BSides Las Vegas: Your Droid Has No Clothes

Update: Here is the presentation Allan and I had at BSide conference last week.


If you’re going to be at BSides Las Vegas, come to see Allan Zhang ( Trustlook founder and CEO ) and Mike Murray (Trustlook advisor and managing partner of the Hacker Academy). We talk on Wednesday, July 31 at 5:30PM.

When Allan started talking to me about potentially doing this talk with him, we were going to do it as a completely “Undgerground” session at BSides because of the demonstration we wanted to do.   We’re going to get up on stage and show precisely how easy it is to create malware for Android devices that will go undetected by the major app stores, as well as by the security products on the market today.

It’s always fun to be able to do a talk at a security conference that has a really cool demo.

Rather than stay underground, though, we decided to put our names on it.  It’s going to be a fascinating talk where we show the ins-and-outs of what advanced Android malware and Android-based APTs are using to gather and exfiltrate data from phones.


More update:

Here is a app store risk report  we released during BSIDE talk which is based on applications analyzed since we released our beta version one week ago.  From the chart below you can see, Google Play is the safest store and there are 3.15% applications in Google Play market is leak user privacy data or malicious purpose. And 91 app store which is the largest app store in China which is the most risky app store and there are 19.70% of the applications from 91 app store are leak user privacy data or malicious purpose.





Note: As trustlook platform is still in beta testing, there maybe some bugs in our software which could cause false alert during analysis.


Malware Demo


For the demo of malware, I written five demo malware on the flight to Las Vegas and here they are:


1. Steal user’s phone number and send it to external server ( without user confirmation. Here the user’s cell phone number just an example of the privacy data which could be your pictures, SMS, Files, Videos or account information.  This demo has already bypassed all vendors detection include the major antivirus vendors and Google Play Market. Here is the detection result of Trustlook platform,

Screen Shot 2013-08-05 at 10.08.36 PM


2. The second demo case, It has been changed a little bit to steal partial data of user’s phone number (“727”).  The malware itself may chunk your phone number into several chunks and steal one at a time. For sure it bypass all vendors detection except trustlook. Here is our detection result.



Screen Shot 2013-08-05 at 10.13.48 PM

3.  The 3rd demo case, I changed to steal one digit at a time, I do not expect any vendor can detect this. Here is trustlook’s detection result.



Screen Shot 2013-08-05 at 10.15.57 PM

4. If you think this is still not crazy, let’s try the 4th demo case, steal AES encrypted phone number and send it to external server directly when you start the application.  It is impossible for existing antivirus vendors to detection the data leak, but once again trustlook platform catch the risk.



Screen Shot 2013-08-05 at 10.18.01 PM


5. The last Demo case is to steal multiple round AES encrypted phone number which we did not expect any vendors can detect it. We just want to challenge our platform itself. Here is the detection result from


Screen Shot 2013-08-05 at 10.22.37 PM