A new version of Android malware has been tweaked so it doesn’t require user interaction for an attacker to own the device, according to research published by Lookout Mobile Security yesterday.
An updated variant of the Legacy Native (LeNa) malware utilizes the GingerBreak exploit to gain root permission on Android phones. LeNa, according to Lookout principal engineer Tim Wyatt, hides its exploit in a functional JPEG file. The exploit communicates with a command and control server to install and launch packages unbeknownst to the phone’s user.
Last fall, LeNa – looking like an authentic application – relied on a user to unwittingly utilize the SU utility to gain access and install a native binary file to the phone. LeNa was similar to DroidKungFu, a strain of malware that became popular in alternative Chinese markets last summer and collected various information about whatever phone it infected. While LeNa gained popularity in Chinese markets as well, it also surfaced in the Android Market (Google Play) a few times.
The malware has found a home on alternative mobile application marketplaces which are blocked by default on Android devices. While it doesn’t appear to have made the jump to Google’s new Play marketplace yet, the new version of LeNa has been seen making the rounds disguised as a version of the popular game Angry Birds Space.
As we’ve seen already this year with the TGLoader malware, alternative markets are a goldmine for stealthy, illegitimate applications that can do anything from send SMS messages to premium-rate numbers to remotely rooting Android devices.
With traces of Android malware skyrocketing in just the last few months, Google acknowledged in February it had launched a review process called Bouncer where it could automatically scan and remove malicious apps from its market. For more on the latest iteration of LeNa, head to Lookout’s blog.