the lookout security platform - milanconsult€¦ · security researchers spend hours dissecting...
TRANSCRIPT
![Page 1: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/1.jpg)
Whitepaper übergeben durch Partner:
The Lookout Security Platform Advanced Mobile Threat Protection Through
Predictive Cybersecurity
![Page 2: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/2.jpg)
Whitepaper übergeben durch Partner:
Table of Contents
I The Road to Predictive Security
a. Cyberattack Economics
b. Signature and Behavioral Analysis Limitations
c. Toward Predictive Security
II The Lookout Security
Platform III App Analysis
Architecture
a. Acquisition
b. Enrichment
c. Analysis
d. Protection
IV Device Analysis
Architecture V Predictive
Security in Action
a. FireTalk
b. BadNews
VI Conclusion
lookout.com 2
![Page 3: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/3.jpg)
Whitepaper übergeben durch Partner:
lookout.com 3
I. The Road to Predictive Security
Cyberattack Economics
Given the recent spate of cyberattacks, one might conclude
these attacks are the unavoidable consequence of living in a
highly digital, connected world. At Lookout, however,
we reject this notion. We believe that these events reflect a
fundamental imbalance in the economics of cyberattacks that
currently favors attackers. The path toward a better future
lies in disrupting this asymmetry by dramatically raising the
cost of attacks through better predictive security.
Currently, it takes enormous effort to reverse engineer
and remediate a cyberattack and only minimal effort for
attackers to modify their code and infrastructure to
successfully evade detection. A 2014 study found that the
average cyberattack costs organizations $12.7 million1.
While difficult to quantify attacker costs, it’s clear that
attackers invest a pittance compared to the billions of dollars
spent on digital security and the countless hours
organizations spend investigating and remediating breaches.
What explains this relatively low cost of attack? An industry
overreliance on signatures and behavioral analysis detection
models has much to do with the problem. While both
security approaches remain important to a multilayered
security defense, recent cyberattacks have exposed their
limitations and the ease with which skilled attackers can
evade these defense mechanisms.
Limitations of Signatures & Behavioral Analysis
Gartner estimates that globally organizations spent $71.1
billion on information security in 20142 and a significant
portion of that spend goes toward threat detection
technologies. Today, most threat detection systems rely on
signatures and/or virtualized behavioral analyses, and both
approaches have notable blind spots and limitations.
Signatures can effectively block simplistic, unchanging
attacks, but can’t scale with the pace of malicious software
development and routinely miss advanced attacks. Typically,
security researchers spend hours dissecting new malicious
code to understand its identifying characteristics and then
create signatures to flag these characteristics in future
threats. Unfortunately, humans can’t scale at the rate of
software development and the increasing sophistication
and volume of malware means signature-based models
will increasingly miss advanced threats. In 2014 Lookout
observed an overall increase in threat sophistication,
including evidence that attackers may have compromised
mobile supply chains and pre-loaded malware on some
factory-shipped devices.3
1 “2014 Cost of Cyber Crime Study: United States.” The Ponemon Institute. Oct 2014. 2 “Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014 as Organizations Become More Threat-Aware.”
Gartner. Aug 22, 2014. 3 “2014 Mobile Threat Report.” Lookout. Jan. 2014.
SIGNATURES
CONS
Can’t scale; overly reliant on humans
Brittle and easily evadable
![Page 4: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/4.jpg)
Whitepaper übergeben durch Partner:
lookout.com 4
Additionally, because of their code-level specificity
and dependencies on 1:1 matches, attackers can
break signatures fairly easily. Small modifications
to malicious code will alter a signature pattern or
cryptographic hash, rendering it useless. Consider
the ease with which an attacker can break the
following sequence-based signatures:
custom malware installed by the attacker, the Times’
signature-based detection technology caught and
quarantined only one of those 45 instances.4
Behavioral analysis detection models tend to fare better than
signatures against advanced attacks given the increased
difficulty of obscuring malicious behavior.
