Lookout Super User of the Month: Jeff Richmond

lookout September 1

We have received an overwhelming number of stories from our users telling us how Lookout has protected their smartphone. To honor you, our best users, we are continuing our series to highlight one Lookout “Super User” every month. We are very excited about our super user this month who was even featured on the Fox 12 Oregon news! If you’ve got a great story to share with us, please email us at superusers-at-mylookout.com.

Lookout Super User: Jeff Richmond

Name: Jeff Richmond

Occupation: Attorney

Location: Wilsonville, Oregon

Lookout User Since: November 2009

Device Type: Motorola Droid

Favorite Lookout Feature: Backup of personal data

What do you use your phone for? Managing both work and personal emails, viewing social networks and reading the news

What are some other apps that you can’t live without? Twitter, Google Maps, Facebook

How Jeff Found Lookout

Jeff came across the Lookout application while browsing the Android Market for the most popular apps. He had just gotten the newest Motorola Droid and it was his first smartphone so he was eager to download apps for it. He saw that Lookout had a very high star rating and read through the Market description. Intrigued by all of the useful features that Lookout offered, Jeff decided to download Lookout and try it out for himself.

What Jeff Loves About Lookout

Initially, Jeff downloaded Lookout for the whole set of features, but he especially liked the anti-virus scans because he felt safe knowing that Lookout scanned every application he downloaded onto his Droid. After using Lookout for a few more months, though, his favorite feature quickly became the ability to back up photos and contacts.

How Lookout Saved the Day

In December of last year, Jeff and his wife were in their home in Wilsonville, OR about to turn in early for the night. After checking through their mail and placing their cell phones in their charging station in the kitchen, Jeff and his wife went to bed. Around 10:30 that night Jeff thought he heard noises downstairs, but since their golden retriever did not react like he had heard noises as well, Jeff chalked the sounds up as a figment of his imagination. He and his wife woke up the next morning to find that burglars had broken into their house and stolen both of their laptops, cell phones, car keys, his wife’s purse, and his work bag.

After calling the police and reporting the incident, Jeff and his wife proceeded to cancel all their credit cards and got new cell phones. That night, when he installed Lookout on his new Droid, Jeff was reminded that he had the Lookout application installed on his stolen Droid phone. Jeff went onto myLookout.com and logged into his account. He quickly saw that a few new pictures had been uploaded to his account. It appeared that the burglars who had broken into his house had snapped a few photos of themselves with his Droid camera back at their apartment! Jeff submitted the photos to local law enforcement, one of whom recognized the thief in one of the pictures. The police officers found the suspect with Jeff’s stolen jacket and deemed that probable cause to arrest the thief. Jeff was lucky to get his jacket and keys (house, car, mailbox, etc.) back, but unfortunately the laptop computers and cell phones were still missing.

Months later, Jeff received an email notification from Lookout saying that his phone had been located. He remembered that he had attempted to locate the stolen phone back in December, but the phone was not responding to Lookout. When he went online to check his myLookout account again, he saw that his old Motorola Droid phone had been reactivated with a new phone number and, using the Lookout locate feature, found that it was in another town nearby! Jeff again turned over this information to law enforcement. Though the investigation is still ongoing, Jeff was grateful that Lookout was able to help him in his investigation to get his stolen property back!

Moral of the Story

“I’ve told all my friends and neighbors about this app and it was the first app they downloaded because they wanted to be protected. I recommend anyone who gets a new phone to download this app before they do anything else.”

Do you have a story to share?

Big thanks to Jeff for sharing his awesome story with us. Do you have a super story to share about Lookout? Has Lookout helped you find your lost phone in a trash can, catch a thief, or avoid downloading a bad app? If so, we would love to hear from you! Send your mobile memoir to superusers-at-mylookout.com. If we select your story, you will receive an exclusive Lookout Super User t-shirt and get featured on our blog. Start sending those stories in!

Malware from Computers Spreading Through Smartphones

lookout August 31

A recent report by Panda Security found that 25 percent of new worms in 2010 were designed to spread via USB storage devices connected to computers. We, at Lookout, have observed that the types of viruses spread through USB or storage devices can also spread via smartphones. As a result, we have taken steps to protect against this propagation.

Phones are often overlooked as a type of storage device. In fact, any device that can store information (external hard drive, flash drive, MP3 player or even DVD player) can carry a virus without the user’s knowledge. Because phones hold a lot of information, they, too, are susceptible to acting as a “carrier” and transferring viruses from one computer to another. From what we’ve seen so far, the PC malware doesn’t directly put your phone at risk: the phone is merely the carrier, and because the malware was written for PCs, smartphones appear to be immune to these viruses themselves.

How it happens: When someone plugs their smartphone into a computer that has been infected with a virus, the virus can be transferred onto the smartphone and then act as the carrier to infect any other computer to which the phone connects. So, for example, if your home PC has a virus and you connect your smartphone to it, and then bring your phone to work and connect to your work PC, you have just infected your work PC with that same virus.

Some examples of PC viruses we’ve seen on smartphones include the Mariposa botnet that was discovered to be preloaded on Vodafone Android phones earlier this year, as well as instances of the PC virus Win32/Hamweq.A.

How to Stay Safe:

  1. Only connect your phone to a computer that you trust. For example, if you are on a public computer at a library, internet café or airport kiosk, avoid connecting your phone to the computer.
  2. If you need to use your computer to charge your phone, pay attention to the settings to ensure that you do not activate the phone to act as a “USB device.”
  3. Have up-to-date security software running on your computer. Consider installing security software on your smartphone as well. We’re partial to Lookout, which currently warns users of any autorun files present on the phone.
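The third tip, worked through as an added example in Python (not Lookout's code): a defender-side check that walks a mounted phone storage volume and reports every `autorun.inf`, together with the programs its `open`, `shellexecute` and `shell\...\command` keys would launch on a Windows PC. The sample storage tree and autorun file are constructed for the demo.

```python
import configparser
import os
import tempfile

# Keys under [autorun] that make Windows launch a program when the volume is
# mounted or opened; "shell\<verb>\command" keys do the same via the context menu.
EXEC_KEYS = ("open", "shellexecute")

# Constructed sample autorun.inf, shaped like the ones USB worms drop (not a real one).
SAMPLE_AUTORUN = """; constructed sample for the demo
[autorun]
icon=%SystemRoot%\\system32\\shell32.dll,4
open=RECYCLER\\launch.exe
shell\\open\\command=RECYCLER\\launch.exe
shell\\explore\\command=RECYCLER\\launch.exe
label=Droid
"""


def parse_autorun(text):
    """Return the (key, value) pairs in [autorun] that launch a program.

    autorun.inf is a case-insensitive INI file; interpolation is disabled so
    '%SystemRoot%' style values do not trip the parser, and strict=False tolerates
    the duplicated keys that hand-written or worm-generated files often contain.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return []
    launchers = []
    for key, value in cp.items("autorun"):
        is_shell_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_shell_cmd:
            launchers.append((key, value.strip()))
    return launchers


def scan_storage(root):
    """Walk a mounted storage root (e.g. a phone's SD card exposed over USB mass
    storage) and report every autorun.inf found, with the programs it would launch.
    A file that cannot be parsed is still reported, because that is itself unusual."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "autorun.inf":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                try:
                    launchers = parse_autorun(fh.read())
                except configparser.Error:
                    launchers = [("unparseable", "")]
            report.append((path, launchers))
    return report


def has_autorun_launcher(report):
    """True when any autorun.inf on the volume would launch a program."""
    return any(launchers for _path, launchers in report)


def build_sample_card():
    """Lay out a constructed phone-storage tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="sdcard_")
    os.makedirs(os.path.join(root, "DCIM"))
    os.makedirs(os.path.join(root, "Music"))
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "DCIM", "IMG_0001.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # JPEG magic only; a stand-in for a photo
    with open(os.path.join(root, "Music", "AUTORUN.INF"), "w") as fh:
        fh.write("[autorun]\nlabel=Music\n")  # harmless: label only, no launcher
    return root


if __name__ == "__main__":
    card = build_sample_card()
    for path, launchers in scan_storage(card):
        status = "WARNING" if launchers else "ok"
        print(f"{status}: {path} -> {launchers}")
```

A label-only `autorun.inf` (as a music player might write) is reported but not flagged, so the check distinguishes a benign file from one that launches a program.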

If you think this has happened to you, contact us at security-at-mylookout.com and tell us about it.

Security and Privacy at Lookout

john August 20

At Lookout, we’re committed to building products and services that help make the mobile experience a safe one. We are committed to security and are strong privacy advocates. To this end, we’ve recently updated our Privacy Policy in order to underscore our focus on keeping you and your information safe. We’ve also added a set of Security and Privacy Principles to help users easily understand what guides the decisions we make at our company.

Here are our Security and Privacy Principles.

We welcome your feedback and want to ensure we are clearly communicating to you, our customers, and to the broader community the commitment we have to security and privacy.

Should you ever have any questions on our policies, feel free to contact us at privacy-at-mylookout.com.

It’s No Game—Tap Snake is a Spy App for the Phone

tim August 17

The Threat: Last week, a new spy app was identified in the Android Market that enables a would-be spy to track a phone’s location through a game called Tap Snake. Lookout has protected against this threat since August 10th. Today the app was removed from the Android Market.

How it Works: To the victim, Tap Snake looks like a clone of the Snake game. However, once someone installs this app on a phone, the “game” serves as a front for a spy app that proceeds to run in the background, secretly reporting GPS coordinates back to a server. The would-be spy then pays for and downloads an app called GPS Spy and enters an email address and code to gain access to the victim’s uploaded data.

GPS Spy costs $4.99 and until today could be purchased through the Android Market or other Android stores. Once on the phone, the application instructs the purchaser to download and install the Tap Snake game to the phone they want to spy on. The would-be spy does need to have physical access to the phone they want to monitor.

Phones it Affects: Tap Snake is only available for Android phones.

How to Tell if You Are Affected: Look to see if you have the Tap Snake game on your phone. If it is on your phone, you can download a mobile security app to remove the software.

How to Stay Safe:

  • Don’t let others download apps onto your phone. Keep in mind, a would-be spy needs physical access to your phone in order to install Tap Snake and enter the code that enables tracking.
  • Don’t let your phone out of your sight and keep control of your phone at all times.
  • Download a mobile security app for your phone that scans every app on your phone. We’re partial to Lookout.

Lookout has protected against Tap Snake since August 10th. If you already have Lookout on your phone, you don’t need to do anything–you are automatically protected. If you don’t yet have Lookout on your phone, you can download it here.

Mobile Malware: From Fame to Fortune?

kevin August 12

Earlier this week the first SMS Trojan that infects Android smartphones was discovered in the wild. We see this as a significant event for several reasons. First, this is the first instance of a Trojan on the Android platform, which to date has mainly been affected by spyware and phishing attacks. Second, the motive behind this attack is profit, realized through charges for premium-rate SMS messages (see graphic below), and it may portend a broader shift towards profitable cybercrime on phones, as has happened on PCs.

We’ve seen the progression of threats from novelty to profit before. To see where we’re heading, we need only to look to the desktop. Looking back over the last twenty years, the evolution of malware on the PC has hit three relatively distinct milestones that we could classify as Ego, Profit, and Political. This cycle looks like it will repeat itself for mobile phones, only significantly accelerated.

In the 1990s and early 2000s, PC malware was typically written more for the ego boost of fame and notoriety than for other motives. Melissa, ILOVEYOU, and MSBlast grabbed headlines, but not sensitive data. In recent years that has changed. In 2008, the Torpig Trojan was released into the wild and has stolen at least half a million online banking account credentials, credit card numbers, and debit card numbers. We’re also at the early stages of PC malware used for political purposes, such as recent denial of service attacks against Estonia and the Georgian president.

A similar evolution is happening within mobile malware. We are already well into the Ego phase and now perhaps poised to move into the profit phase. Consider the 2005 Symbian-based Cabir worm that did little more than spread to other devices via Bluetooth or the ikee worm that changed the wallpaper of jailbroken iPhones with default passwords to a photo of Rick Astley because its author, an Australian hacker, was just curious as to how far it would spread. Both were more of a nuisance than an actual threat; however, shortly after the ikee worm was released, the Duh worm in the Netherlands used the same mechanism to propagate and attempted to steal banking credentials from ING banking customers. Furthermore, with the recent Android SMS Trojan, we think we’re seeing early steps toward the profit phase which means both more sophisticated malware and more organized perpetrators.

As always, there are some steps that consumers can take to keep themselves safe.

  • Only download applications from trusted sources. Remember to look at reviews and star ratings.
  • Always check the permissions an app is requesting when downloading apps. Use common sense to ensure that the permissions match the type of app you are downloading.
  • Download a mobile security app for your phone that scans every app you download. We’re partial to Lookout.

We’ll be routinely sharing data as to how the world of mobile malware and spyware is evolving—whether it be for fame or fortune.

Security Alert: First Android SMS Trojan Found in the Wild

tim August 10

UPDATE: Lookout has pushed an over-the-air (OTA) update to automatically protect all Lookout Android users from this newly reported Trojan. If you already have Lookout installed, the update will be automatically pushed down to your device. If you don’t have Lookout, go to www.mylookout.com from your phone to download it now or find Lookout in the Android Market.

==============================================

Today, Kaspersky Labs reported the first SMS Trojan that infects Android smartphones.

The Threat: The Trojan is hidden inside an application called “Movie Player.” Users visiting a website are prompted to install to their phone an application of just over 13KB that looks like a media player. Take note that the app does list “Services that cost you money (send SMS messages)” as one of the required permissions prior to installation.

How it Works: Once installed, the Trojan proceeds to send SMS messages to premium-rate numbers charging several dollars per message without the owner’s knowledge or consent.

Phones it Affects: So far this has only affected Android smartphone users in Russia and only works on Russian networks. As far as we know, there is no indication that this app is in the Android Market.

How to tell if you’re affected:

  • Review your phone bill for any premium SMS messages you did not send
  • If you have recently downloaded a media player, check the permissions to ensure it does not have the ability to send SMS messages. (Go to Settings, Applications, Manage Applications)

Lookout is tracking this threat and we will have an update out to our users shortly. In the meantime, we recommend the following:

How to Stay Safe:

  • Only download applications from trusted sources. Remember to look at reviews and star ratings.
  • Always check the permissions an app is requesting when downloading apps. Use common sense to ensure that the permissions match the type of app you are downloading.
  • Download a mobile security app for your phone that scans every app you download. We’re partial to Lookout.

As we’ve previously noted, with the discovery of this new Android Trojan, it is more important than ever to pay attention to what you’re downloading. This Movie Player app directly lists permissions to access “Services that cost you money” before you install. Stay alert to ensure that you trust every app you download and stay tuned for more details on this threat.

New Way to Jailbreak iPhone Opens the Door to New Security Threats

kevin August 7

Since the first version of the iPhone—and now the latest versions of both the iPhone and iPad—users have used a technique called jailbreaking to override the software sandbox on their devices in order to gain full control of the operating system and install applications that Apple has not approved. This week a site called jailbreakme.com made news by enabling users to jailbreak an iPhone or iPad in a matter of minutes by simply visiting a web page. The latest jailbreak technique has raised significant security concerns because it uses a pair of recently discovered vulnerabilities in the iPhone and iPad operating system (iOS) to perform the jailbreak on the device.

While there have not yet been reports of these exploits being used maliciously, the security implications are significant. Now that the exploits are publicly known, they can be easily modified for malicious purposes, creating a big potential risk for iPhone and iPad users. All that is needed to exploit an iPad or iPhone is for the browser to visit a maliciously crafted web page; from the PC world, we know there are a variety of ways to get a user there. For example, a bad actor could send an email or SMS encouraging users to visit a link that would result in their iPhone being exploited without their knowledge. While the currently known exploit in the wild jailbreaks your phone, the underlying vulnerability allows an attacker full access to do anything.

What can an attacker do with full access (called “root”) to your phone? Perhaps the least-nasty result is that your phone becomes jailbroken; however, full access allows attackers to do virtually anything on the device. It is possible for malicious code to steal data, capture online banking and account credentials, make charges to your phone bill, and do anything else your phone is capable of. Apple has been quoted saying they are aware of the issue and are working on a fix.

How does this affect the average iPhone or iPad user?

First, you shouldn’t jailbreak your phone unless you have experience securing Unix systems. If you don’t know what this means, don’t even think about jailbreaking your phone.

Second, to avoid having your phone exploited without your knowledge, follow these tips:

1. Don’t visit any suspicious web sites from your iPhone or iPad.
2. If you receive an email or text message from someone you don’t know, avoid visiting any links they ask you to visit.
3. Don’t open any PDF files from people you don’t know on your iPhone or iPad.
4. Pay attention to any new attacks that are discovered in the wild.
5. Be sure to update your phone as soon as Apple makes a patch available.

Finally, if you do want to jailbreak your phone, make sure to install this tool to warn you every time an application on your phone attempts to open a PDF.

Be sure to check back often, as we’ll be posting updates as this security issue develops.

Tips for Developers to Safeguard User Data

tim August 4

Hello. I’m Tim, and I lead the Security Response Team here at Lookout.

Last week, we talked about a series of Android wallpaper apps that were collecting the phone number, IMSI, and voicemail number from devices and sending them to a remote server over insecure communication channels. As reported today, Google released these apps back into the Android Market as “there is no obvious malicious code … though the implementation accesses data that it doesn’t need to.”

We’ve been in touch with the developer, and shared with him some recommendations to better protect his users’ privacy. As we’ve seen, it’s entirely possible to inadvertently put sensitive data at risk without malicious intent. Rather, developers sometimes do not understand the sensitivity of data that they collect, or the risks inherent in handling that data.

Mobile platforms grant developers access to sensitive data about users, their devices, and their associates. Developers must maintain awareness and act as responsible stewards of the data they’re granted access to. This is not a new problem — application developers have to contend with handling sensitive data on any platform they develop for. Smartphone platforms make it easier than ever to access caches of sensitive information, though, and it’s easy to make mistakes. We’d like to suggest a few “best practices” developers should keep in mind as they create new mobile apps.

  • Know exactly what private user and device data you are collecting and understand what that data is.
  • Only collect the data you need for your app.
  • If you use an advertising SDK, analytics SDK or other 3rd party code in your application, make sure you understand what information it collects and transmits.
  • Do not transmit private user or device data over an unencrypted communications channel. Always use HTTPS/TLS to secure network communications when private data is in motion.
  • Consider alternatives to using private user data where possible. For instance, if you are collecting the device’s primary phone number, IMEI, or IMSI as a unique identifier to save user settings, consider using a one-way hash or a Globally Unique Identifier (GUID) generation scheme that is related to, but does not directly disclose, these pieces of data.

Finally, be careful that you don’t disclose data via inappropriate side channels such as shared system logs. Check logs and audit debug statements to make sure you are not inadvertently disclosing user or device data in released code.
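The identifier advice in the last bullet and the log side-channel caution, worked through in Python as an added example (not code from this post or from Lookout; the identifiers are constructed, and `keyed_pseudonym`, `install_id` and `redact_for_log` are illustrative names). It shows why a bare hash of an IMEI is not a real pseudonym, since the digest can be matched by enumerating the few unknown digits, and what a keyed hash, a random install id and a redacted log value look like instead.

```python
import hashlib
import hmac
import uuid

# Constructed sample identifiers for the demo; they belong to no real device.
SAMPLE_IMEI = "490154203237518"
SAMPLE_IMSI = "310150123456789"


def bare_hash_id(identifier):
    """The tempting scheme: an unkeyed SHA-256 of the hardware identifier."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def recover_from_bare_hash(digest, known_prefix, unknown_digits):
    """Show why bare_hash_id is not a real pseudonym: an IMEI or IMSI has little
    entropy once its prefix (the TAC, or MCC+MNC) is known, so the digest can be
    matched by enumerating the remaining digits. The demo fixes 11 of 15 digits;
    a real 8-digit TAC leaves at most 7 unknown digits (ten million candidates,
    fewer once the Luhn check digit is accounted for), which takes well under a
    minute. Returns the matching identifier, or None if nothing matches."""
    for n in range(10 ** unknown_digits):
        candidate = f"{known_prefix}{n:0{unknown_digits}d}"
        if bare_hash_id(candidate) == digest:
            return candidate
    return None


def keyed_pseudonym(identifier, app_secret):
    """HMAC-SHA256 under a secret: still stable per device, but enumeration is
    useless without the key. The key protects only while it stays out of reach of
    whoever sees the digests; a secret embedded in the shipped app can be pulled
    out of the package, so keep it server-side, or use install_id() instead."""
    return hmac.new(app_secret, identifier.encode(), hashlib.sha256).hexdigest()


def install_id():
    """Random per-install identifier (UUID4), tied to no hardware value at all.
    Persist it in the app's private storage and it serves as a settings key."""
    return str(uuid.uuid4())


def redact_for_log(identifier, keep=4):
    """For debug statements: show only the last few digits, so a shared system
    log never carries the full identifier across the permission boundary."""
    return "*" * (len(identifier) - keep) + identifier[-keep:]


if __name__ == "__main__":
    digest = bare_hash_id(SAMPLE_IMEI)
    print("bare hash recovered:", recover_from_bare_hash(digest, SAMPLE_IMEI[:11], 4))
    print("keyed pseudonym:", keyed_pseudonym(SAMPLE_IMEI, b"server-side-secret"))
    print("install id:", install_id())
    print("log-safe IMSI:", redact_for_log(SAMPLE_IMSI))
```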

Consider the following code that interacts with Android’s device location provider:


As developers, we often use logging APIs as an easy means to monitor an application’s execution state while debugging. Access to shared logs on Android is governed by a completely different permission than, for example, access to coarse or fine location data. Putting that information into shared logs leaks data across boundaries established by the permission model. Logging data about contacts, browsing history, call history, SMS, and other sensitive user/device data similarly violates the permission model, and developers should be extremely careful not to do so.

The world of mobile app development is experiencing explosive growth. Smartphone platforms are new and exciting and (in some respects) make application development easier than ever before. As we dive into these new platforms, we need to be aware of the sensitive data we’re accessing and handle it with care. We all share responsibility for keeping the mobile ecosystem safe and secure.

Update and Clarification of Analysis of Mobile Applications at Blackhat 2010

kevin July 29

This week at Blackhat, we released the first findings from the App Genome Project. Our goal with this research is to help make people aware of the capabilities of mobile apps so that they can be vigilant while downloading. Mobile applications on all platforms–iPhone, BlackBerry, Android, and Symbian–can potentially gather sensitive data from users and we think it’s important that both developers and users act responsibly. The Android permission model, for example, takes steps to inform users of the capabilities of apps, including what personal data the app could be accessing, thus empowering users to evaluate the apps they download and make good decisions.

During our research, we found a series of wallpaper applications in the Android Market that gather seemingly unnecessary data. The wallpaper applications we analyzed transmitted several pieces of sensitive data to a server over an unencrypted network connection. The data included the device’s phone number, subscriber identifier (IMSI), and the voicemail number currently entered on the phone (see below for technical details). While this sort of data collection from a wallpaper application is certainly suspicious, there’s no evidence of malicious behavior. There have been cases in the past on other mobile platforms where well-intentioned developers were simply over-zealous in their data gathering, without malicious intent.

The wallpaper apps that we analyzed came from two developers, “jackeey,wallpaper” (whose developer name has changed to “callmejack” since we originally released our research) and “IceskYsl@1sters!”. According to androlib, applications from “jackeey,wallpaper” are estimated to have been downloaded 1-4 million times.


Introducing the App Genome Project

lookout July 27

[Infographic: Lookout App Genome Project (click to enlarge)]

The App Genome Project

This week at the Black Hat Security Conference, Lookout will unveil the App Genome Project, which is the largest mobile application dataset ever created. In an ongoing effort to map and study mobile applications, the App Genome Project was created to identify security threats in the wild and provide insight into how applications are accessing personal data, as well as other phone resources. Lookout founders John Hering and Kevin Mahaffey initiated the App Genome project to understand what mobile applications are doing and use that information to more quickly identify potential security threats.

Early Findings

Early findings show differences in the sensitive data that is being accessed by Android and iPhone applications, as well as a proliferation of third party code in applications across both platforms.  Stats include:

  • 29% of free applications on Android have the capability to access a user’s location, compared with 33% of free applications on iPhone
  • Nearly twice as many free applications have the capability to access user’s contact data on iPhone (14%) as compared to Android (8%)
  • 47% of free Android apps include third party code, while that number is 23% on iPhone*

* Examples of third party code include code that serves mobile ads and analytics tracking for developers.

New Security Vulnerabilities

Lookout will also be announcing new security vulnerabilities, including Mobile Data Leakage, which occurs when developers inadvertently expose sensitive data in application logs in a way that makes it accessible to malicious applications. In one instance of this vulnerability, Android itself was writing user location data to logs in a way that made it accessible to other applications. That vulnerability has been addressed by Google and is fixed in Android 2.2 and later.

This vulnerability and others point to the need for developers to be more aware of best practices for accessing, transmitting and storing users’ personal data. In addition, consumers need to be aware of the permissions that mobile applications request and how that personal data is being used in the application.

More detailed information on the App Genome Project and on the vulnerabilities will be presented in two dedicated sessions at Black Hat this week, which will also offer recommendations for OEMs, carriers and developers on how to improve security across the mobile ecosystem.