Privacy Defense Battle from Google Play Apps


Author: Tianfang Guo, Jinjian Zhai

According to our recent scan of the Google Play Store, a list of more than 400 apps have been detected as containing potentially risky behaviors that compromise a user’s privacy. The Trustlook Mobile Security & Antivirus security database includes this latest list for your protection. The detailed analysis can be found in a separate blog to be released. The full list of apps can be found here.

What will happen if I install one of these apps?

All these apps contain risky behavior:sending sensitive information, including phone numbers, contacts, SMS, photo gallery and geolocation, without the user’s specific knowledge. Once the apps’ vendors have collected this data, it could be used for adware network identification or sold to other firms.[1]

Are they malware?

Not exactly, as most of them are not built for malicious purposes, per se. Yet they do use Google Play’s policy corner case (GP developer policy). Furthermore, some of the apps have a user base of more than 10M, which creates a privacy risk greater than most viruses.

What can you do to protect your phone?

When you open one of the apps in the list, you should be aware that some of your personal information can be collected. Try to find an alternative app or do not open them unless it’s absolute necessary.

How does Trustlook discover them?

Trustlook built a cloud-based crawler system which efficiently mines data and collects APKs from various app markets in multiple countries. Once collected, apps are analyzed by behavioral analysis engine to expose the questionable behavior.

Unlike most Antivirus software, Trustlook does not only simply analyze the apps statically, but runs them in a native environment to best monitor dynamic behavior A detailed analysis is generated with highlighted behavior and potential use case security risks.

In this sample, the contact list is captured by the app, and sent to a remote server:

Screen Shot 2015-04-22 at 5.20.59 PM

What’s more, Trustlook’s analytics platform has implemented a cutting edge “taint analysis”, which captures all sensitive data flow in the memory, and detect the risky behaviors as soon as the sensitive data appears in the outbound traffic. Such techniques can detect any new malware and 0-day attacks ASAP, protecting Trustlooks users privacy in a timely manner.

The next risky apps report will be released soon, so stay tuned!


Trustlook Antivirus & Mobile Security Ranked Top In AV-TEST With Best Score

Achieving 99.9% Malware Detection Rate, Zero False Alerts and Usability & Protection Score of 6.0/6.0 in March 2015 Benchmark Testing


Trustlook earned a top score in AV-TEST benchmark testing in March 2015 with its popular Android security application Trustlook Antivirus & Mobile Security ( After analyzing a comprehensive set of 3077 malicious apps and 2784 legitimate apps and software, Trustlook joined the winners circle again with a 99.9% detection rate, zero false alerts and full marks of 6.0/6.0 in all categories.


AV-Test benchmark testing continues to demonstrate a need for mobile security on smartphones, evaluating products for protection, performance and usability. Trustlook Antivirus & Mobile Security demonstrated the strength of its malware detection engine with full scores in all categories, without impacting the performance of the mobile device or its battery.


“Accurate, real time malware detection is key to protecting every mobile device user,” commented Allan Zhang, Trustlook CEO. “We make every effort to discover potential risks in phones as well as improve the user’s experience. Thanks to our automated malware analysis platform, Trustlook quickly delivers more accurate and comprehensive app analysis reports.”


Trustlook provides a quick security response to data breaches and malware exploits through comprehensive behavioral analysis, closing the vulnerability gap between the time of malware detection and when a device is compromised.Recently, Trustlook recognized the “Fake Amazon Giftcard” malware in 2 minutes, while 81% of antivirus programs missed it even after 24 hours.


AV-TEST GmbH is an independent supplier of services in the fields of IT Security and Antivirus Research, focusing on the detection and analysis of the latest malicious software and its use in comprehensive comparative testing of security products. please visit

Innovative Malware Survived 6 Months on Google Play

Authors: Tianfang Guo, Jinjian Zhai

Days ago, Lukas Stefanko from ESET discovered a new Remote Access Tool (RAT), which was disguised as a music app, and uploaded to Google Play.


Once a victim installed it, the RAT could be activated by a remote attacker’s command at any time, and complete a series of malicious behaviors, including:

  • Retrieving call log/contacts/SMS/location
  • Uploading/downloading/removing arbitrary files
  • Sending SMS to subscribe fee-based services
  • Turning your phone to a spy camera

What makes this RAT special is, it used Baidu’s push notification service for the command & control, instead of using a command & control server and HTTP traffics.

The notification service on Android is implemented by a 3rd party service provider, Google Cloud Messenger(GCM) is the the most commonly used one, which is free, and used by millions of apps. While Baidu’s Cloud Push service is the Chinese version of GCM (as the latter one is not accessible in mainland China). Apparently, the hacker has bet on Baidu won’t interfere with his business.

Using the notification service for command & control is quite a new way for a RAT, for those advantages:

  • No need for server side – Baidu’s server will take care of everything, from command console to push service.
  • Hard to be detected – Network traffic has no difference from normal push notifications

The developer console of Baidu cloud, which allows pushing a notification to any registered devices without writing a single line of code.
Screen Shot 2015-04-07 at 4.29.47 PM

The control procedure is as follows:
Untitled drawing

The RAT handling the commands sent via notification:
Screen Shot 2015-04-07 at 4.21.16 PM

Also we found the developer has leaked his Baidu Secret Key, bad practice!
Screen Shot 2015-04-07 at 4.21.58 PM

Despite the Elven Path Blog, this app has been on Google Play for nearly 6 months, and still be able to download from some 3rd party app markets. The submission record on VirusTotal in Oct 2014 is highly possible to be submitted by the malware writer as a pre-release experiment of the malware detection by AV products. And no Antivirus could detect it at that time due to the lack of behavioral based mobile threat protection solutions.
Screen Shot 2015-04-07 at 4.24.04 PM

A successful disguise and innovative communication channel, that’s how a malware could survive for an impressively long time. We’ll keep watching for this kind of threats, and update via our blog.

Special Thanks to Steven Chen for providing us the sample.