Angry Birds Space on alternative Android Markets contains malware that gains root access without user permission.
The latest entry to Lookout Mobile Security's blog reports that a new variant of the Legacy Native (LeNa) malware has been spotted. It uses the GingerBreak exploit to gain root on devices running Android 2.3.3 or earlier without having to ask the user for permission. So far it hasn't popped up on Google Play, residing only in the alternative markets.
Now here's the really bad news. It's been discovered in Angry Birds Space. "Among the apps in which this payload appears, however, is a fully functional copy of the recently released Angry Birds Space," reports Lookout's Tim Wyatt. "The authors are undoubtedly hoping to capitalize on the latest release from this popular franchise to increase uptake on distribution."
Once the end-user installs the fake application, it dumps a malicious payload -- a pair of ELF binaries -- that resides just past the "End of Image" marker of an otherwise fully-functional JPEG. One binary exploits the GingerBreak vulnerability to drop and launch the second, an updated version of LeNa. This payload communicates with a remote Command and Control server and accepts instructions to install additional packages and push URLs to be displayed in the browser.
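As an added illustration of the hiding technique described above (this is not code from Lookout or from the article): a Python check that walks a JPEG's marker structure to find the real End-of-Image marker and reports any ELF header sitting after it, which is where this LeNa variant stores its binaries. The sample bytes and function names are constructed for the example.

```python
import struct

ELF_MAGIC = b"\x7fELF"

def trailing_data_after_eoi(data: bytes) -> bytes:
    """Bytes after the JPEG End-of-Image marker (FF D9), walking segments and
    scans so an EXIF thumbnail's own EOI inside APP1 is not mistaken for it."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos, in_scan = 2, False
    while pos + 1 < len(data):
        if in_scan:
            # In a scan, FF 00 is a stuffed data byte and FF D0..D7 a restart
            # marker; any other FF xx is a real marker that ends the scan.
            nxt = data[pos + 1]
            if data[pos] != 0xFF or nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                pos += 1
                continue
            in_scan = False
        if data[pos] != 0xFF:
            raise ValueError(f"malformed marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: the rest is trailing data
            return data[pos + 2:]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len                      # the length field counts itself
        in_scan = marker == 0xDA                # SOS: entropy-coded data follows
    raise ValueError("no EOI marker found")

def find_appended_elf(data: bytes):
    """Absolute offset of an ELF header in the post-EOI trailer, else None."""
    tail = trailing_data_after_eoi(data)
    idx = tail.find(ELF_MAGIC)
    return None if idx < 0 else len(data) - len(tail) + idx

# Constructed sample (not a decodable image): SOI, an APP1 segment whose
# payload holds its own SOI/EOI pair (as an EXIF thumbnail would), a SOS
# segment, entropy data with a stuffed FF 00 and an RST0 marker, then EOI.
SAMPLE_CLEAN = (b"\xff\xd8" b"\xff\xe1\x00\x06\xff\xd8\xff\xd9"
                b"\xff\xda\x00\x04\x00\x00" b"\x12\xff\x00\x34\xff\xd0\x56" b"\xff\xd9")
# Same image with a fake ELF header appended after the EOI, LeNa-style.
SAMPLE_APPENDED = SAMPLE_CLEAN + b"\x7fELF\x01\x01\x01" + b"\x00" * 8
```

A naive `data.find(b"\xff\xd9")` stops at the thumbnail's EOI inside the APP1 segment and would flag clean EXIF images, which is why the walker tracks segments and scans.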
"At this time, LeNa’s C&C seems to be focusing on pushing a single package to the device: com.the9.gamechannel, a Chinese-language alternative market that publishes Android games," Wyatt states. "This package is installed without the user’s knowledge and subsequently launched – the result being that this alternate market may be front-and-center on a device after a user leaves it unattended for a prolonged period of time."
The previous version of LeNa also posed as a fake Android application, but required user permission to gain root access. It would reportedly trick the user into activating its payload by invoking the su utility, which rooted users rely on to selectively grant superuser privileges to applications that request them. After the app gained root access, it performed normally while also secretly installing a native binary file and granting it remote control. Because of its dependence on the su tool, its spread was limited to rooted devices.
"Be alert for unusual behaviors on your phone, which could indicate that your phone is infected," Wyatt says. "These behaviors may include strange charges to your phone bill, unusual SMS or network activity, or application activities that launch when your device is locked."
All Lookout users are already protected against LeNa, he says.