Why GPS Location Leakage is not simply a malware problem: Flaws in legitimate apps continue to expose users to real time risks.

Authors: Jinjian Zhai, Tianfang Guo

Nasir al-Wuhayshi had a bounty of 10 million USD issued by the US State Department in October 2014, and was killed in a US drone strike in the Hadhramaut Governorate of Yemen on 12 June 2015.

Explaining the mystery of how al-Wuhayshi got pinned in a vast area of desert land mass, CNN reported : “This was more than just luck. … He got sloppy and moved in a way that he could be tracked. … Classified high tech gear makes the strike possible. Eavesdropping of cell phone and monitoring of social media by the intelligence community is at all time high.

According to CNN, eavesdropping on Nasir al-Wuhayshi’s cellphone disclosed his location, like something out of a 007 film. Mobile apps, especially social media applications, emerge as new sources of location intelligence.

Although this was an fatal example of the leakage of physical GPS metadata, the information was under the control of international law enforcement. You can imagine situations where the circumstances can evolve to be much worse had similar data been under the control of outlaws.

It seems similar privacy leakages aren’t as far off as Yemen. On June 17, Reuters reported large amounts of private data were stolen due to common flaws in application development: “Security researchers have uncovered a flaw in the way thousands of popular mobile applications store data online, leaving users’ personal information, including passwords, addresses, door codes and location data, vulnerable to hackers.

Below is an example of a leaked GPS location from a compromised android app.

com.songguo.hotel is a popular Android hotel booking app from Ctrip.com, one of the biggest online travel services in China. The version we analysed sent GPS locations to Baidu Map service without any user input. The data, accurate to a few meters, was captured en route in plain text.

The plain text of GPS location.


The high accuracy location of the user is fetchable by GPS coordinates:



GPS stealing behavior can be detected by the Trustlook Mobile Security platform and application with the name “StealBy.Socket“.




The malicious “StealBy.Socket” behavior in Trustlook Mobile Security app:




Apps leaking GPS data were discovered as malicious by Trustlook Mobile Security:



There are ways to avoid leaking GPS location, including disabling location sharing entirely. Sometimes such notification windows are absent, just like the app we studied in this blog. Consumers should rely on Antivirus applications to be sure of privacy protection from not only malware but the also risky behavior of legitimate apps.

Other data leaks- including password, photos, and medical data, will be further investigated and published in the future. Stay tuned…

To read the full report of the sample from the Trustlook Antivirus platform, please contact : support@trustlook.com

“The Clickers” – Zombie Malware that feed on the mobile ecosystem

Authors: Tianfang Guo, Jinjian Zhai; Special Thanks: Steven Chen

Last week, Trustlook exposed the Facebook credential phishing malware “Cowboy Adventure”. In the article we pointed out that phishing is one kind of behavior that is difficult to detect via an automated technical approach. This may be one reason it sneaked by the Google Play Store’s  “Bouncer” automated security check.

In this article, we will highlight several examples of Zombie malware on Google Play we very recently uncovered. These are Called  – “The “Clickers”.They commit another stealthy kind of malicious behavior, that  will likely be overlooked by automated analysis solutions.

“Clicker” is a malware that affects a large part of the mobile ecosystem creating fraud for the vendors, spamming the networks and exploiting the resources of user the community. This form of malware launches requests through Advertizing links. “Clickers” generate costly, false user traffic for advertisers, while draining the user’s battery life and consuming their monthly data plan bandwidth allowances. Everyone loses when a “Clicker” is unleashed.


Screen Shot 2015-07-13 at 3.46.01 PM

Screen Shot 2015-07-13 at 3.46.10 PM


The latest malware we detected is called “Best: Dubsmash”. It has no actual functionality other than a confusing UI. Most users are likely to spend some time to figure out what it does. In the mean time, let’s see what is doing in the background:

Screen Shot 2015-07-13 at 3.47.28 PM


Communicate a C&C server. This server will serve the target URL that needs users to click.

According to our test, this URL will give different URLs each time you refresh it. Most of the URLs are porn sites.

Screen Shot 2015-07-13 at 3.48.05 PM

Our behavioral analysis shows the Zombie requests are generated by using invisible webview calls, in a continuous 20s time interval. There goes the user’s battery life and bandwidth. data plan. Also it will (or rather should) create events on a properly monitored corporate network. Just what your SecOps team needs, right? More Spam remediation.