Table 1: Example of Signature Limitations
SIGNATURE POST ATTACKER MODIFICATION
Status Effective Broken
Signature 1 \x00>apkFile and apkFile1 Already rooted
or already have ==> return\x00
\x00>apkFile and apkFile1 Already rooted
or already have _ ==> return\x00
Signature 2
\x00\x00\x00AndroidRTService.apk\x00
\x00\x00\x00AndroidRTSXervice.apk\x00
With the simple addition of the character “X” and a space,
literally two keystrokes, an attacker can recycle their code and
evade these signatures that may have resulted from hours of
human research and code analysis. Of course, knowing
which specific code sequences to change can prove
challenging, but attackers can automate this evasion process
with the use of code obfuscation algorithms that will reorder,
rename, and/or insert garbage (filler) sequences to throw off
signatures and can also leverage tools to automatically test
their evasive code against existing signatures.
One recent cyberattack in particular illustrated the
limitations of signature-based detection models. When the
New York Times computer systems came under attack
from hackers reportedly from China, subsequent
investigation revealed that among the 45 instances of
This detection approach, however, also has limitations. Namely,
it tends to produce more false positives, creating excessive
noise that can cause organizations to lose or overlook important
signals surfaced by the detection model.
4 “Hackers in China Attacked The Times for Last 4 Months.” New York Times. Jan. 30, 2014.
BEHAVIORAL ANALYSIS
CONS
Lacks context; false positive prone
Misses advanced, latent threats
![Page 5: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/5.jpg)
Whitepaper übergeben durch Partner:
5 “Target says it declined to act on early alert of cyber breach.” Reuters. Mar. 13,
2014.
lookout.com 5
While behaviors can signal malicious activity, most
behavioral analysis models lack the context to consistently
differentiate between malicious and non-malicious intent
behind behaviors. Consider the table below showing
the permissions and corresponding contact-exfiltration
behaviors of two different Android applications:
disguised as a VoIP app first detected by Lookout.
This example illustrates how pure behavioral analysis
approaches to security often lack the context to accurately
assess behaviors. Like an overly sensitive smoke alarm, the
lack of precision in these systems means they run the risk of
failing to highlight the true signal amidst the noise they
Table 2: Example Behavioral Analysis Limitations
APP 1
APP 2
Flagged
Behavio
r
Yes
Yes
Sample
• android.permission.READ_CONTACTS
• android.permission.READ_CONTACTS
Permissions • android.permission.ACCESS_NETWORK_STATE • android.permission.WRITE_CONTACTS
• android.permission.ACCESS_FINE_LOCATION • android.permission.ACCESS_NETWORK_STATE
• android.permission.READ_CALENDAR • android.permission.ACCESS_FINE_LOCATION
Behavior
Sends device contacts to server
Sends device contacts to server
Both apps, executed in a virtual environment, would access
device contacts, network state and GPS location and a
behavioral analysis model that classifies “device contact
access and exfiltration” as bad behavior would alert on both
apps. But do both apps represent threats? Does it matter that
App 1 accesses device calendar data and App
2 does not? It’s difficult for automated systems to make
these calls without an understanding of the context of each
app’s behavior.
App 1 in this example, however, is a benign social
networking application and App 2 is MalApp.D, malware
create. Some security experts, for example, have posited that
although the breach of Target’s credit card triggered security
alerts in their system, their importance was not recognized
amidst possibly hundreds of other security alerts generated
on a daily basis.5
Lastly, behavioral analysis detection models only provide a
snapshot of behavior at a specific point in time and this
creates blind spots. Sophisticated attackers can evade
detection by temporarily suppressing malicious behavior or
creating multi-stage threats that bypass analysis and then
download malicious payloads. Lookout, for instance,
![Page 6: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/6.jpg)
Whitepaper übergeben durch Partner:
lookout.com 6
detected BadNews, a mobile threat that successfully
bypassed a major app store’s security analysis by posing as
an ad network, only to later use their capabilities to prompt
users to download malware disguised as “updates.”6
Other mobile threats have demonstrated an ability to
suppress malicious behavior for up to 30 days to evade
behavioral detection.7 Researchers continually uncover
additional ways for clever attackers to evade behavioral
detection by detecting the virtual environment itself,
cueing their attack on behavior that a user would
perform that an analysis environment does not emulate
(e.g. scrolling down on a document), or laying dormant
on a particular targeted system.
