October 20, 2011

Security Alert: Legacy Makes Another Appearance, Meet Legacy Native (LeNa)

The Threat

Recently, Lookout identified a new Android Trojan, LeNa, which is an evolution of the Legacy variant discovered earlier this year (also known as DroidKungFu). Previous Legacy variants were spotted only in alternative app markets and forums in China, collecting various details about users’ Android devices. More recently, we discovered a variant of Legacy, which we are calling LegacyNative (LeNa), that was predominantly found in alternative Chinese markets, though a couple of instances were also found on the Android Market. LeNa has capabilities similar to those of its predecessors, but it uses new techniques to gain a foothold on mobile devices.

All Lookout users are already protected against LeNa. We let Google know about the variants, and all LeNa-infected apps were promptly removed from the Android Market.

How it Works

Unlike its predecessors, LeNa does not come with an exploit to root the device; rather, it requests privileged access on an already-rooted device. On un-rooted devices, it offers “helpful” instructions on how to root the phone. In some samples, LeNa is repackaged into apps (a VPN management tool, for instance) that could conceivably require root privileges to function properly. Other samples attempt to convince the user that root access is required to update. Once the user grants LeNa root privileges, it starts its infection process in the background while performing the advertised application tasks in the foreground.

Once on a user’s device, the Trojan uses a different tactic from those previously seen to infect the device and launch the malware. LeNa hides itself inside an application that is native to the device (an ELF binary). This is the first time an Android Trojan has relied fully on a native ELF binary as opposed to a typical VM-based Android application. In essence, LeNa trojanizes the phone’s system processes, latching itself onto an application that is native to the device and critical to making the phone function properly.
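The native-payload pattern described above suggests a simple triage check a defender can run over an APK before installing or while analyzing it: list every entry in the package that begins with the ELF magic bytes, and flag any that sit outside the conventional lib/ tree where JNI libraries normally live. The script below is an added example, not Lookout’s code or any LeNa signature; it is a generic heuristic, the sample APK it builds is constructed in memory, and the file names, the assumption that ELF files belong only under lib/, and the 64-byte header read are all choices made for the illustration.

```python
"""Flag ELF binaries bundled inside an APK outside the conventional lib/ tree.

Added example, not Lookout's code. Heuristic only: a native payload shipped in
assets/ or res/raw/ and launched after a root prompt matches the pattern the
post describes, but legitimate apps occasionally ship ELF helpers there too,
so treat hits as triage leads rather than verdicts.
"""
import io
import zipfile

ELF_MAGIC = b"\x7fELF"

# Directories where native code is expected in a normal APK (assumption).
EXPECTED_NATIVE_PREFIXES = ("lib/",)


def is_elf(data: bytes) -> bool:
    """True if the blob starts with the ELF magic bytes."""
    return data[:4] == ELF_MAGIC


def elf_header_summary(data: bytes) -> dict:
    """Minimal ELF header parse: word size, e_type and e_machine from the first 20 bytes."""
    ei_class = data[4]          # 1 = ELFCLASS32, 2 = ELFCLASS64
    ei_data = data[5]           # 1 = little-endian, 2 = big-endian
    byteorder = "little" if ei_data == 1 else "big"
    e_type = int.from_bytes(data[16:18], byteorder)      # 2 = ET_EXEC, 3 = ET_DYN
    e_machine = int.from_bytes(data[18:20], byteorder)   # 40 = EM_ARM
    return {"bits": 64 if ei_class == 2 else 32, "type": e_type, "machine": e_machine}


def find_elf_entries(apk_bytes: bytes) -> list:
    """Return (entry_name, header_summary, unexpected_location) for each ELF file in the APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)          # the ELF header fits comfortably in 64 bytes
            if not is_elf(head):
                continue
            unexpected = not info.filename.startswith(EXPECTED_NATIVE_PREFIXES)
            findings.append((info.filename, elf_header_summary(head), unexpected))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample APK (a zip) with an ordinary JNI .so and an ELF hidden in assets/."""
    def fake_elf(e_type: int) -> bytes:
        # 32-bit, little-endian, EM_ARM header stub followed by zero padding.
        hdr = ELF_MAGIC + bytes([1, 1, 1]) + b"\x00" * 9
        hdr += e_type.to_bytes(2, "little") + (40).to_bytes(2, "little")
        return hdr + b"\x00" * 44

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("lib/armeabi/libvpn.so", fake_elf(3))   # ET_DYN: a normal JNI library
        zf.writestr("assets/update.bin", fake_elf(2))       # ET_EXEC hiding under a bland name
        zf.writestr("res/raw/config.txt", b"server=example.invalid\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, hdr, unexpected in find_elf_entries(build_sample_apk()):
        flag = "SUSPICIOUS" if unexpected else "ok"
        print(f"{flag:10} {name} ({hdr['bits']}-bit, e_type={hdr['type']}, e_machine={hdr['machine']})")
```

Run against a real APK, `find_elf_entries(open(path, "rb").read())` gives the same triage list; an executable (e_type 2) stored under assets/ or res/raw/ in an app that also prompts for root is exactly the combination worth a closer look.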

Our analysis shows that, once it has root access, it has a number of malicious capabilities:

  • Communicating with a command and control (C & C) server
  • Downloading, installing and opening applications
  • Initiating web browser activity
  • Updating installed binaries, and more.

While analyzing and monitoring LeNa, we have seen the server push quite a few things. One of the applications pushed by the C&C server was a DroidDream-infected application. This may indicate a correlation between the creators of the DroidDream/DroidDreamLight variants of Android malware and the creators of the Legacy variants.

Click here for the complete technical teardown on LeNa.

Who is affected?

Though LeNa has primarily been distributed through third-party markets, a handful of samples were removed from the Android Market. Among the infected apps are One Key VPN and Easy VPN. In total, LeNa was repackaged into over 40 applications, often utility apps (a VPN app, a reader app, a security app, etc.).

How to Stay Safe

  • Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
  • Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
  • Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.
  • Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this Trojan.
  1. [...] min ago Lookout has identified a new Android malware threat which actually ends up as somewhat of an evolution of an older Trojan. [...]

  6. [...] methodologies. Last week, confidence researchers from mobile antivirus businessman Lookout detected another DroidKungFu variant that doesn’t use base exploits during [...]

  8. [...] other infection methodologies. Last week, security researchers from mobile antivirus vendor Lookout detected another DroidKungFu variant that doesn’t use root exploits at [...]

  11. [...] now comes in different flavours (5 so far), discovered by Pr. Xuxian Jiang (and research team) and Lookout. If, like me, you are having difficulties keeping track of those variants, this post is for you [...]

  13. [...] methodologies. Last week, confidence researchers from mobile antivirus businessman Lookout detected another DroidKungFu variant that doesn’t use base exploits at [...]

  16. [...] lookout] Stay tuned for the latest news from [...]

  17. [...] infection methodologies. Last week, security researchers from mobile antivirus vendor Lookout detected a further DroidKungFu variant that doesn’t use root exploits at [...]

  18. [...] recently encountered an interesting new variant of our “old friend” Legacy Native (LeNa). LeNa originally masqueraded as a legitimate application and attempted to trick a user into [...]

  19. [...] Last fall, LeNa – looking like an authentic application – relied on a user to unwittingly utilize the SU utility to gain access and install a native binary file to the phone. LeNa was similar to DroidKungFu, a strain of malware that became popular in alternative Chinese markets last summer and collected various information about whatever phone it infected. While LeNa gained popularity in Chinese markets as well, it also surfaced in the Android Market (Google Play) a few times. [...]