Screen Shot 2015-07-13 at 3.48.45 PM


As of Jul 13 PST 2:40PM, this app, as well as 3 similar “clickers” are still alive on Google Play. We already reported this issue to our colleagues at Google Play and will look forward to timely remediation.

Screen Shot 2015-07-13 at 6.50.16 PM

Meet the Most Successful Malware on Google Play: Nearly 1M Users in 4 Months

Authors: Tianfang Guo, Jinjian Zhai

How many users can a stealthy malware acquire after being published on Google Play? Hundreds? Thousands? We believe a new record has been established: 500k-1m downloads. This malware survived more than 4 months until the Trustlook research team uncovered it.

The holder of this dubious honor is a malware called “Cowboy Adventure”. It is a simple game made utilizing the popular 2D game engine “Platformer 2D”.  After careful analysis our team found a devious and scary reason behind its user growth.

Screen Shot 2015-07-02 at 10.49.50 AM
Screen Shot 2015-07-02 at 10.50.03 AM
Screen Shot 2015-07-07 at 4.37.06 PM


Beginning of the story

Days ago, we found some users are complaining about their Facebook accounts are abused, sending a game invite to all the friends. And most of them speak Chinese:

Screen Shot 2015-07-07 at 5.06.03 PMf493908d8528286f25d4a51818c8d45c-1

After analysis, we found the “Cowboy Adventure” is actually a phishing malware that forged into a game. It will forge a Facebook login, and collect users’ Facebook username/passwords. By spamming the victims’ friends, it spread virally. Moreover, the phishing behavior is committed “selectively”, only the IP address from Asia could trigger it.


The detailed analysis


Above is the fake Facebook login window. If you have basic knowledge about OAuth, you should know that no 3rd party could ask your FB account in this way.

The app is developed using Mono, the open-source, cross-platform implementation of Microsoft’s .NET Framework. The app’s code is written in C# and compiled to several PE dll files. We used the Telerik JustDecompile and ILSpy to decompile it.

The key code are from 2 dlls:

ThinkerAccountLibrary.dll – the component responsible for collect user information, including the Facebook accounts.
2015-07-06 22_39_50-ILSpy
CowboyAdventure.dll – the game’s code. Also it contains an entry activity that determines whether it pops up the phishing activity or not, based on user’s location.

Upon launching, the app will first communicate with a command & control server:
2015-07-06 22_38_07-ILSpy

The returning data will determine the app’s logic: directly start the game, or phishing the user via the fake Facebook login activity.

During our test, the return data is very tricky: the C&C server will determine whether to commit malicious behavior via the client IP. We tried access the URL using our IP in United States, the returning data is as follows, with the “LoginEnabled” value 0:
Screen Shot 2015-07-07 at 2.52.38 PM
In this case, the game will start without phishing.

However, if we access this URL via a proxy server from China Mainland, Hong Kong, Taiwan or S.E Asia, the return will be different:
Screen Shot 2015-07-07 at 4.04.55 PM

Note the “LoginEnable” value has changed to 1. In this case, the app will first pop-up the phishing activity. This probably a trick to delay the time it discovered by major Antivirus vendors outside Asia. (And it worked!)

Here is the our reversed engineered code showing its logic:
Untitled drawing -2-

The AppData class is for storing the data returned by C&C server. “LoginEnable” indicates whether to phishing, and “UrlHomePage” indicates the URL for submitting the users’ FB accounts.

As is shown below, in the apps main activity “HomeActivity”, the first activity shown to the user is decided by the value “LoginEnable”.

Cowboy2 -1-

After the phishing activity is popped up, and the victim input the Facebook account, the email/password will be sent to the URL specified in the C&C server’s returned JSON value “UrlHomePage”. The detailed logic is shown below:

Untitled drawing -3-

After the C&C server received the users’ Facebook account and password, we don’t know what exactly happened there. But we can guess: a automated script will use Facebook’s API to spread the malware among friend networks, attracting more and more victims.

Even at the time the author writing this article, there is ZERO AV vendor can detect this malware according to virustotal.com . The VirusTotal even gave a comment: “Probably harmless! There are strong indicators suggesting that this file is safe to use.”
Screen Shot 2015-07-07 at 3.02.31 PM
That is the story behind a “legendary” malware on Google Play, which infected nearly 1M phones in 4 months. According our analysis, there is no complicated technology used, just a little social engineering and a small trick to evade detection.