Toward Predictive Security
Threat detection is fundamentally an exercise in prediction.
Security systems detect threats by taking available
information (inputs) and returning an assessment of risk
(outputs) according to an analysis model. Signature and
behavioral analysis models, however, fall short of true
predictive security. Signatures require threat encounters
before they can predict (identify) threats and behavioral
analysis predictions lack precision and can also fail to
predict more advanced threats that obscure or suppress their
behavior. In short, organizations face a basic tradeoff when
adopting these security models:
• Signature models reduce false positives at the
expense of false negatives
• Behavioral models reduce false negatives at the
expense of false positives
These tradeoffs come from these models’ use of limited
datasets and their corresponding inability to assess
a potential threat’s relation to the world of known code
beyond signatures and behaviors. No matter how
sophisticated the algorithms used, these security models will
continue to suffer from this tradeoff on account of their
limited data inputs.
True predictive security requires real-time security
telemetry from a global population of devices and the
use of machines to sift through this dataset to identify
complex risk correlations that would otherwise evade
human analysis and basic 1:1 pattern matching. The real
promise of a predictive security model is that it can detect
threats where no prior signatures exist and before threats
exhibit malicious behavior.
With this promise in mind, Lookout has designed and built
the Lookout Security Platform.
II The Lookout Security Platform
Introduction
The Lookout Security Platform is a cloud-based platform
that detects and stops both mainstream and advanced mobile
threats. The platform uses a predictive security model that
enables threat detection even in cases where no prior
signatures exist and before threats exhibit malicious
behavior. It protects mobile endpoints and infrastructures
from app and device-based threats, enables deep threat
investigation, and ultimately powers a wide range of
Lookout product offerings.
6 “The Bearer of Bad News.” Lookout. Apr. 19, 2013. 7 “Apps on Google Play Pose As Games and Infect Millions of Users with Adware.” Avast. Feb. 3, 2015.
![Page 7: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/7.jpg)
Whitepaper übergeben durch Partner:
lookout.com 7
Figure 1: The Lookout Security Platform and Product Architecture
CONSUMER PRODUCT ENTERPRISE PRODUCT
To be clear, Lookout’s platform incorporates signatures
and behavioral analyses into its security stack to achieve
defense-in-depth capabilities. It goes beyond these
traditional detection techniques, however, in its use of
real-time security telemetry and machine intelligence to
automatically correlate the security signals from every
device and app it encounters across multiple dimensions to
track existing threats and predict novel threats.
III App Analysis Architecture
The diagram on the following page depicts the architecture of
the platform’s app-based threat detection capabilities.
This architecture follows a four-step process:
• Data Acquisition
• Data Enrichment
• Data Analysis
• Protection
LOOKOUT SECURITY PLATFORM
Lookout Mobile
Security (LMS)
iOS
Lookout Mobile
Security (LMS)
Android
Mobile Threat
Protection(MTP)
iOS
App Vetting API
Mobile Threat
Protection (MTP) Android
Mobile
Intelligence
Center (MIC)
![Page 8: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/8.jpg)
Whitepaper übergeben durch Partner:
lookout.com 8
Figure 2: The Lookout Security Platform App Analysis Architecture
![Page 9: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/9.jpg)
Whitepaper übergeben durch Partner:
lookout.com 9
i. Acquisition
The platform collects real time security telemetry on
mobile applications from a variety of sources:8
Mobile Sensor Network More than 60 million
registered mobile devices worldwide provide Lookout with
a comprehensive, real-time view into threats on just one
device or millions. Lookout’s app binary acquisition
process spreads the load among multiple devices to limit
battery and data impact, reassembling the app fragments in the
cloud and preserving end-user privacy by only collecting
application binaries, not user personal data (e.g. photos,
messages) generated in the course of using these applications.
