WHITEPAPER

THE LOOKOUT SECURITY PLATFORM
Advanced mobile threat protection through predictive cybersecurity

Table of Contents

1. The Road to Predictive Security
   a. Cyberattack Economics
   b. Signature and Behavioral Analysis Limitations
   c. Toward Predictive Security
2. The Lookout Security Platform
3. App Analysis Architecture
   a. Acquisition
   b. Enrichment
   c. Analysis
   d. Protection
4. Device Analysis Architecture
5. Predictive Security in Action
   a. BadNews
   b. MalApp.D
6. Conclusion

Lookout, Inc. | 1 Front Street, Suite 2700, San Francisco, CA 94111 | www.lookout.com |

I. The Road to Predictive Security

CYBERATTACK ECONOMICS

Given the recent spate of cyberattacks, one might conclude these attacks are the unavoidable consequence of living in a highly digital, connected world. At Lookout, however, we reject this notion. We believe that these events reflect a fundamental imbalance in the economics of cyberattacks that currently favors attackers. The path toward a better future lies in disrupting this asymmetry by dramatically raising the cost of attacks through better predictive security.

Currently, it takes enormous effort to reverse engineer and remediate a cyberattack and only minimal effort for attackers to modify their code and infrastructure to successfully evade detection. A 2014 study found that the average cyberattack costs organizations $12.7 million [1]. While attacker costs are difficult to quantify, it is clear that attackers invest a pittance compared to the billions of dollars spent on digital security and the countless hours organizations spend investigating and remediating breaches.

What explains this relatively low cost of attack? An industry overreliance on signature and behavioral analysis detection models has much to do with the problem. While both security approaches remain important to a multilayered security defense, recent cyberattacks have exposed their limitations and the ease with which skilled attackers can evade these defense mechanisms.

LIMITATIONS OF SIGNATURES & BEHAVIORAL ANALYSIS

Gartner estimates that organizations globally spent $71.1 billion on information security in 2014 [2], and a significant portion of that spend goes toward threat detection technologies. Today, most threat detection systems rely on signatures and/or virtualized behavioral analyses, and both approaches have notable blind spots and limitations.

Signatures can effectively block simplistic, unchanging attacks, but they can't scale with the pace of malicious software development and routinely miss advanced attacks. Typically, security researchers spend hours dissecting new malicious code to understand its identifying characteristics and then create signatures to flag these characteristics in future threats. Unfortunately, humans can't scale at the rate of software development, and the increasing sophistication and volume of malware means signature-based models will increasingly miss advanced threats. In 2014 Lookout observed an overall increase in threat sophistication, including evidence that attackers may have compromised mobile supply chains and pre-loaded malware on some factory-shipped devices [3].

SIGNATURES
CONS:
- Can't scale; overly reliant on humans
- Brittle and easily evadable

[1] 2014 Cost of Cyber Crime Study: United States. The Ponemon Institute. Oct. 2014.
[2] Gartner Says Worldwide Information Security Spending Will Grow Almost 8 Percent in 2014 as Organizations Become More Threat-Aware. Gartner. Aug. 22, 2014.
[3] 2014 Mobile Threat Report. Lookout. Jan. 2014.


Additionally, because of their code-level specificity and dependence on 1:1 matches, attackers can break signatures fairly easily. Small modifications to malicious code will alter a signature pattern or cryptographic hash, rendering it useless. Consider the ease with which an attacker can break the following sequence-based signatures:

Table 1: Example of Signature Limitations (the inserted space is shown as _)

Signature 1
  Signature:                  \x00>apkFile and apkFile1 Already rooted or already have ==> return\x00
  Post attacker modification: \x00>apkFile and apkFile1 Already rooted or already have _ ==> return\x00
Signature 2
  Signature:                  \x00\x00\x00AndroidRTService.apk\x00
  Post attacker modification: \x00\x00\x00AndroidRTSXervice.apk\x00
Status
  Signature:                  EFFECTIVE
  Post attacker modification: BROKEN

With the simple addition of the character X and a space, literally two keystrokes, an attacker can recycle their code and evade signatures that may have resulted from hours of human research and code analysis. Of course, knowing which specific code sequences to change can prove challenging, but attackers can automate this evasion process with code obfuscation algorithms that reorder, rename, and/or insert garbage (filler) sequences to throw off signatures, and they can also leverage tools to automatically test their evasive code against existing signatures.

One recent cyberattack in particular illustrated the limitations of signature-based detection models. When the New York Times' computer systems came under attack from hackers reportedly from China, subsequent investigation revealed that among the 45 instances of custom malware installed by the attacker, the Times' signature-based detection technology caught and quarantined only one of those 45 instances [4].

Behavioral analysis detection models tend to fare better than signatures against advanced attacks given the increased difficulty of obscuring malicious behavior. This detection approach, however, also has limitations. Namely, it tends to produce more false positives, creating excessive noise that can cause organizations to lose or overlook important signals surfaced by the detection model.

BEHAVIORAL ANALYSIS
CONS:
- Lacks context; false positive prone
- Misses advanced, latent threats

[4] Hackers in China Attacked The Times for Last 4 Months. New York Times. Jan. 30, 2013.


While behaviors can signal malicious activity, most behavioral analysis models lack the context to consistently differentiate between malicious and non-malicious intent behind behaviors. Consider the table below showing the permissions and corresponding contact-exfiltration behaviors of two different Android applications:

Table 2: Example of Behavioral Analysis Limitations

APP 1
  Permissions:      android.permission.READ_CONTACTS
                    android.permission.ACCESS_NETWORK_STATE
                    android.permission.ACCESS_FINE_LOCATION
                    android.permission.READ_CALENDAR
  Behavior:         Sends device contacts to server
  Flagged behavior: YES

APP 2
  Permissions:      android.permission.READ_CONTACTS
                    android.permission.WRITE_CONTACTS
                    android.permission.ACCESS_NETWORK_STATE
                    android.permission.ACCESS_FINE_LOCATION
  Behavior:         Sends device contacts to server
  Flagged behavior: YES

Both apps, executed in a virtual environment, would access device contacts, network state and GPS location, and a behavioral analysis model that classifies device contact access and exfiltration as bad behavior would alert on both apps. But do both apps represent threats? Does it matter that App 1 accesses device calendar data and App 2 does not? It is difficult for automated systems to make these calls without an understanding of the context of each app's behavior.

App 1 in this example, however, is a benign social networking application and App 2 is MalApp.D, malware disguised as a VoIP app first detected by Lookout. This example illustrates how pure behavioral analysis approaches to security often lack the context to accurately assess behaviors. Like an overly sensitive smoke alarm, the lack of precision in these systems means they run the risk of failing to highlight the true signal amidst the noise they create. Some security experts, for example, have posited that although the breach of Target's credit card systems triggered security alerts, their importance was not recognized amidst possibly hundreds of other security alerts generated on a daily basis [5].

Lastly, behavioral analysis detection models only provide a snapshot of behavior at a specific point in time, and this creates blind spots. Sophisticated attackers can evade detection by temporarily suppressing malicious behavior or creating multi-stage threats that bypass analysis and then download malicious payloads. Lookout, for instance, detected

[5] Target says it declined to act on early alert of cyber breach. Reuters. Mar. 13, 2014.


BadNews, a mobile threat that successfully bypassed a major app store's security analysis by posing as an ad network, only to later use its capabilities to prompt users to download malware disguised as updates [6]. Other mobile threats have demonstrated an ability to suppress malicious behavior for up to 30 days to evade behavioral detection [7]. Researchers continually uncover additional ways for clever attackers to evade behavioral detection: detecting the virtual environment itself, cueing the attack on behavior that a user would perform but that an analysis environment does not emulate (e.g. scrolling down on a document), or lying dormant until the sample reaches a particular targeted system.

TOWARD PREDICTIVE SECURITY

Threat detection is fundamentally an exercise in prediction. Security systems detect threats by taking available information (inputs) and returning an assessment of risk (outputs) according to an analysis model. Signature and behavioral analysis models, however, fall short of true predictive security. Signatures require threat encounters before they can predict (identify) threats, and behavioral analysis predictions lack precision and can also fail to predict more advanced threats that obscure or suppress their behavior. In short, organizations face a basic tradeoff when adopting these security models:

- Signature models reduce false positives at the expense of false negatives
- Behavioral models reduce false negatives at the expense of false positives

These tradeoffs come from these models' use of limited datasets and their corresponding inability to assess a potential threat's relation to the world of known code beyond signatures and behaviors. No matter how sophisticated the algorithms used, these security models will continue to suffer from this tradeoff on account of their limited data inputs.

True predictive security requires real-time security telemetry from a global population of devices and the use of machines to sift through this dataset to identify complex risk correlations that would otherwise evade human analysis and basic 1:1 pattern matching. The real promise of a predictive security model is that it can detect threats where no prior signatures exist and before threats exhibit malicious behavior. With this promise in mind, Lookout has designed and built the Lookout Security Platform.

II. The Lookout Security Platform

INTRODUCTION

The Lookout Security Platform is a cloud-based platform that detects and stops both mainstream and advanced mobile threats. The platform uses a predictive security model that enables threat detection even in cases where no prior signatures exist and before threats exhibit malicious behavior. It protects mobile endpoints and infrastructures from app- and device-based threats, enables deep threat investigation, and ultimately powers a wide range of Lookout product offerings:

[6] The Bearer of Bad News. Lookout. Apr. 19, 2013.
[7] Apps on Google Play Pose As Games and Infect Millions of Users with Adware. Avast. Feb. 3, 2015.


Figure 1: The Lookout Security Platform and Product Architecture

Consumer products: Lookout Mobile Security (LMS) for iOS; Lookout Mobile Security (LMS) for Android.
Enterprise products: Mobile Threat Protection (MTP) for iOS; Mobile Threat Protection (MTP) for Android; App Vetting API; Mobile Intelligence Center (MIC).
All of these products are built on the Lookout Security Platform.

To be clear, Lookout's platform incorporates signatures and behavioral analyses into its security stack to achieve defense-in-depth capabilities. It goes beyond these traditional detection techniques, however, in its use of real-time security telemetry and machine intelligence to automatically correlate the security signals from every device and app it encounters across multiple dimensions to track existing threats and predict novel threats.

III. App Analysis Architecture

The diagram on the following page depicts the architecture of the platform's app-based threat detection capabilities. This architecture follows a four-step process:
1. Data Acquisition
2. Data Enrichment
3. Data Analysis
4. Protection


Figure 2: The Lookout Security Platform App Analysis Architecture


i. Acquisition

The platform collects real-time security telemetry on mobile applications from a variety of sources:

MOBILE SENSOR NETWORK - More than 60 million registered mobile devices worldwide provide Lookout with a comprehensive, real-time view into threats on just one device or millions. Lookout's app binary acquisition process spreads the load among multiple devices to limit battery and data impact, reassembling the app fragments in the cloud and preserving end-user privacy by only collecting application binaries, not user personal data (e.g. photos, messages) generated in the course of using these applications.

CRAWLING - Lookout continually monitors the major and minor app stores of the world, including app stores in countries such as China, Russia, and India. Lookout's crawling technology also enables app acquisition from ad hoc web sources.

APP VETTING API - By serving as the exclusive security layer for some of the world's largest app stores, the Lookout Security Platform has privileged access to malware submitted to these stores that never sees the light of day.

AT A GLANCE
Registered mobile sensors:                                  60+ million worldwide
App Vetting API partners:                                   Many, including some of the world's largest app stores
Unique app binaries detected [8]:                           67,500,000
Unique app binaries acquired:                               8,300,000
Unique app binaries detected on only one device worldwide:  875,000
Apps acquired daily:                                        10,000+

[8] Lookout's platform is aware of the presence of 67,500,000 unique app binaries in the world, counted by cryptographic hash. This includes both system apps (apps that are part of the operating system) and user-downloaded apps, and counts each version of an app as a unique app instance.

The following table highlights the types of data collected from mobile sensors in this acquisition funnel:

Table 3: Mobile Sensor Data Collection

TYPE                                  ANDROID/iOS     SCOPE
APPLICATION
  Cryptographic hash                  Android + iOS   All device apps.
  Package name                        Android + iOS   All device apps.
  APK file [9]                        Android         Only apps not recognized by Lookout's platform.
  .ipa file metadata                  iOS             Only non-Apple App Store or enterprise-signed apps
  (Bundle ID, Team ID)                                not recognized by Lookout's platform.

With respect to the collection of data directly from endpoint mobile devices, the Lookout Security Platform takes precautions to ensure it protects user privacy. For its consumer application, Lookout obtains consent before collecting security telemetry and offers users the right to opt out of this data collection. For Lookout's enterprise clients, use of the product is conditional on sharing this security telemetry, which is required by Lookout to protect organizations. To reiterate, Lookout never collects personal data generated by users on their devices, such as images, audio, video, or text, and also never uses collected security telemetry to identify individual users unless a user specifically requests contact regarding a security issue.

[9] APK = Android Application Package, the package file format used to distribute and install app software onto Android devices.
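The acquisition funnel described above (hash and package name for every app, the binary itself only for apps the platform does not recognize, fetched in fragments spread across several sensors and reassembled in the cloud), as an added Python sketch. This is not Lookout's code; the sensors, the two byte strings standing in for APKs, the 4-byte fragment size and the round-robin scheduling are assumptions made for the example. The one check a practitioner should carry over is that the reassembled binary has to hash to the value the sensors reported before it is admitted to the dataset, so a corrupt or tampered slice cannot poison it.

```python
"""Fragment-based app binary acquisition (constructed example).

Added illustration, not Lookout's code. Sensors report (hash, package name)
for every installed app; the cloud asks only for hashes it has never seen,
and the slices of each such binary are spread over the sensors that hold it.
The cloud reassembles the slices and admits the binary only if the whole
file hashes to what the sensors reported.
"""
import hashlib
from dataclasses import dataclass, field

FRAGMENT_SIZE = 4  # bytes; tiny so the constructed sample yields several slices


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Cloud:
    known_hashes: set = field(default_factory=set)   # binaries already in the dataset
    pending: dict = field(default_factory=dict)      # hash -> {slice index: bytes}
    acquired: dict = field(default_factory=dict)     # hash -> verified binary
    rejected: list = field(default_factory=list)     # hashes whose reassembly failed

    def wanted(self, inventory):
        """Step 1: from a sensor's (hash, package) list, pick unrecognized binaries."""
        return [h for h, _pkg in inventory if h not in self.known_hashes]

    def receive_fragment(self, app_hash, index, total, data):
        """Steps 2 and 3: buffer one slice; once all slices are in, verify and admit.
        Returns None while incomplete, True on success, False on hash mismatch."""
        buf = self.pending.setdefault(app_hash, {})
        buf[index] = data
        if len(buf) < total:
            return None
        binary = b"".join(buf[i] for i in range(total))
        del self.pending[app_hash]
        if sha256(binary) != app_hash:       # corrupt or tampered slice: never ingest
            self.rejected.append(app_hash)
            return False
        self.acquired[app_hash] = binary
        self.known_hashes.add(app_hash)
        return True


def fragments(binary: bytes):
    return [binary[i:i + FRAGMENT_SIZE] for i in range(0, len(binary), FRAGMENT_SIZE)]


def acquire(cloud, sensors, app_hash):
    """Round-robin the slices over every sensor holding the app so that no
    single device pays the whole upload in battery or data."""
    holders = [s for s in sensors if app_hash in s["apps"]]
    parts = fragments(holders[0]["apps"][app_hash])
    result = None
    for i, part in enumerate(parts):
        sensor = holders[i % len(holders)]
        sensor["uploaded"] += len(part)            # per-device upload accounting
        result = cloud.receive_fragment(app_hash, i, len(parts), part)
    return result


def run_demo():
    # Constructed stand-ins for a known APK and a never-seen one (27 bytes).
    known_apk = b"PK\x03\x04known-app-bytes"
    new_apk = b"PK\x03\x04unrecognized-app-bytes!"
    cloud = Cloud(known_hashes={sha256(known_apk)})
    sensors = [{"apps": {sha256(known_apk): known_apk, sha256(new_apk): new_apk},
                "uploaded": 0} for _ in range(3)]
    inventory = [(h, "com.example.app") for h in sensors[0]["apps"]]
    wanted = cloud.wanted(inventory)
    ok = acquire(cloud, sensors, wanted[0])
    return {"wanted": wanted, "acquired": ok,
            "uploaded_per_sensor": [s["uploaded"] for s in sensors]}


if __name__ == "__main__":
    print(run_demo())
```

Only the binary crosses the wire: the sensor never sends anything it did not read from the package file itself, which is how the privacy property stated above is kept in this sketch.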


ii. Enrichment

Each app acquired by Lookout's platform undergoes a unique enrichment process that characterizes how it works and accurately relates it to the world of known applications:

METADATA: Lookout appends data that includes app name, digital signature, app store description, and developer name.

  Examples:
  Package name:  com.android.service
  Signer:        bb626d3b8406e7fc330d0f4b304cbfc5f610721f
                 CN=Dragon, L=SZ, ST=GZ, C=CN
  Packaged date: 2012-09-20 18:36:44 UTC
  Signed date:   2012-09-20 18:36:42 UTC

BEHAVIOR: The platform generates app behavior data through dynamic and symbolic execution technologies that run the app in a simulated environment and analyze the capabilities of its code.

  Examples (behavioral analysis results):
  write_file (Osiris[0.1.217])
  read_contacts (Static Behavior Extraction[3.1.469])
  write_contacts (Static Behavior Extraction[3.1.469])
  read_sms (Static Behavior Extraction[3.1.469])
  read_imsi (Static Behavior Extraction[3.1.469])

REPUTATION: Lookout incorporates data related to the authorship, origin, and geo-historical distribution of an app, such as the duration and location of its popularity.

  Example (reputation result):
  95% of known APKs that use this signer are malware

APP GENOME SEQUENCING ANALYSIS: The platform automatically assesses the fuzzy code similarity an app shares with all known code in Lookout's mobile intelligence dataset. It reveals where that app's code (or its relatives) appears in the world by analyzing approximate similarity between individual code classes and then computing an aggregate similarity score.

  Examples:
  INDEX CLASS                      SCORE
  Lorg/linphone/MapAPP$1$1;        0.9433
  Lorg/linphone/MapAPP;            0.9846
  Lorg/linphone/util/Constant;     1.0000
  Index match:                     0.9923

Lookout holds patents related to its App Genome Sequencing technology, which is one of the key differentiating technologies that powers Lookout's predictive security model. Whereas attackers can evade signatures by changing a single line of code, App Genome Sequencing technology does not depend on precise 1:1 matches and can instead assess approximate match scores at both a granular (class or code block) and holistic (app) level. This dramatically raises the cost of attack because it requires attackers to essentially start from scratch and overhaul their entire code base to evade detection.

Even some of the less powerful enrichment technologies can play a key role in identifying and tracking malicious code by adding relevant data points to feed Lookout's Helix security engine and enable it to find more complex, multidimensional correlations.
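The contrast drawn above between exact signatures and approximate matching, as an added Python example. It is not Lookout's App Genome Sequencing code (the paper does not describe those internals) and goes slightly beyond the text by running the full loop: it takes the two sequence signatures of Table 1, applies the attacker's two-keystroke edit together with the automated renaming and filler insertion described in Section I, and then scores the result per class and in aggregate in the layout of the score table above. The three-class "family", the benign app, the Dalvik-style instruction listings and the LCS-based similarity over instruction mnemonics are all assumptions made for the example.

```python
"""Exact signatures vs. approximate code similarity (constructed example).

Added illustration, not Lookout's App Genome Sequencing implementation. An
app is modelled as {class name: [Dalvik-style instruction, ...]}. A
signature engine scans the flattened bytes for exact sequences; the
similarity scorer compares each sample class with every index class on
instruction shape alone and aggregates the best matches by class size.
"""
import hashlib

# Constructed "known family" index: three classes of a rooting trojan.
KNOWN = {
    "Lcom/dragon/svc/Main;": [
        "invoke-static Lcom/dragon/svc/Root;->check()Z", "move-result v0",
        "if-eqz v0 :skip", 'const-string v1 "AndroidRTService.apk"',
        "invoke-virtual v2,v1 ->install(Ljava/lang/String;)V", "return-void",
    ],
    "Lcom/dragon/svc/Root;": [
        'const-string v0 "/system/bin/su"', "new-instance v1 Ljava/io/File;",
        "invoke-direct v1,v0 Ljava/io/File;-><init>", "invoke-virtual v1 ->exists()Z",
        "move-result v2", "return v2",
    ],
    "Lcom/dragon/svc/Net;": [
        'const-string v0 "http://c2.invalid/upload"', "invoke-static v0 ->open",
        "move-result-object v1", "invoke-virtual v1,v2 ->write([B)V", "return-void",
    ],
}

# Constructed benign app with no relation to the family above.
BENIGN = {
    "Lcom/social/Feed;": [
        "iget-object v0,p0 ->mContacts", "invoke-interface v0 ->iterator()",
        "move-result-object v1", "check-cast v1 Lcom/social/Contact;",
        "iput-object v1,p0 ->mCurrent", "const/4 v2 1", "if-ne v1,v2 :loop",
        "goto :loop", "return-void",
    ],
}

# Sequence signatures in the style of Table 1.
SIGNATURES = [b"AndroidRTService.apk", b"/system/bin/su"]


def serialize(app):
    """Flatten the app to the byte stream a signature engine would scan."""
    return "\n".join(c + "\n" + "\n".join(ins) for c, ins in sorted(app.items())).encode()


def signature_hits(app):
    blob = serialize(app)
    return [s.decode() for s in SIGNATURES if s in blob]


def file_hash(app):
    return hashlib.sha256(serialize(app)).hexdigest()


def obfuscate(app, prefix="Lx/y/", filler_every=2):
    """Attacker side: Table 1's two keystrokes, plus automated class renaming
    and a 'nop' filler instruction after every second instruction."""
    out = {}
    for cname, ins in app.items():
        new_ins = []
        for i, s in enumerate(ins):
            s = s.replace("AndroidRTService", "AndroidRTSXervice")
            s = s.replace("/system/bin/su", "/system/bin/ su")
            s = s.replace("Lcom/dragon/svc/", prefix)
            new_ins.append(s)
            if i % filler_every == 1:
                new_ins.append("nop")
        out[prefix + cname.rsplit("/", 1)[-1]] = new_ins
    return out


def opcodes(ins):
    """Instruction shape only: the mnemonic, with operands and names dropped."""
    return [s.split(" ", 1)[0] for s in ins]


def lcs_len(a, b):
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def class_similarity(ins_a, ins_b):
    """2*LCS/(|a|+|b|) over opcode sequences: 1.0 for identical shape,
    degraded (not destroyed) by filler, unaffected by renames and string edits."""
    a, b = opcodes(ins_a), opcodes(ins_b)
    return 2.0 * lcs_len(a, b) / (len(a) + len(b)) if a and b else 0.0


def genome_match(sample, index):
    """Per-class best index match and the size-weighted aggregate ('index match')."""
    per_class = {}
    for cname, ins in sample.items():
        best_name, best_ins = max(index.items(), key=lambda kv: class_similarity(ins, kv[1]))
        per_class[cname] = (best_name, round(class_similarity(ins, best_ins), 4))
    total = sum(len(ins) for ins in sample.values())
    index_match = sum(len(ins) * per_class[c][1] for c, ins in sample.items()) / total
    return per_class, round(index_match, 4)


if __name__ == "__main__":
    variant = obfuscate(KNOWN)
    print("signature hits:", signature_hits(KNOWN), "->", signature_hits(variant))
    print("hash equal:", file_hash(KNOWN) == file_hash(variant))
    print("variant vs index:", genome_match(variant, KNOWN))
    print("benign vs index:", genome_match(BENIGN, KNOWN))
```

After obfuscation both signatures and the file hash miss, while every renamed class still scores 0.8 or better against its original and the aggregate stays above 0.8; the unrelated app scores well under 0.5. Comparing on instruction shape is what makes renaming and string edits free for the defender; an attacker has to restructure the code itself to move the score, which is the cost increase the text describes.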


iii. Analysis

Lookout's Helix security engine ingests the data generated by the platform's acquisition and enrichment processes and then automatically compares these data points to the hundreds of millions of data points in Lookout's mobile intelligence dataset. Multidimensional threat correlation makes the platform substantially harder to evade because it requires attackers to re-implement their entire platform and command and control infrastructure, instead of simply changing the few components that match a signature or obscuring the malicious activity that would trigger an alert. In the event that the Lookout Security Platform finds no correlations, the platform relies on a risk-scoring model, taking inputs from the enrichment and analysis processes to predict zero-day threats.

The stunning breadth and complexity of the multidimensional correlations generated by the Helix security engine far outpace the capacities of human analysts and behavioral analysis models alone. Consider the diagrams on the following pages that visualize these correlations for two distinct malware families, Mouabad and NotInstalledYo.


Figure 3: Multidimensional Threat Correlation Analysis of Mouabad Malware Family

This diagram shows samples of the Mouabad mobile malware family, correlated by shared signer, IP communications, and binary similarity as calculated by the platform's App Genome Sequencing technology. Mouabad is a family of trojans that enable third-party control over a compromised device, allowing remote attackers to send premium-rate SMS messages and engage in remote dialing activities.


Figure 4: Multidimensional Threat Correlation Analysis of NotInstalledYo Malware Family.

This diagram shows samples of the NotInstalledYo mobile malware family, correlated by shared signers and binary similarity as calculated by the platform's App Genome Sequencing technology. The node at the center of this galaxy represents a widely shared signer that uses a compromised signing key. NotInstalledYo is a family of spyware that intercepts SMS messages on victimized devices and forwards them to attackers.

Figure 4.1: Red Zone Enlarged

Samples that share a high degree of binary similarity are grouped by color and nodes to which multiple colored
nodes connect signify a shared signer amongst those samples.
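The correlation the two figures visualize (samples linked by shared signer, shared command-and-control host, and binary similarity; family labels spreading along the links; a risk score as the fallback when a sample has no link to known malware), as an added Python example. It is not Lookout's Helix engine or its data, and it goes beyond the text in one way: it also covers Table 2's two apps, which exhibit the same contact-exfiltration behavior and are told apart only by the dimensions around them, and the signer-reputation figure from the enrichment section. All sample records, similarity scores (stand-ins for App Genome output), behavior weights and thresholds are constructed. One caveat is built in, following Figure 4's compromised-key node: sharing a signer with benign apps does not clear a sample; only links to labeled malware propagate.

```python
"""Multidimensional correlation over app samples (constructed example).

Added illustration, not Lookout's Helix engine or its data. Each sample
carries the enrichment outputs the text describes: signer, C2 hosts,
extracted behaviors, a family label when the index already knows it, and
precomputed binary-similarity scores (stand-ins for App Genome scores).
Samples are linked when they share a signer, share C2 infrastructure, or
are near-identical code; malware labels propagate across the links. A
sample that ends up with no malware correlation falls back to a risk
score built from the same inputs.
"""
from collections import defaultdict

SIMILARITY_THRESHOLD = 0.85   # link two samples as "same code" at or above this
BEHAVIOR_WEIGHTS = {"send_sms": 0.4, "read_sms": 0.4, "dial": 0.3, "record_audio": 0.3,
                    "read_contacts": 0.2, "net": 0.1, "read_calendar": 0.05}

# Constructed samples; 'label' is a malware family, "benign", or None (unclassified).
SAMPLES = {
    "mouabad-a": {"signer": "sig-dragon", "c2": {"203.0.113.7"}, "label": "Mouabad",
                  "behaviors": {"send_sms", "read_contacts"}, "similar": {"unknown-1": 0.93}},
    "mouabad-b": {"signer": "sig-dragon", "c2": {"203.0.113.7", "198.51.100.2"}, "label": "Mouabad",
                  "behaviors": {"send_sms", "dial"}, "similar": {}},
    "unknown-1": {"signer": "sig-fresh-1", "c2": set(), "label": None,        # same code, new key
                  "behaviors": {"read_contacts"}, "similar": {"mouabad-a": 0.93}},
    "unknown-2": {"signer": "sig-dragon", "c2": set(), "label": None,          # new code, old key
                  "behaviors": {"read_contacts", "net"}, "similar": {}},
    "unknown-3": {"signer": "sig-fresh-3", "c2": set(), "label": None,         # only weak similarity
                  "behaviors": {"read_contacts", "net"}, "similar": {"mouabad-b": 0.6}},
    "social-app": {"signer": "sig-social", "c2": set(), "label": None,          # Table 2's App 1
                   "behaviors": {"read_contacts", "net", "read_calendar"}, "similar": {}},
    "social-old": {"signer": "sig-social", "c2": set(), "label": "benign",
                   "behaviors": {"read_contacts", "net"}, "similar": {}},
    "voip-app": {"signer": "sig-author", "c2": set(), "label": None,            # Table 2's App 2
                 "behaviors": {"read_contacts", "net", "record_audio"}, "similar": {}},
    "spy-old": {"signer": "sig-author", "c2": {"192.0.2.9"}, "label": "Spyware",
                "behaviors": {"read_sms", "net"}, "similar": {}},
}


def is_malware(sample):
    return sample["label"] not in (None, "benign")


def correlate(samples):
    """Connected components over shared-signer, shared-C2 and code-similarity edges."""
    parent = {h: h for h in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    groups = defaultdict(list)
    for h, s in samples.items():
        groups[("signer", s["signer"])].append(h)
        for ip in s["c2"]:
            groups[("c2", ip)].append(h)
        for other, score in s["similar"].items():
            if score >= SIMILARITY_THRESHOLD and other in samples:
                parent[find(h)] = find(other)
    for members in groups.values():
        for h in members[1:]:
            parent[find(members[0])] = find(h)
    comps = defaultdict(set)
    for h in samples:
        comps[find(h)].add(h)
    return list(comps.values())


def signer_reputation(samples, signer):
    """Share of classified samples with this signer that are malware (None if no data)."""
    labeled = [s for s in samples.values() if s["signer"] == signer and s["label"]]
    if not labeled:
        return None
    return sum(is_malware(s) for s in labeled) / len(labeled)


def risk_score(samples, h):
    """Fallback for samples with no malware correlation: behavior weights, half of
    the strongest sub-threshold similarity to known malware, and signer reputation."""
    s = samples[h]
    score = sum(BEHAVIOR_WEIGHTS.get(b, 0.05) for b in s["behaviors"])
    weak = [sc for o, sc in s["similar"].items() if o in samples and is_malware(samples[o])]
    score += 0.5 * max(weak, default=0.0)
    score += 0.3 * (signer_reputation(samples, s["signer"]) or 0.0)
    return round(min(score, 1.0), 3)


def classify(samples):
    """known: already labeled; correlated: linked to labeled malware; scored: fallback."""
    verdicts = {}
    for comp in correlate(samples):
        families = sorted({samples[h]["label"] for h in comp if is_malware(samples[h])})
        for h in comp:
            if samples[h]["label"]:
                verdicts[h] = ("known", samples[h]["label"])
            elif families:
                verdicts[h] = ("correlated", "/".join(families))
            else:
                verdicts[h] = ("scored", risk_score(samples, h))
    return verdicts


if __name__ == "__main__":
    for name, verdict in sorted(classify(SAMPLES).items()):
        print(f"{name:11s} {verdict}")
```

Both Table 2 apps upload contacts, yet only the VoIP app ends up "correlated" (its signer also signed a labeled spyware sample), while the social app, sharing a signer only with a benign app, drops to the fallback and scores low. Rebuilding the code under a fresh key (unknown-1) or shipping new code under the old key (unknown-2) each still leaves one dimension intact; an attacker has to cut every link at once to reach the fallback path.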


iv. Protection

The output of Lookout's platform is a dynamic security decision that identifies evolving known threats as well as unique, targeted attacks. When the platform detects novel threats it automatically initiates an investigative process, alerting Lookout's Research and Response team to further investigate the operation and motivation of the attackers, take remedial action such as issuing server takedown requests, and ensure that relevant partners, customers and organizations take remedial action if needed.


IV. Device Analysis Architecture

Figure 5: The Lookout Security Platform Device Analysis Architecture

To protect the underlying security of mobile devices from threats such as malicious rooting and jailbreaking, the Lookout Security Platform collects a range of device security telemetry to form a digital fingerprint of each device. This security telemetry includes:

a. OS/Firmware data - OS file metadata, such as the file name and hash
b. Configuration data - system properties of the OS configuration
c. Device data - device identifier information, for device remediation purposes

After collecting this data the platform re-assembles it in the cloud to form a device fingerprint. It correlates the various data points of this fingerprint against Lookout's mobile intelligence dataset to identify when a device is vulnerable or has been compromised, and can also predict device risk based on anomalies or correlations to known signals of compromise. When the platform detects a compromised device it executes remedial action through an integrated Mobile Device Management (MDM) client.
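The server-side comparison of a device fingerprint against known-good state, as an added Python example; it is not Lookout's device analysis code. The client side collects the three kinds of telemetry listed above (build identity and system properties, hashes of OS files) and makes no decision; the server compares the whole profile to a baseline for that exact build and to a list of known compromise indicators. The build string, file paths, property names, hashes and the indicator list are constructed sample data. The second profile shows why a single client-side point test is not enough: root that hides its su binary passes the point test but still leaves a patched app_process and a changed property in the profile.

```python
"""Server-side device fingerprint assessment (constructed example).

Added illustration, not Lookout's device analysis code. The client only
collects a device profile (build identity, system properties, hashes of OS
files); the server compares the whole profile against a known-good
baseline for that exact build, so an attacker must forge the entire state
rather than defeat one client-side point test. Build strings, paths and
hashes below are constructed sample data.
"""
import hashlib


def h(content: str) -> str:
    """Stand-in for the hash a sensor reports for an OS file."""
    return hashlib.sha256(content.encode()).hexdigest()


STOCK_BUILD = "vendor/device/device:5.0/BUILD1/1:user/release-keys"

# Known-good reference per build, as the cloud would hold it.
BASELINE = {
    STOCK_BUILD: {
        "files": {
            "/system/bin/app_process": h("stock app_process BUILD1"),
            "/system/lib/libc.so": h("stock libc BUILD1"),
            "/system/build.prop": h("stock build.prop BUILD1"),
        },
        "props": {"ro.secure": "1", "ro.debuggable": "0", "ro.build.tags": "release-keys"},
    }
}
COMPROMISE_INDICATORS = {"/system/xbin/su", "/system/bin/su", "/system/app/Superuser.apk"}
SYSTEM_PREFIXES = ("/system/bin/", "/system/xbin/", "/system/lib/", "/system/app/")


def point_test(fingerprint):
    """The kind of single client-side check the text says attackers deconstruct."""
    return "/system/xbin/su" in fingerprint["files"]


def assess(fingerprint, baseline=BASELINE):
    """Return (verdict, reasons); verdict is 'clean', 'anomalous' or 'compromised'."""
    reasons = []
    build = fingerprint["props"].get("ro.build.fingerprint")
    ref = baseline.get(build)
    if ref is None:   # no baseline: can't vouch for it, but no proof of compromise either
        return "anomalous", [f"unknown build {build!r}: nothing to compare against"]
    for path, expected in ref["files"].items():
        got = fingerprint["files"].get(path)
        if got is None:
            reasons.append(f"missing OS file {path}")
        elif got != expected:
            reasons.append(f"modified OS file {path}")
    for path in fingerprint["files"]:
        if path in COMPROMISE_INDICATORS:
            reasons.append(f"known compromise indicator present: {path}")
        elif path.startswith(SYSTEM_PREFIXES) and path not in ref["files"]:
            reasons.append(f"unexpected file in system partition: {path}")
    for key, expected in ref["props"].items():
        got = fingerprint["props"].get(key)
        if got != expected:
            reasons.append(f"property {key}={got!r}, baseline {expected!r}")
    if not reasons:
        return "clean", reasons
    hard = any(r.startswith(("known compromise", "modified OS file")) for r in reasons)
    return ("compromised" if hard else "anomalous"), reasons


def stock_profile():
    """What an untouched device on STOCK_BUILD reports."""
    return {"props": {"ro.build.fingerprint": STOCK_BUILD, "ro.secure": "1",
                      "ro.debuggable": "0", "ro.build.tags": "release-keys"},
            "files": dict(BASELINE[STOCK_BUILD]["files"])}


def rooted_profile_hiding_su():
    """Root that hides the su binary to pass point_test(), but left a patched
    app_process and ro.secure=0 behind: the holistic comparison still catches it."""
    p = stock_profile()
    p["files"]["/system/bin/app_process"] = h("patched app_process with root hook")
    p["props"]["ro.secure"] = "0"
    return p


if __name__ == "__main__":
    for name, prof in (("stock", stock_profile()), ("hidden root", rooted_profile_hiding_su())):
        print(name, "point test:", point_test(prof), "server:", assess(prof))
```

Because the verdict logic lives on the server, the profile an attacker would have to forge is the full set of file hashes and properties for the claimed build, and the checks themselves are not available on the device to reverse-engineer.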


Today, most device compromise detection models rely on a handful of point tests, hard coded on the mobile client. Attackers have identified and successfully deconstructed these point tests and devised countermeasures to easily evade them. Lookout's detection model, however, differs substantially from these approaches in that it collects a holistic fingerprint of the device profile and sends it up to the cloud to analyze on the server side. Lookout's security model offers two key advantages: instead of reverse-engineering a few client-side point tests, attackers need to mimic the entire device state and its corresponding signals to evade Lookout, which significantly raises the cost of attack. In addition, the server-side analysis inhibits attackers from easily reverse-engineering Lookout's detection methodology.

V. Predictive Security in Action

The following threat detections demonstrate how the Lookout Security Platform has delivered on the promise of predictive security: it can detect threats for which no prior signatures exist and can even detect threats before they exhibit malicious behavior.

CASE STUDY 1: BadNews

Consider the case of BadNews, a malicious mobile ad network. Lookout found BadNews embedded in 32 different apps that were live in Google Play and had received millions of downloads. BadNews enabled the installation of additional APKs and could open URLs in the browser, although it exhibited neither of these behaviors at the time of discovery. The Lookout Security Platform, however, detected that BadNews contained code that shared statistically significant correlations to known Russian malware and, in a pre-crime maneuver, proactively protected Lookout-enabled devices.

Post protection, Lookout continued to monitor BadNews in the wild and later observed it distributing new zero-day trojans via the APK installation functionality. Notably, BadNews only engaged in this malicious activity for five minutes a day, effectively disguising its activity from sandboxed security environments where isolated, point-in-time behavioral analyses would not detect the activity.

To read more about BadNews, please visit our blog:
<https://blog.lookout.com/blog/2013/04/19/the-bearer-of-badnews-malware-google-play/>

CASE STUDY 2: MalApp.D

The power of a predictive security model is evident in Lookout's detection of MalApp.D, a mobile threat that matched no prior signature nor engaged in overtly malicious behavior, but nonetheless put enterprise contact data and voice communications at risk.

MalApp.D was embedded in a seemingly benign VoIP app that was live in the Google Play Store at the time of Lookout's detection. With a handful of positive reviews and a 4.2 star rating, the app appeared legitimate. Through multidimensional correlation, however, Lookout's platform revealed that this VoIP app was likely developed by a known author of mobile malware, and it therefore posed an unacceptable risk to enterprises given its access to device contacts and potential call recording capabilities.

To read more about MalApp.D, please visit our website:
<https://www.lookout.com/resources/reports/malapp>


VI. Conclusion
The Lookout Security Platform analyzes potential mobile threats not in the context of a single server, a single device, or a single application, but in the context of global mobile devices and code. Lookout's predictive security model enables more reliable tracking of existing threats and more precise predictions of zero-day threats.

Yet predictive security models only work if they can draw on global context. The continued failure of signatures and behavioral analysis alone to consistently identify threats without oceans of false positives or false negatives reveals the critical importance of having large, contextual data sets. Lookout's platform excels at finding the signal amid the noise because it has unprecedented insight into the code, both apps and firmware, running on tens of millions of devices around the planet. This massive dataset produces hundreds of millions of data points that the platform can use to correlate and predict security threats and risks.

Predictive security models require machine intelligence to identify exceedingly complex correlations and risk signals that humans cannot possibly identify at scale. Today, most detection systems excel only at identifying the bank robber who has already hit the vault. We should instead use the deluge of data available to us to predict the next bank robber based on their correlations across multiple dimensions to known bad actors.
