NSK’s new product, BitHawk, is a cyber defense application that picks up where your antivirus solutions leave off. It provides our customers with powerful, efficient protection and system clean-up capabilities.
Below is an example of how it found an app on one of our clients’ phones that was connected to Chinese adware/spyware servers and collecting data from the person’s phone.
There are quite a few apps like this that communicate with adware/spyware servers and collect the user’s data in the background. Most of the time it goes completely unnoticed because it all operates behind the scenes, especially on Android phones. Google is less restrictive than Apple about which applications (apps) get published in its Android app store compared to Apple's App Store for iPhones.
The BitHawk alert itself is pretty cool: it told us that someone had a ‘flashlight’ app on their phone. Third-party flashlight apps downloaded through the app store typically contain spyware; a flashlight app that came preinstalled with your phone is typically safe. This one was connecting to a server in China, collecting personal information from the user’s phone, and sending it back.
It is not as high an alert as ransomware, but it is great to see that with BitHawk we were able to detect the traffic from these ad servers, trace the source back to a cell phone within an organization that was using the product, and finally know exactly which application on the Android phone was doing it. That allowed us to remediate the issue and keep prying eyes off the employees' personal information.
Below is the alert that one of our Help Desk Engineers received from the BitHawk Application that we use.
Sent: Wednesday, July 12, 2017 11:09 PM
To: Nick Seratt
Subject: [IR#-------] BitHawk Alert - Low
As of 02:56 UTC BitHawk performed an investigation that led to the discovery of a misbehaving application.
A flashlight application installed on an Android device is performing regular data collection for adware and sending that information to an IP address in Hangzhou China.
We believe that the adware is associated with Alibaba and is potentially an unwanted application that should not be allowed on the corporate network.
Related information on the remote site can be found here: (link removed for security reasons)
The application is possibly this -> http://www.apkmonk.com/app/com.jiubang.fastestflashlight/
Please review the permissions for this app; they seem excessive for a flashlight application, and there is no reason for it to be sending regular updates outbound.
The internal device is an Android LG MS210. The device was last seen at IP address 192.xxx.xx.x
BitHawk Security Operations Center
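The kind of detection the alert describes (an internal device sending traffic to one external host at regular intervals) can be illustrated with a small beacon detector run over flow records. This is an added example and not BitHawk's code; the record format, the IP addresses and the thresholds are assumptions, and the flow data is constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records (not real BitHawk data):
# (epoch_seconds, src_ip, dst_ip, bytes_out).
# 192.0.2.10 phones home to 203.0.113.5 every 300 s; 192.0.2.11 browses irregularly.
FLOWS = [
    (1499900000, "192.0.2.10", "203.0.113.5", 812),
    (1499900300, "192.0.2.10", "203.0.113.5", 790),
    (1499900600, "192.0.2.10", "203.0.113.5", 805),
    (1499900900, "192.0.2.10", "203.0.113.5", 821),
    (1499901200, "192.0.2.10", "203.0.113.5", 799),
    (1499900015, "192.0.2.11", "198.51.100.7", 3100),
    (1499900140, "192.0.2.11", "198.51.100.7", 48),
    (1499901050, "192.0.2.11", "198.51.100.7", 12000),
    (1499901075, "192.0.2.11", "198.51.100.7", 2),
]

def find_beacons(flows, min_flows=4, max_cv=0.15):
    """Group flows by (src, dst), compute inter-arrival gaps, and flag pairs whose
    gaps are nearly constant (coefficient of variation <= max_cv). Thresholds are
    assumed values for this example, not tuned production settings."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    alerts = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_flows:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            # Low severity mirrors the alert above: adware beaconing, not ransomware.
            alerts.append({"device": src, "remote": dst, "flows": len(times),
                           "interval_s": round(avg), "severity": "Low"})
    return alerts

if __name__ == "__main__":
    for a in find_beacons(FLOWS):
        print(f"[{a['severity']}] {a['device']} -> {a['remote']} "
              f"every ~{a['interval_s']}s ({a['flows']} flows)")
```

The flagged internal address is the starting point for the next step the post describes: identifying the device on the network and then the application responsible.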
Nick Seratt was instrumental in the writing of this blog article.