users are protected from this threat.

Read More

February 27, 2014

“Embrace complexity, deliver simplicity” John Hering gives Mobile World Congress keynote

Lookout’s CEO, John Hering, took the stage at Mobile World Congress in Barcelona this week to deliver a keynote speech to a packed room with over 1,000 people in attendance.

“Four years ago, when I first came to Mobile World Congress, Lookout was 10 hackers in a loft, now we’re 50 million users worldwide,” John Hering said as he shared the story of Lookout’s growth.

“But that was just the launch pad…

“Fast forward four years later and you’ll see we’ve built a novel security technology company, partnered with some of the largest telecom operators in the world and our product is loved by consumers worldwide.

“How did we get here?”


John conveyed to the Mobile World Congress audience that Lookout has succeeded because of the great people that make up the company, a distinct culture and a passion for solving problems.

“Sure, we’ve had to make some tough decisions on the way to success, but it’s the hacker mentality that has allowed us to turn innovation into success.”

You can watch the video stream here to hear it from John first-hand.


February 26, 2014

Attorney General Harris Helps Businesses in Lookout’s Home State Increase Security

Prominent businesses and organizations from Target to Yahoo! to The New York Times have fallen victim to security breaches and hacking incidents; they are often targeted for the mounds of valuable corporate and consumer data they store. No matter what size, every business needs a comprehensive security strategy in place. Attorney General Kamala Harris collaborated with Lookout and the California Chamber of Commerce to provide actionable recommendations for small businesses to mitigate cyber risks.


The report, Cyber Security in the Golden State, comes on the heels of a nationwide initiative to combat cyber attacks. Large enterprises can devote large sums of money to fight cybercrime, but cyber threats are not just a problem for large businesses. In fact, many attacks are aimed at small businesses. The report provides big company best practices to small business so they are equipped to prevent and respond to cyber security issues.

Read More

February 20, 2014

2013: Made-to-Measure Malware and the Battle Against Adware

2013 was a year of changes in the world of mobile malware. Mobile threat campaigns became increasingly targeted as the criminals that operate them adapted their practices to maximize profit and operate in a less detectable way. In places where regulation is tough, they identified different ways to operate, often dropping more traditional monetization strategies like premium rate SMS fraud and leveraging “grey area” tactics that are actually legal.


Read More

February 14, 2014

Security Alert: A Flap Over Fakes


Sadly, this week Flappy Bird, the latest game addiction for millions, fell victim to attackers who exploited the games popularity by injecting Trojans in fake versions of the extinct app. The malicious variants belong to several different families of malware previously identified by Lookout, which means all Lookout users have been protected. These Trojans enable the bad guys to generate revenue by requiring payment after game play, through malicious advertising networks, and via basic SMS fraud.


Read More

February 7, 2014

Better Safe Than Sorry: Tips to Protect Your Mobile Device at Sochi

It has taken 7 years and an unprecedented $51 billion dollars to prepare Sochi, Russia’s traditional summertime seaside resort for the 2014 Winter Olympics. Russia is deploying the biggest security force in the games’ history and the U.S. and other countries are also sending security teams of their own. Despite these precautions, Russia’s cybercriminals are already preparing for the Sochi Olympics.

Cybercriminals have a history of exploiting global high profile events. The Beijing Olympics is a great example where cybercriminals created fake websites that mimicked the legitimate event. Russian cybercriminals, in particular, are known to be highly experienced at this, and consequently US CERT is already issuing warnings about what to expect.

NBC’s news investigation into Russian malware at Sochi claimed that Sochi visitors would be targeted and their devices would likely be compromised within a matter of hours. Our perspective is slightly different. While it’s true Russia is a high risk environment, this doesn’t mean that you will be hacked the moment you step off the plane. In fact by just following a few common sense recommendations we believe that everything will be OK.


Read More

January 17, 2014

CES 2014 Through the Eyes of a Hacker

Connected things were in full force at CES 2014 and there was plenty of evidence that the Internet of Things (IoT) is upon us. Devices like Toshiba’s smart mirror and a slew of new intelligent robots spanned the showroom floor. Connected things were literally everywhere – and so were their sensors.

Untitled drawing (3)

Among the many connected things, was a section dedicated to medical devices, and unsurprisingly more than half of these were connected. I found no less than a dozen connected devices designed to manage diabetes, a handful of devices that track your medical history and literally hundreds that monitor your vital signs. We should anticipate that this data is going to be collected and that some of its uses may surprise us.

