We recently encountered an interesting new variant of our “old friend” Legacy Native (LeNa). LeNa originally masqueraded as a legitimate application and attempted to trick a user into activating its malicious payload by invoking the SU utility, which is used by “rooted” users to selectively grant superuser privileges to applications that request them. After the repackaged application gained root access, it functioned properly, but simultaneously installed a native binary file to the device granting remote control, including the ability to install additional software without any user notification. Because of its dependency on the SU utility to gain root permissions, the pool of users vulnerable to LeNA was inherently limited to those that rooted their devices – a relatively small, albeit technically adept set of users.
We’ve recently identified a significant update to LeNa that uses the GingerBreak exploit to gain root permissions on a device. By employing an exploit, this new variant of LeNa does not depend on user interaction to gain root access to a device. This extends its impact to users of devices not patched against this vulnerability (versions prior to 2.3.4 that do not otherwise have a back-ported patch).
All Lookout users are already protected against LeNa and it is not (at this time) believed to have been in the Google Play market.
How it works
This new variant of LeNa hides its payload just past the “End of Image” marker of an otherwise fully-functional JPEG.
Hidden at the end of this JPEG are a nested pair of ELF binaries. One exploits the GingerBreak vulnerability to drop and launch the second, an updated version of LeNa. As in its predecessor, this payload communicates with a remote Command and Control server and accepts instructions to install additional packages and push URLs to be displayed in the browser. At this time, LeNa’s C&C seems to be focusing on pushing a single package to the device: com.the9.gamechannel, a Chinese-language alternative market that publishes Android games. This package is installed without the user’s knowledge and subsequently launched – the result being that this alternate market may be front-and-center on a device after a user leaves it unattended for a prolonged period of time. While it shares much of the same functionality as any mobile application store, this alternate market has not been designed to mimic the official Google Play market.
Who is affected?
This latest version of LeNa has recently emerged in alternative markets, and it is not (at this time) believed to have been in the Google Play market. Among the apps in which this payload appears, however, is a fully functional copy of the recently released Angry Birds Space. The authors are undoubtedly hoping to capitalize on the latest release from this popular franchise to increase uptake on distribution.
How to stay safe
- Be alert for unusual behaviors on your phone, which could indicate that your phone is infected. These behaviors may include strange charges to your phone bill, unusual SMS or network activity, or application activities that launch when your device is locked.
- Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides and remember to look at the developer name, reviews and star ratings.
- Only download apps from trusted sources, such as reputable app stores and download sites.
- Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this Trojan.