April 3, 2012

Security Alert: New Variants of Legacy Native (LeNa) Identified

We recently encountered an interesting new variant of our “old friend” Legacy Native (LeNa). LeNa originally masqueraded as a legitimate application and attempted to trick a user into activating its malicious payload by invoking the su utility, which “rooted” users rely on to selectively grant superuser privileges to applications that request them. Once the repackaged application gained root access it functioned normally, but at the same time it installed a native binary on the device that granted remote control, including the ability to install additional software without any user notification. Because it depended on su to gain root permissions, the pool of users vulnerable to LeNa was inherently limited to those who had rooted their devices – a relatively small, albeit technically adept, set of users.

We’ve recently identified a significant update to LeNa that uses the GingerBreak exploit (CVE-2011-1823, a flaw in Android’s vold volume daemon) to gain root permissions on a device. By employing an exploit, this new variant of LeNa no longer depends on the user granting it root through su. This extends its impact to users of devices that are not patched against this vulnerability (Android versions prior to 2.3.4 that do not otherwise have a back-ported patch).

All Lookout users are already protected against LeNa and it is not (at this time) believed to have been in the Google Play market.

How it works

This new variant of LeNa hides its payload just past the “End of Image” marker (the two bytes 0xFF 0xD9) of an otherwise fully-functional JPEG. Image viewers stop decoding at that marker, so the trailing bytes do not affect how the picture is displayed.

Hidden at the end of this JPEG is a nested pair of ELF binaries. One exploits the GingerBreak vulnerability to drop and launch the second, an updated version of LeNa. As in its predecessor, this payload communicates with a remote Command and Control server and accepts instructions to install additional packages and push URLs to be displayed in the browser. At this time, LeNa’s C&C seems to be focusing on pushing a single package to the device: com.the9.gamechannel, a Chinese-language alternative market that publishes Android games. This package is installed without the user’s knowledge and subsequently launched – the result being that this alternate market may be front-and-center on a device after a user leaves it unattended for a prolonged period of time. While it shares much of the same functionality as any mobile application store, this alternate market has not been designed to mimic the official Google Play market.
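The carving check implied by the two paragraphs above, written here as an added Python example; it is not Lookout’s code and is not taken from the LeNa sample. It walks the JPEG marker structure to find the real End of Image marker (0xFF 0xD9) and then reports any ELF headers (0x7F 'E' 'L' 'F') in the bytes that follow, along with the ELF class and machine type so an ARM payload stands out. The sample JPEG and the two stub ELF headers it scans are constructed inline for the demonstration. A naive search for the first 0xFF 0xD9 would stop early on an EXIF thumbnail embedded in an APP1 segment, which has its own End of Image marker, so the example walks segments by their length fields and handles byte-stuffing and restart markers inside the scan data.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the real End of Image marker (FF D9).

    Walks the marker segments rather than searching for the first FF D9, because
    an APP1 (EXIF) segment may carry an embedded thumbnail JPEG with its own EOI.
    Raises ValueError if the stream is not a well-formed JPEG.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    pos = 2
    while True:
        if pos >= len(data) or data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        while pos < len(data) and data[pos] == 0xFF:   # FF fill bytes before a marker
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated stream")
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length field
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        if seg_len < 2:
            raise ValueError("bad segment length")
        pos += seg_len                                   # length includes its own two bytes
        if marker != SOS:
            continue
        # Entropy-coded data follows the SOS header. Inside it a literal FF is byte-stuffed
        # as FF 00 and FF D0..D7 are restart markers; anything else after FF is a real marker.
        while True:
            idx = data.find(b"\xff", pos)
            if idx < 0 or idx + 1 >= len(data):
                raise ValueError("scan data ends without EOI")
            nxt = data[idx + 1]
            if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                pos = idx + 2
            elif nxt == 0xFF:
                pos = idx + 1
            else:
                pos = idx
                break


def find_trailing_elfs(data: bytes):
    """Return (jpeg_end, trailing_byte_count, [(offset, ei_class, e_machine), ...])."""
    end = jpeg_end_offset(data)
    hits = []
    i = data.find(ELF_MAGIC, end)
    while i >= 0:
        ei_class = data[i + 4] if i + 5 <= len(data) else 0     # 1 = ELF32, 2 = ELF64
        e_machine = 0
        if i + 20 <= len(data):
            endian = "<" if data[i + 5] == 1 else ">"            # EI_DATA: 1 = little-endian
            e_machine = struct.unpack(endian + "H", data[i + 18:i + 20])[0]
        hits.append((i, ei_class, e_machine))
        i = data.find(ELF_MAGIC, i + 1)
    return end, len(data) - end, hits


def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample (not a real LeNa file): an EXIF thumbnail with its own EOI, a tiny scan
# containing a stuffed FF 00 and an RST0 marker, then two stub ARM ELF headers appended.
_THUMB = b"\xff\xd8" + _segment(SOS, b"\x00") + b"\x12\x34" + b"\xff\xd9"
SAMPLE_JPEG = (b"\xff\xd8"
               + _segment(0xE1, b"Exif\x00\x00" + _THUMB)
               + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
               + b"\xab\xff\x00\xcd\xff\xd0\xef"
               + b"\xff\xd9")
_ELF_ARM = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, 40)  # ELF32, LE, EM_ARM
SAMPLE_FILE = SAMPLE_JPEG + _ELF_ARM + b"stage1" + _ELF_ARM + b"stage2"

if __name__ == "__main__":
    for path in sys.argv[1:] or [None]:
        blob = open(path, "rb").read() if path else SAMPLE_FILE
        end, extra, hits = find_trailing_elfs(blob)
        print("%s: JPEG ends at %d, %d trailing bytes, ELF headers at %s"
              % (path or "<constructed sample>", end, extra, [h[0] for h in hits]))
```

Run it with one or more file paths to triage images pulled from an APK’s assets; with no arguments it scans the constructed sample, where the naive first-0xFFD9 search would have stopped inside the thumbnail at offset 21 while the real image ends at offset 42. Trailing bytes after EOI are not malicious by themselves (some cameras and editors append data too), so treat an ELF header in that region as the signal, not the mere presence of a trailer.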


Who is affected?

This latest version of LeNa has recently emerged in alternative markets, and it is not (at this time) believed to have been in the Google Play market. Among the apps in which this payload appears, however, is a fully functional copy of the recently released Angry Birds Space. The authors are undoubtedly hoping to capitalize on the latest release from this popular franchise to drive distribution.

How to stay safe

  • Be alert for unusual behaviors on your phone, which could indicate that your phone is infected. These behaviors may include strange charges to your phone bill, unusual SMS or network activity, or application activities that launch when your device is locked.
  • Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides and remember to look at the developer name, reviews and star ratings.
  • Only download apps from trusted sources, such as reputable app stores and download sites.
  • Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this Trojan.
30 comments
  1. vvanderer says:

    My galaxy randomly goes from connected to airplane mode. Could this mean it has been invaded by gremlins?

  2. [...] Lookout) A new variant of a piece of Android malware dubbed LeNa (Legacy Native) has been modified so that [...]

  4. [...] LeNa displays what looks like the official Android marketplace once it is on the device. (Credit: Lookout) A new variant of a piece of Android malware dubbed LeNa (Legacy Native) has been modified so that [...]

  6. [...] bit of news we gleaned from CNET and Lookout is that there is a new piece of android malware to be aware of and watch out for. Security [...]

  8. [...] at the mobile security firm Lookout identified the reworked malware as Legacy Native (LeNa), which poses as a legitimate app to gain [...]

  11. Amy says:

    @vvanderer, thanks for reaching out. That particular phone behavior doesn’t sound malware related. You’re welcome to reach us directly if you have any other questions: feedback@mylookout[dot]com. Thanks!

  17. [...] Principal Engineer Tim Wyatt in his blog post said that LeNa which was originally masqueraded as a legitimate application and attempted to trick [...]

  18. [...] access of an Android Phone without a user’s permission. According to Tim Wyatt, the engineer at Look Out Security reported that the exploit, LeNa, hides in a JPG image file in the users Phone and then communicates [...]

  19. [...] turning out to be a busy couple of days for security threats, Lookout Mobile Security has discovered the Legacy Native (LeNa) malware of last fall is back, and capable of remotely gaining root access [...]

  20. [...] are not going good for Android in terms of security threats these days. Lookout Mobile Security learned that a new strain of the ‘Legacy Native’ (LeNa) malware that first appeared last fall [...]

  21. [...] malware hitting Google Play, but this scenario could easily become a reality. Image credit: GSM Arena. Via Lookout. Related articles: New Built-In Security Feature for Android Market Unveiled (mobileusers.com) [...]

  23. [...] Tim Wyatt of Lookout Security published last week a newly discovered variant of the LeNa malware. LeNa is packaged inside applications and tries to get the user to grant root permissions to the application. In that way it installs an application with root permissions that allows the phone to be managed remotely. Because of the dependency on the su command (a command that allows the application to run as root), the group of potential victims is smaller. [...]

  24. [...] this vulnerability (versions prior to 2.3.4 that do not otherwise have a back-ported patch),” Lookout posted. The malware comes along with some applications including the newly released Angry Birds [...]

  25. [...] Mobile security firm Lookout said the malware is a new variant of the “Legacy Native (LeNa)” malware, which uses the “GingerBreak” exploit to attack. “By employing an exploit, this new variant of LeNa does not depend on user interaction to gain root access to a device. This extends its impact to users of devices not patched against this vulnerability (versions prior to 2.3.4 that do not otherwise have a back-ported patch),” Lookout said in a blog post. [...]

  26. [...] (versions prior to 2.3.4 that do not otherwise have a back-ported patch),” Lookout said in a blog post. In March, another Trojan appeared pretending to be legitimate Chinese game, The Roar of [...]

  27. [...] To read Lookout Security’s note and learn how to protect yourself, go here. [...]

  29. [...] Lookout, we love new languages almost as much as we love keeping your phone safe from the latest malware threats. Today, we’re excited to add Simplified Chinese and Polish to our list of localized [...]
