October 20, 2011

Security Alert: Legacy Makes Another Appearance, Meet Legacy Native (LeNa)

The Threat

Recently, Lookout identified a new Android Trojan, LeNa, which is an evolution of the Legacy variant discovered earlier this year (also known as DroidKungFu). Previous Legacy variants were spotted only in alternative app markets and forums in China, collecting various details about users’ Android devices.  More recently, we discovered a variant of Legacy, which we are calling LegacyNative (LeNa) that was predominately found in alternative Chinese Markets, but a couple instances were also found on the Android Market. LeNa has similar capabilities as its predecessors, but it uses new techniques to gain a foothold on mobile devices.

All Lookout users are already protected against LeNa.  We let Google know about the variants and all LeNa infected apps were promptly removed from the Android Market.

How it Works

Unlike its predecessors, LeNa does not come with an exploit to root the device, rather it requests privileged access on a pre-rooted device.  On un-rooted devices, it offers “helpful” instructions on how to root the phone.  In some samples, LeNa is re-packaged into apps (a VPN management tool, for instance) that could conceivably require root privileges to function properly.  Other samples attempt to convince the user that root access is required to update. Once the user grants LeNa with root privileges, it starts its infection process in the background, while performing the advertised application tasks in the foreground.

Once on a user’s device, the Trojan takes a different tactic than previously seen to infect and launch the malware. LeNa hides itself inside an application that is native to the device (an ELF Binary). This is the first time an Android Trojan has relied fully on a native ELF binary as opposed to a typical VM-based Android application. In essence LeNa trojanizes the phone’s system processes, latching itself onto an application that is native to the device and critical to making the phone function properly.

Our analysis shows it having a number of malicious capabilities after requesting root access:

  • Communicating with a command and control (C & C) server
  • Downloading, installing and opening applications
  • Initiating web browser activity
  • Updating installed binaries, and more.

While analyzing and watching LeNa, we’ve seen quite a few things that were pushed by the server. One of the applications being pushed by the C&C server was a DroidDream infected application. This may show a possible correlation between the creators of the DroidDream/DroidDreamLight variants of Android malware and the Legacy variants.

Click here for the complete technical teardown on LeNa.

Who is affected?

Though LeNa has primarily been distributed through third-party markets, a handful of samples were removed from the Android Market.  Among the infected apps are One Key VPN and Easy VPN. In total, LeNa was repackaged in over 40 applications, often utility applications (VPN app, a Reader app, security application, etc.).

How to Stay Safe

  • Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
  • Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
  • Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.
  • Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this Trojan.
Leave a comment