Crawling Lookout continually monitors the major and
minor app stores of the world, including app stores in
countries such as China, Russia, and India. Lookout’s
crawling technology also enables app acquisition from ad
hoc web sources.
App Vetting API By serving as the exclusive security
layer for some of the world’s largest app stores, the Lookout
Security Platform has privileged access to malware
submitted to these stores that never sees the light of day.
8 Lookout’s platform is aware of the presence of 67,500,000 unique app binaries in the world, counted by cryptographic hash.
This include both system apps (apps that are part of the operating system) as well as user-downloaded apps, and counts each version of
an app as a unique app instance.
AT A GLANCE
Registered mobile sensors
60+ million
worldwide
App Vetting
API Partners
Many, including some of the world’s
largest app stores
Unique app binaries detected8
67,500,000
Unique app binaries acquired
11,000,000
Unique app
binaries detected
on only one device worldwide
875,000
Apps
acquired daily
10,000+
![Page 10: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/10.jpg)
Whitepaper übergeben durch Partner:
lookout.com 10
![Page 11: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/11.jpg)
Whitepaper übergeben durch Partner:
lookout.com 10
Sie haben Fragen oder möchten einen Webcast? Sprechen Sie mit unserem autorisierten Lookout-Partner:
milan|consult GmbH · Waaghausstr. 18 · 78532 Tuttlingen · mail: [email protected] · www.milanconsult.de
The following table highlights the types of data collected from mobile sensors in this acquisition funnel:
Table 3: Mobile Sensor Data Collection
TYPE ANDROID/iOS SCOPE
Application
Cryptographic hash Android + iOS All device apps.
Package name Android + iOS All device apps.
Apk9 file Android Only apps not recognized by
Lookout’s platform
.Ipa file metadata
• Bundle ID
• Team ID
iOS Only non-Apple App Store or
enterprise-signed apps not recognized
by Lookout’s platform.
With respect to the collection of data directly from
endpoint mobile devices, the Lookout Security Platform
takes precautions to ensure it protects user privacy.
For its consumer application, Lookout obtains consent
before collecting security telemetry and offers users the
right to opt-out of this data collection. For Lookout’s
enterprise client, use of the product is conditional on
sharing this security telemetry, which is required by
Lookout to protect organizations. To reiterate, Lookout
never collects personal data generated by users on their
devices, such as images, audio, video, or text and also
never uses collected security telemetry to identify
individual users unless a user specifically requests
contact regarding a security issue.
9 APK = Android Application Package, the package file format used to distribute and install app software onto Android devices.
![Page 12: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/12.jpg)
Whitepaper übergeben durch Partner:
lookout.com 11
Sie haben Fragen oder möchten einen Webcast? Sprechen Sie mit unserem autorisierten Lookout-Partner:
milan|consult GmbH · Waaghausstr. 18 · 78532 Tuttlingen · mail: [email protected] · www.milanconsult.de
ii. Enrichment
Each app acquired by Lookout’s platform undergoes a
unique enrichment process that characterizes how it works
and accurately relates it to the world of known applications:
Metadata Lookout appends data that includes app name,
digital signature, app store description, and developer name.
Reputation Lookout incorporates data related to the
authorship, origin, and geo-historical distribution of an app,
such as the duration and location of its popularity.
