The new malware is an updated variant of Legacy Native (LeNa) that uses the GingerBreak exploit to gain root permission on Android phones, collects various information about the phone and sends it to the attackers. What is alarming, according to the report published by Lookout Mobile Security, is that the malware requires no user interaction for the attacker to take control of the device.
Lookout Principal Engineer Tim Wyatt wrote in his blog post that the original LeNa masqueraded as a legitimate application and tried to trick the user into activating its malicious payload by invoking the SU utility, a tool that lets users root their Android devices. The original LeNa depended on users who root their phone: rooting grants superuser privileges so the phone can be modified, whether to upgrade its firmware, install new Android OS versions or apply other upgrades.
The modified LeNa, however, is a repackaged application that does what the old LeNa app did, but instead of only rooting the phone so the user can modify it as he likes, once it is running it also installs native binaries on the device that grant remote control, including the ability to install additional software without any user notification. Those affected by the malware are essentially users who have rooted their devices.
This new variant of LeNa masquerades as a JPEG file and hides its payload just past the “End of Image” marker of the JPEG image. Hidden at the end of the JPEG is a nested pair of ELF binaries: one exploits the GingerBreak vulnerability to drop and launch the second, an updated version of LeNa, according to Wyatt. Like its predecessor, this payload communicates with a remote command-and-control server and accepts instructions to install additional packages and push URLs to be displayed in the browser.
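A defensive check for the hiding technique described above, added here as an example (it is not code from Lookout or from the report): it walks the JPEG marker segments to find the real End-of-Image marker and flags any bytes appended after it, in particular ELF headers. The sample JPEG, the fake ELF headers and the payload layout are constructed for the demonstration.

```python
import struct
EOI, SOS, ELF_MAGIC = 0xD9, 0xDA, b"\x7fELF"
STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))  # TEM, SOI, RST0-7: no length field

def find_eoi_offset(data: bytes) -> int:
    """Walk the marker segments and return the offset just past the real EOI (FF D9)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte preceding a marker
            pos += 1
        elif marker == EOI:
            return pos + 2
        elif marker in STANDALONE:
            pos += 2
        else:
            if pos + 4 > len(data):
                break                 # truncated segment header
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
            if marker == SOS:         # entropy-coded data follows: FF is escaped as FF 00
                while pos + 1 < len(data):   # and RSTn markers belong to the scan
                    if data[pos] == 0xFF and data[pos + 1] != 0 and not 0xD0 <= data[pos + 1] <= 0xD7:
                        break
                    pos += 1
    raise ValueError("no EOI marker found")

def scan_trailer(data: bytes) -> dict:
    """Count bytes appended after EOI and list offsets of ELF headers among them."""
    end = find_eoi_offset(data)
    offsets, i = [], data.find(ELF_MAGIC, end)
    while i != -1:
        offsets.append(i)
        i = data.find(ELF_MAGIC, i + 1)
    return {"eoi_end": end, "trailing_bytes": len(data) - end, "elf_offsets": offsets}

def build_sample(payload: bytes) -> bytes:
    """Constructed minimal JPEG; APP1 embeds a thumbnail-style FF D8 .. FF D9 header."""
    app1_body = b"Exif\x00\x00\xff\xd8\x00\x11\xff\xd9"
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_body) + 2) + app1_body
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # escaped FF and an RST0 inside scan data
    return b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9" + payload

# Constructed stand-in for the nested loader + dropped ELF; its stray FF D9 shows why
# searching for the first or last FF D9 is not a reliable way to locate the EOI.
FAKE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
PAYLOAD = FAKE_ELF + b"loader-stub-bytes" + b"\xff\xd9" + FAKE_ELF + b"dropped-payload"
```

Calling `scan_trailer(build_sample(PAYLOAD))` reports 66 trailing bytes with ELF headers at offsets 38 and 73, while the clean image from `build_sample(b"")` reports none; a naive search for the first `FF D9` would stop at the embedded thumbnail header instead.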
It is also reported that a new version of LeNa disguises itself as a version of the popular game Angry Birds Space.
Christopher Brook of Threatpost noted that LeNa is similar to DroidKungFu, a strain of malware that became widespread in alternative Chinese markets last summer and collected various information about whatever phone it infected. While LeNa gained traction in Chinese markets as well, it also surfaced in the Android Market (Google Play) a few times.
Suffice it to say that malware targeting Android users can be found on alternative mobile application marketplaces that sell or give away Android apps outside the official Google Play market (formerly Android Market). Android users should be wary of downloading apps from these alternative markets, since most, if not all, of the applications there are illegitimate Android malware that runs stealthily and can take control of your device, for example by sending SMS messages to premium-rate numbers at the phone owner's expense.
In response, Google has launched a review process called Bouncer that scans the Google Play market and removes malicious apps. Users are strongly advised to download applications only from the official Google Play market so as not to suffer the bad experience of having their own phone controlled by scammers at their own expense.
Lookout added that for Android users to be safe they need to follow the tips below:
- Be alert for unusual behaviors on your phone, which could indicate that your phone is infected. These behaviors may include strange charges to your phone bill, unusual SMS or network activity, or application activities that launch when your device is locked.
- Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides and remember to look at the developer name, reviews and star ratings.
- Only download apps from trusted sources, such as reputable app stores and download sites.
- Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this Trojan.
via LookOut, ThreatPost.