Some thoughts

We have to ask: what’s going wrong? The author’s opinion is as follows:

1. Mono is relatively a new development framework, thus good at evading analysis. This is not about difficulty, but cost-efficiency. As the Jar pack is still the majority of the Android threat source, few vendor integrates the Mono and C# code analysis into automated platforms.

2. Phishing is naturally difficult to detect via automated technical approaches. A phishing Facebook login activity has no difference to a normal login activity on code level. Only experienced human being can identify the forged images & layout.

3. The sneaky developer has set a location based triggering mechanism. This may fooled a lot of AV vendors outside Asia.

4. Some AV vendors have overly trust on Google Play. The slow reaction for AV vendors and the VirusTotal’s result is the best evidence. The app’s high-profile on Google Play might be a factor that made VirusTotal gave the “Probably harmless” comment. Also to our knowledge, some AV vendors gives more trust to the apps on Google Play during their automated analysis.


Update on Jul 9 3pm PST:

After more research, we found the conclusion of “the phishing only works for Asia IP” is incorrect. Now we found it actually affects anywhere except US and Canada.

Android Ransomwares: The Escalated Battle

Authors: Tianfang Guo, Jinjian Zhai

When talking about the cybercrime industry, “business model” is more important than the technology itself. According to Security Magazine Cybercrime is costing businesses more than $1,500 per employee annually. That’s a likely a drop in the bucket compared to how much ransomware pirates are extorting from business.

Last year, we published an article “Android Ransomwares – A True Threat or Bluffing”. Reviewing it today, most of the predictions in that article about the technologies used on Android ransomware have come true. Driven by profits, the ransomware makers have shelfed ethicsand laws, trying everything to force the victims pay money. According to the Mcafee lab, the number of ransomwarerequests have grown 165% in Q1 2015. [1]

How can businesses proactively repel Ransomware? Trustlookhas reviewed large amount of ransomware samples in the last few weeks and is building a solution. This article analyzes the ideas and technologies behind the ransomware as well as introducing TrustLook’s solution of detecting them.

Ransomware is best analyzed through 3 key metrics: how they block the normal usage of your phone; in what way they receive a payment from the victim; and how they spread themselves. We will categorize the ransomware by the first and foremost metric, how they block the normal usage, which consists of three classes or levels of harm of severity:

  • Class A: They will cause software level damage to your phone:impairing data, and/or gaining higher privileges to maintain controlling and commanding. These Android ransomware do, on phone, as what the traditional ransomware do on PC.
  • Class B: They will not cause damage or gain higher privilege, but cause trouble on the regular usage of the phone: E.g. popping up “NAG”[2] messages that keep on top of the screen. They can be fixed in an easier way than Class A ransomware.
  • Class C: They do not use any technology to block the usage, instead they rely on fraud information and social engineering to con victims. They are scam apps in natural than ransomware.

We will only discuss Class A and B ransomware in this article. All the malware mentioned in this article is now detected by Trustlook’s security solution.

Class A Ransomwares:

Sample name: Android Performance Enhance
Package name: tx.qq898507339.bzy9
MD5: cdc77f3dfabdea5c5278ac9e50841ff3


  • – Forged into an system enhancement app
  • – Cheat the user to authorize the device admin, including changing screen-unlock password and lock screen permissions.
  • – Lock screen with a password, victims are supposed to contact the author and make a payment to get the unlock password. We pretended to be the victim and contacted the author. He asked 50 RMB (~$9), via AliPay (China’s paypal).
  • – Cannot be uninstalled using ADB due to the device admin privilege
  • – Spread mainly in China, via Baidu “Tieba” (like China’s reddit) and cloud storage

Screen Shot 2015-07-07 at 10.30.59 PM
Ask for device admin

Screen Shot 2015-07-07 at 10.31.55 PM

Lock screen with a password

Remove Difficulty: 4.5 stars
Transmission: 3 stars
Creativity: 3 stars
Overall Severity: 4.5 stars


Sample name: PornPlayer
Package name: com.ayurvedic
MD5: f91b39614dae1aae69337662dd287949


