Angry Birds Space on alternative Android Markets contains malware that gains root access without user permission.
The latest entry to Lookout Mobile Security's blog reports that a new variant of the Legacy Native (LeNa) malware has been spotted. It uses the GingerBreak exploit to gain root permissions of a device using Android 2.3.3 or below without having to ask user permission. So far it hasn't popped up on Google Play, residing only in the alternative markets.
Now here's the really bad news. It's been discovered in Angry Birds Space. "Among the apps in which this payload appears, however, is a fully functional copy of the recently released Angry Birds Space," reports Lookout's Tim Wyatt. "The authors are undoubtedly hoping to capitalize on the latest release from this popular franchise to increase uptake on distribution."
Once the end-user installs the fake application, it dumps a malicious payload -- a pair of ELF binaries -- that resides just past the "End of Image" marker of an otherwise fully-functional JPEG. One binary exploits the GingerBreak vulnerability to drop and launch the second, an updated version of LeNa. This payload communicates with a remote Command and Control server and accepts instructions to install additional packages and push URLs to be displayed in the browser.
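The packaging described above, a payload tucked in after the JPEG End-of-Image marker, is easy to check for on the defensive side: a well-formed JPEG ends at the `FF D9` marker, so anything after it is worth inspecting. The following scanner is an added example, not Lookout's tooling or anything from the malware; it walks the JPEG segment structure to find the real EOI, reports any trailing bytes, and flags the ELF magic (`7F 45 4C 46`). The sample image bytes and the fake ELF trailer are constructed here for the demo; the page does not describe how the two real binaries are laid out after the marker, so the scanner only checks for appended data and the ELF signature.

```python
"""Detect data appended after a JPEG's End-of-Image marker and flag ELF magic.

Added example (not Lookout's code, not the malware's). The JPEG and ELF
bytes built below are constructed for the demo, not from a real sample.
"""
import struct

SOI = b"\xff\xd8"          # Start of Image
EOI = b"\xff\xd9"          # End of Image
ELF_MAGIC = b"\x7fELF"     # first four bytes of every ELF binary


def find_eoi_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker by walking the segments.

    Entropy-coded scan data after SOS may contain FF bytes, but only as
    FF 00 (stuffed) or FF D0..D7 (restart markers), so we skip those and
    stop at the next real marker instead of blindly searching for FF D9.
    """
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                         # EOI: image ends here
            return pos + 2
        if marker == 0xFF:                         # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD8 or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                               # standalone markers, no length
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                         # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def classify_trailer(trailer: bytes) -> str:
    """Label the bytes found after EOI."""
    if not trailer:
        return "clean"
    if trailer.startswith(ELF_MAGIC):
        return "elf-at-eoi"          # ELF header starts right after FF D9
    if ELF_MAGIC in trailer:
        return "elf-in-trailer"      # ELF header somewhere in the appended data
    return "unknown-trailer"         # appended data, but not ELF; still suspicious


def scan_jpeg(data: bytes) -> dict:
    """Summarise where the image ends, how much follows, and what it looks like."""
    end = find_eoi_offset(data)
    trailer = data[end:]
    return {"eoi_offset": end, "trailer_len": len(trailer),
            "verdict": classify_trailer(trailer)}


def build_sample(trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG: SOI, APP0, SOS with stuffed FF 00 and an RST0, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # contains FF 00 and FF D0 on purpose
    return SOI + app0 + sos + scan + EOI + trailer


# Constructed stand-in for an appended binary: ELF magic plus filler, not a real ELF.
FAKE_ELF = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9 + b"constructed-elf-body"


if __name__ == "__main__":
    for label, img in (("clean", build_sample()), ("appended", build_sample(FAKE_ELF))):
        print(label, scan_jpeg(img))
```

Run over every image asset in an APK (resources and `assets/`), any "unknown-trailer" or "elf-*" verdict is a cheap triage signal before deeper analysis; legitimate files occasionally carry a few bytes of padding after EOI, so treat trailer length and the ELF signature together rather than alerting on any trailer at all.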
"At this time, LeNa’s C&C seems to be focusing on pushing a single package to the device: com.the9.gamechannel, a Chinese-language alternative market that publishes Android games," Wyatt states. "This package is installed without the user’s knowledge and subsequently launched – the result being that this alternate market may be front-and-center on a device after a user leaves it unattended for a prolonged period of time."
The previous version of LeNa also posed as a fake Android application, but required user permission to gain root access. It would reportedly trick the user into activating its payload by invoking the SU utility, which is used by rooted users to selectively grant superuser privileges to applications that request them. After the app gained root access, it performed normally while also secretly installing a native binary file and granting it remote control. Because of its dependence on the SU tool, its spread was limited to rooted devices.
"Be alert for unusual behaviors on your phone, which could indicate that your phone is infected," Wyatt says. "These behaviors may include strange charges to your phone bill, unusual SMS or network activity, or application activities that launch when your device is locked."
All Lookout users are already protected against LeNa, he says.

ID10T problems like always.
I prefer PEBKAC (people are less likely to figure out you're making fun of them), but I guess it doesn't apply to smartphones as well as the good old ID-ten-tee.
Then, you won't be able to download from alternative markets, which will prevent something like this from running on your phone to begin with.
Stupid spammers can't even be bothered to check their math.
There is a developer tab under settings that allows the user to check if they want to be able to install apps from alternative sources or not. By default it is unchecked, so for someone to be able to screw up like this, they would have to dig into a developer setting and voluntarily change that (regardless of whether they're rooted or not). Then, their phone actually needs to be rooted for the app to gain root, otherwise it won't work.
In other words, one must try really hard to screw up on this one... And that's why Android rocks.
It all comes down to one thing: if you really think you know what you're doing, Android gives you the tools to do it, but if you don't, it does its best to keep you from doing it. Now, if you still persist... good luck to you.