Update of Android malware uses exploit to take over
New Android malware variant needs no user control and works on phones that haven't been rooted.
LeNa has been seen on alternative Android markets and not Google Play, so its spread will be limited to people who risk those exchanges, particularly Chinese users, Lookout said in a blog post. The malware masquerades as a legitimate app, and the latest version can appear as a fully functional copy of the recently released Angry Birds Space, among other apps.
The original version of LeNa relied on the "SU" utility, which people who have rooted their Android phones use to grant superuser privileges to apps that request them. That meant only people who had rooted their devices were at risk, according to Lookout, which protects users against the malware.
"We've recently identified a significant update to LeNa that uses the GingerBreak exploit to gain root permissions on a device," said the Lookout blog post. "By employing an exploit, this new variant of LeNa does not depend on user interaction to gain root access to a device. This extends its impact to users of devices not patched against this vulnerability (versions prior to 2.3.4 that do not otherwise have a back-ported patch)."
Both variants communicate with a command-and-control server and receive instructions to install additional software and push URLs to be displayed in the browser, specifically "com.the9.gamechannel," a Chinese-language alternative market that publishes Android games and was not designed to mimic the official Google Play market, Lookout said.
The company advises people to be alert for unusual behavior on their devices, such as strange charges on the bill, unusual SMS or network activity, and applications that launch when the device is locked. Users should also check the permissions an app requests to make sure they match the functionality of the app. And people should only download apps from reputable app stores and consider using services or apps that scan apps for malicious activity.
Updated April 4 at 11:20 a.m. PT to clarify that the alternative market did not mimic Google Play.