  • – Forged into a porn video player
  • – Ask for device admin for self protection
  • – Encrypt media files using AES algorithm, difficult to recover the files unless intercept the key before it’s sent out
  • – Pop up an always on top window, ask payment for the unlock key
  • – Stealing phone contacts and call logs
  • – Cannot be uninstalled using ADB due to the device admin privilege

Screen Shot 2015-07-07 at 10.33.25 PM


Screen Shot 2015-07-07 at 10.34.19 PM

Our sandbox has clearly intercepted the suspicious encryption operation and the encryption key:

Screen Shot 2015-07-07 at 10.35.17 PM

Remove Difficulty: 5 stars

Transmission: 1 star

Creativity: 2 stars

Overall Severity: 5 stars


Sample name: Flash Player
Package name: com.android.locker
MD5: 645a60e6f4393e4b7e2ae16758dd3a11


  • – Forged into the Flash Player
  • – Ask for device admin for self protection
  • – Forged FBI surveillance message, pop up with an interval of 5s
  • – Ask for $300 via MoneyPak voucher code

Screen Shot 2015-07-07 at 10.36.20 PM

Screen Shot 2015-07-07 at 10.38.19 PM

Screen Shot 2015-07-07 at 10.41.18 PM

Remove Difficulty: 4 stars

Transmission: 2 stars

Creativity: 3 stars

Overall Severity: 4 stars

Class A ransomware summary:

They are one of the most severe type of malware on Android. Their logic is straightforward: block your phone usage, make sure you cannot recover by your own, then ask you “data or money”.

As Android ransomwares don’t have the privilege of their Windows equivalent, the device admin became a critical path for them to do the damage (wipe data, lock screen with password) and self protection – and some users have no idea what device admin is, what can it do and how to revoke it. Even for experienced Android users, they won’t be able to get into the “settings” app to revoke it if the ransomware pops up an always on top activity by applying the SYSTEM_ALERT_WINDOW permission. (or exploiting the device admin vulnerability http://seclab.safe.baidu.com/2014-10/deviceadminexploit2.html)

Even without device admin, the WRITE_EXTERNAL_STORAGE permission will allow the ransomware to encrypt the files on SD card, including the media files, as “hostage”.


Class B Ransomwares:

Sample name: Video Player
Package name: com.adobe.videoprayer
MD5: f836f5c6267f13bf9f6109a6b8d79175


  • – Forged into a video player
  • – Pops up a fake FBI surveillance message
  • – Set the activity always on top. Cannot dismiss using home/return button.
  • – Take photo at background as “evidence”
  • – Access the browser history
  • – Stealing the contacts, threat the user to send the “evidence of watch child pornography” to the victim’s contacts.
  • – Ask $500 via Paypal prepaid voucher card
  • – Send SMS at background to the victim’s contacts with the download link, to spread virally.

Screen Shot 2015-07-07 at 10.42.11 PM

Screen Shot 2015-07-07 at 10.44.06 PM

Screen Shot 2015-07-07 at 10.45.04 PM

Screen Shot 2015-07-07 at 10.48.09 PM

Our sandbox has intercept its background behaviors:

Screen Shot 2015-07-07 at 10.49.16 PM

Remove Difficulty: 3 stars

Transmission: 5 stars

Creativity: 4.5 stars

Overall Severity: 5 stars


Sample name: APK compiler
Package name: com.qq2395414390
MD5: f836f5c6267f13bf9f6109a6b8d79175


  • – Forged into a APK enhancement app
  • – Pops up a windows that always on top. Unable to dismiss using home/return button.
  • – Plays very loud sound. Embarrass the victim in public.
  • – Victims are supposed to contact the author and make a payment.
  • – Spread via “QQ Groupchat”(famous PC messenger in China)

Screen Shot 2015-07-07 at 10.50.32 PM

Remove Difficulty: 2 stars

Transmission: 3 stars

Creativity: 3 stars

Overall Severity: 3 stars



Class B ransomware summary:

The main idea behind Class B ransomware is “social engineering”, rather than technology. They usually use some sneaky ways to make users fear or embarrassed, and pay money.

Most of them will abuse the SYSTEM_ALERT_WINDOW permission, to pop up an always on-top window.

On the other hand, as they don’t have device admin and file encryption, they can be easily killed by a single “adb uninstall” command by an experienced Android user. If their tricks are unveiled.



[1] http://www.mcafee.com/us/about/news/2015/q2/20150609-01.aspx

[2] https://en.wikipedia.org/wiki/Nagware