Update of Android malware uses exploit to take over

New Android malware variant needs no user control and works on phones that haven't been rooted.

Elinor Mills
LeNa displays what looks like the official Android marketplace once it is on the device. (Image: Lookout)
A new variant of a piece of Android malware dubbed LeNa (Legacy Native) has been modified so that it does not require user interaction to take control of a device, mobile security firm Lookout said today.

LeNa has been seen on alternative Android markets and not Google Play, so its spread will be limited to people who risk those exchanges, particularly Chinese users, Lookout said in a blog post. The malware masquerades as a legitimate app, and the latest version can appear as a fully functional copy of the recently released Angry Birds Space, among other apps.

The original version of LeNa relied on the "SU" utility, which people who have rooted their Android phones use to grant superuser privileges to apps that request them. That meant only people who had rooted their devices were at risk, according to Lookout, which protects users against the malware.

"We've recently identified a significant update to LeNa that uses the GingerBreak exploit to gain root permissions on a device," said the Lookout blog post. "By employing an exploit, this new variant of LeNa does not depend on user interaction to gain root access to a device. This extends its impact to users of devices not patched against this vulnerability (versions prior to 2.3.4 that do not otherwise have a back-ported patch)."

Both variants communicate with a command and control server and receive instructions to install additional software and push URLs to be displayed in the browser, specifically "com.the9.gamechannel," a Chinese-language alternative market that publishes Android games and which was not designed to mimic the official Google Play market, Lookout said.

The company advises people to be alert for unusual behaviors on their devices, such as strange charges on the bill, unusual SMS or network activity and applications that launch when the device is locked. Users should also check the permissions an app requests to make sure they match with the functionality of the app. And people should only download apps from reputable app stores and consider using services or apps that scan apps for malicious activity.

Google announced in February that it is scanning apps available in the official Android apps market, now called Google Play, for malware.

Updated April 4 at 11:20 a.m. PT to clarify that the alternative market did not mimic Google Play.