Behavior The platform generates app behavior data,
generated through dynamic and symbolic execution
technologies that run the app in a simulated environment
and analyze the capabilities of its code. • Package name: com.android.service
• Signer: bb626d3b8406e7fc330d0f4b304cbfc5f610721f
• CN=Dragon, L=SZ, ST=GZ, C=CN
• Packaged date: 2012-09-20 18:36:44 UTC
• Signed date: 2012-09-20 18:36:42 UTC
examples
REPUTATION RESULTS:
• 95% of known APKs that use this signer are malware
examples
• write_file (Osiris[0.1.217])
• read_contacts (Static Behavior Extraction[3.1.469])
• write_contacts (Static Behavior Extraction[3.1.469])
• read_sms (Static Behavior Extraction[3.1.469])
• read_imsi (Static Behavior Extraction[3.1.469])
examples
![Page 13: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/13.jpg)
Whitepaper übergeben durch Partner:
lookout.com 12
Sie haben Fragen oder möchten einen Webcast? Sprechen Sie mit unserem autorisierten Lookout-Partner:
milan|consult GmbH · Waaghausstr. 18 · 78532 Tuttlingen · mail: [email protected] · www.milanconsult.de
App Genome Sequencing™ Analysis The platform
automatically assesses the fuzzy code similarity an app shares
with all known code in Lookout’s mobile intelligence dataset. It
reveals where that app’s code (or its relatives) appear in the
world by analyzing approximate similarity between
individual code classes and then computing an aggregate
similarity score.
examples
INDEX CLASS: SCORE:
• Lorg/linphone/MapAPP$1$1; 0.9433
• Lorg/linphone/MapAPP; 0.9846
• Lorg/linphone/util/Constant; 1.0000
• Index match: 0.9923
Lookout holds patents related to its App Genome
Sequencing™ technology, which is one of the key
differentiating technologies that powers Lookout’s
predictive security model. Whereas attackers can evade
signatures by changing a single line of code, App Genome
Sequencing technology does not depend on precise 1:1
matches and can instead assess approximate match scores at
both a granular (class or code block) and holistic (app) level.
This dramatically raises the cost of attack because
it requires attackers to essentially start from scratch and
overhaul their entire code base to evade detection.
Even some of the less powerful enrichment technologies can
play a key role in identifying and tracking malicious code by
adding relevant data points to feed Lookout’s Helix™
security engine and enable it to find more complex,
multidimensional correlations.
![Page 14: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/14.jpg)
Whitepaper übergeben durch Partner:
lookout.com 13
Sie haben Fragen oder möchten einen Webcast? Sprechen Sie mit unserem autorisierten Lookout-Partner:
milan|consult GmbH · Waaghausstr. 18 · 78532 Tuttlingen · mail: [email protected] · www.milanconsult.de
iii. Analysis
Lookout’s Helix™ security engine ingests the data
generated by the platform’s acquisition and enrichment
processes and then automatically compares these data points
to the hundreds of millions of data points in Lookout’s
mobile intelligence dataset. Multidimensional threat
correlation makes the platform substantially harder to evade
because it requires attackers to re-implement their entire
platform and command and control infrastructure, instead of
simply changing the few components that match a signature
or obscuring the malicious activity that would trigger an
alert. In the event that the Lookout Security Platform finds
no correlations the platform relies on a
risk-scoring model, taking inputs from the enrichment and
analysis processes to predict zero-day threats.
The stunning breadth and complexity of the multidimensional
correlations generated by the Helix security engine far outpace
the capacities of human analysts and behavioral analysis
models alone. Consider the diagrams on the following pages
that visualize these correlations for two distinct malware
families, Mouabad and NotInstalledYo.
![Page 15: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/15.jpg)
Whitepaper übergeben durch Partner:
lookout.com 14
Sie haben Fragen oder möchten einen Webcast? Sprechen Sie mit unserem autorisierten Lookout-Partner:
milan|consult GmbH · Waaghausstr. 18 · 78532 Tuttlingen · mail: [email protected] · www.milanconsult.de
Figure 3: Multidimensional Threat Correlation Analysis of Mouabad Malware Family
This diagram shows samples of the Mouabad
mobile malware family, correlated by shared
signer, IP communications, and binary similarity
as calculated by the platform’s App Genome
Sequencing technology. Mouabad is a family of
trojans that enable third party control over a
compromised device, allowing remote attackers
to send premium rate SMS messages and
engage in remote dialing activities.