During CES 2014, Jim Farley, Ford’s Executive VP of Global Marketing Sales said, “We know everyone who breaks the law, we know when you’re doing it. We have GPS in your car, so we know what you’re doing. By the way we don’t supply that data to anyone.”

Jim Farley’s statement came as a shock to many consumers who are unaware of the data being collected and stored. Clearly informing users about data collection and how that data will be managed is going to become one of the great challenges facing the IoT.

In order to understand this gap between traditional safety features and digital safety, I spent some time asking a sample of key vendors a handful of basic questions about the security baked into their products, including the types of data being collected and what steps were being taken to protect that data.

I scored these companies based on the quality of their responses: Does the answer make sense? Does the answer reveal that they’ve given some thought to solving the problem? Below are the questions I asked and the results I collected.

  1. Can you describe the safety features in your product?
  2. Can you tell me how your product is secured against hackers?
  3. What data do you collect & where do you store it?
  4. How do you protect this data from hackers?

Screen Shot 2014-01-17 at 4.00.19 PM

Read More

December 23, 2013

Update: Beware Geeks Bearing Gifts – How the Latest iPhone Jailbreak is Actually a Trojan

A new iOS 7 Jailbreak was released this week by the team known as Evad3rs and it’s considerably one of the most talked about releases. Considering that the last jailbreak took nearly 6 months* to develop, something that immensely frustrated many wannabe jailbreakers, it’s not surprising that this pre-Christmas gift caught everyone’s attention.

However, this latest release from the Evad3rs jailbreaking team is a significant departure from their usual jailbreaks. Unlike any of its predecessors, Evasi0n for iOS 7 includes hidden code from a third-party Chinese vendor. Furthermore, that code has been heavily obfuscated in order to resist analysis and tampering.

Read on for our initial analysis of this jailbreak and why we consider it to be be a risky proposition.


Read More

December 19, 2013

Security Alert: Shoot the Bulk Messenger

Executive Summary

With texting the national pastime, text messages are cheap and unlimited plans abound. But what can you do with all of the unused text messages left over from your plan? We’ve uncovered a rascally bulk SMS network, Bazuc, that lures in Android users by promising a ‘free money’ payout if a user allows the network to access their unused SMS messages. The app Bazuc was available in the Google Play Store and downloaded between 10,000 to 50,000 times, but this is likely the tip of the iceberg. The author claims to register 100 downloads of the app per hour, indicating that there may be plenty more third-party store downloads.

Free money is never free though, is it? Once you’ve downloaded the app, Bazuc can be used to send virtually untraceable SMS messages in bulk, which look like they came from your phone. In fact, they did come from your phone. The authors of Bazuc are charging companies to have users send out these cheap SMS messages on their behalf, helping the companies bypass spam detection and automated anti-fraud systems. This operation is putting personally identifiable information at risk, exposing targeted users to phone calls and SMSs from unknown people, and swindling operators out of money.

With so much at risk, Lookout investigated the SMS network and found a coterie of players wittingly and unwittingly involved in the ploy. These include bulk messaging providers, phishers, foreign spammers, American and African banks and smartphone owners. Read more as we dissect Bazuc, its authors, operations, the monetization strategy and the end game. We are rolling out protection to Lookout users as we speak.

What is Bazuc?

Bazuc is a pair of applications: “Bazuc Earn Money” and “Bazuc Free International SMS.” On the face of it, the “Bazuc Earn Money” app offers people an interesting proposition: the chance to sell the surplus of SMS messages that remain in their monthly quota after they have used their normal monthly amount. The “Bazuc Free International SMS” app uses the SMS allowance purchased by “Bazuc Earn Money” to enable users to send free SMS messages internationally.

At least that’s what the Bazuc Earn Money website suggests.


“Bazuc earn money” offers users $0.001 per message, and while the math won’t make you rich, many people will see this as “free money.”  Bazuc’s FAQ section suggests that you could earn $30. (But that means a person would need to send 30,000 messages from their phone a month.)

“We will pay you $0.001 per SMS that is sent through your phone, so you can earn up to $30 monthly for doing absolutely nothing but installing “Bazuc Earn Money on your Android phone.”

Free messages in bundle: 5,000

Normal monthly SMS usage: 2,000

“Surplus” messages to sell: 3,000

Likely potential monthly earnings 3,000 x $0.001 = $3.00


Read More