![Page 16: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/16.jpg)
Whitepaper übergeben durch Partner:
lookout.com 15
Sie haben Fragen oder möchten einen Webcast? Sprechen Sie mit unserem autorisierten Lookout-Partner:
milan|consult GmbH · Waaghausstr. 18 · 78532 Tuttlingen · mail: [email protected] · www.milanconsult.de
Figure 4: Multidimensional Threat Correlation Analysis of NotInstalledYo Malware Family.
This diagram shows samples of the NotInstalledYo mobile malware family, correlated by shared signers and
binary similarity as calculated by the platform’s App Genome Sequencing technology. The node at the center of
this galaxy represents a widely shared signer that uses a compromised signing key. NotInstalledYo is a family of
spyware that intercepts SMS messages on victimized devices and forwards them to attackers.
Figure 4.1: Red Zone Enlarged
Samples that share a high degree of binary similarity are grouped by color and nodes to which multiple colored
nodes connect signify a shared signer amongst those samples.
![Page 17: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/17.jpg)
Whitepaper übergeben durch Partner:
lookout.com 16
Sie haben Fragen oder möchten einen Webcast? Sprechen Sie mit unserem autorisierten Lookout-Partner:
milan|consult GmbH · Waaghausstr. 18 · 78532 Tuttlingen · mail: [email protected] · www.milanconsult.de
iv. Protection
The output of Lookout’s platform is a dynamic security
decision that identifies evolving known threats as well as
unique, targeted attacks. When the platform detects novel
threats it automatically initiates an investigative process,
alerting Lookout’s Research and Response team to further
investigate the operation and motivation of attackers, take
remedial action such as issue server takedown requests,
and ensure that relevant partners, customers and organizations
take remedial action if needed.
![Page 18: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/18.jpg)
Whitepaper übergeben durch Partner:
lookout.com 17
Sie haben Fragen oder möchten einen Webcast? Sprechen Sie mit unserem autorisierten Lookout-Partner:
milan|consult GmbH · Waaghausstr. 18 · 78532 Tuttlingen · mail: [email protected] · www.milanconsult.de
IV Device Analysis Architecture
Figure 5: The Lookout Security Platform Device Analysis Architecture
To protect the underlying security of mobile devices from
threats such as malicious rooting and jailbreaking, the
Lookout Security Platform collects a range of device
security telemetry to form a digital fingerprint of each
device. This security telemetry includes:
a. OS/Firmware data - OS file metadata, such as
the file name and hash
b. Configuration data - system properties of the
OS configuration
c. Device data - device identifier information,
for device remediation purposes
After collecting this data the platform then re-assembles
it in the cloud to form a device fingerprint. It correlates
the various data points of this fingerprint against
Lookout’s mobile intelligence dataset to identify when a
device is vulnerable or has been compromised, and can
also predict device risk based on anomalies or
correlations to known signals of compromise. When the
platform detects a compromised device it executes
remedial action through an integrated Mobile Device
Management (MDM) client.
Today, most device compromise detection models rely
on a handful of point tests, hard coded on the mobile
client. Attackers have identified and successfully
deconstructed these point tests and devised
![Page 19: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/19.jpg)
Whitepaper übergeben durch Partner:
lookout.com 18
Sie haben Fragen oder möchten einen Webcast? Sprechen Sie mit unserem autorisierten Lookout-Partner:
milan|consult GmbH · Waaghausstr. 18 · 78532 Tuttlingen · mail: [email protected] · www.milanconsult.de
countermeasures to easily evade them. Lookout’s detection
model, however, differs substantially from these approaches
in that it collects a holistic fingerprint of the device profile
and sends it up to the cloud to analyze on the server-side.
Lookout’s security model offers two key advantages: instead
of reverse-engineering a few client-side point tests, to evade
Lookout, attackers need to mimic the entire device state and
its corresponding signals, which significantly raises
the cost of attack. In addition, the server-side analysis also
inhibits attackers from easily reverse-engineering Lookout’s
detection methodology.
V Predictive Security in Action
The following threat detections demonstrate how the Lookout
Security Platform has delivered on the promise of predictive
security and can detect threats for which no prior signatures
exist and can even detect threats before they exhibit
malicious behavior.
Case Study 1: BadNews
Consider the case of BadNews, a malicious mobile ad
network. Lookout found BadNews embedded in 32 different
apps that were live in Google Play and had received
millions of downloads. BadNews enabled the installation of
additional APKs and could open URLs in the browser,
although it exhibited neither of these behaviors at the time
of discovery. The Lookout Security Platform, however,
detected that BadNews contained code that shared
statistically significant correlations to known Russian
malware and, in a pre-crime maneuver, proactively protected
Lookout-enabled devices.
Post protection, Lookout continued to monitor BadNews in
the wild and later observed it distributing new zero-day
trojans via the APK installation functionality. Notably,
BadNews only engaged in this malicious activity for five
minutes a day, effectively disguising its activity from
sandboxed security environments where isolated,
point-in-time behavioral analyses would not detect the activity.
To read more about BadNews, please visit our blog:
blog.lookout.com/blog/2013/04/19/the-bearer-of-
badnews-malware-google-play
Case Study 2: MalApp.D
The power of a predictive security model is evident in
Lookout’s detection of MalApp.D, a mobile threat that
matched no prior signature nor engaged in overtly malicious
behavior, but nonetheless put enterprise contact data and voice
communications at risk.
MalApp.D was embedded in a seemingly benign VoIP app
that was live in the Google Play Store at the time of Lookout’s
detection. With a handful of positive reviews and a 4.2 star
rating, the app appeared legitimate.Through multidimensional
correlation, however, Lookout’s platform revealed that this
VoIP app was likely developed by a known author of mobile
malware and it therefore posed an unacceptable risk to
enterprises given its access to device contacts and potential call
recording capabilities.
To read more about MalApp.D, please visit our website:
www.lookout.com/resources/reports/malapp
![Page 20: The Lookout Security Platform - milanconsult€¦ · security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures](https://reader030.vdocument.in/reader030/viewer/2022041104/5f045c757e708231d40d9975/html5/thumbnails/20.jpg)
Whitepaper übergeben durch Partner:
lookout.com 19
Sie haben Fragen oder möchten einen Webcast? Sprechen Sie mit unserem autorisierten Lookout-Partner:
milan|consult GmbH · Waaghausstr. 18 · 78532 Tuttlingen · mail: [email protected] · www.milanconsult.de
VI Conclusion
The Lookout Security Platform analyzes potential mobile
threats not in the context of a single server, a single device,
or a single application, but in the context of global mobile
devices and code. Lookout’s predictive security model
enables more reliable tracking of existing threats and more
precise predictions of zero day threats.
Yet, predictive security models only work if they
can draw on global context. The continued failure of
signatures and behavioral analysis alone to consistently
identify threats without oceans of false positives or false
negatives reveals the critical importance of having large,
contextual data sets. Lookout’s platform excels at finding
the signal amid the noise because it has unprecedented
insight into the code, both apps and firmware, running on
tens of millions of devices around the planet. This massive
dataset produces hundreds of millions of datapoints that the
platform can use to correlate and predict security threats and
risks.
Predictive security models require machine intelligence to
identify exceedingly complex correlations and risk signals
that humans cannot possibly identify at scale. Today, most
detection systems excel only at identifying the bank robber
who has already hit the vault. We should instead use the
deluge of data available to us to predict the next bank
robber based on their correlations across multiple
dimensions to known bad actors.