Lookout has identified a new Android malware threat that is, in effect, an evolution of an older Trojan. This new threat shares common traits with the Legacy variant known as DroidKungFu; this time, however, it was not limited to Chinese alternative app markets or forums. Unfortunately, a couple of instances were found in the U.S. Android Market, though they were promptly removed. As is the case with any of the threats that Lookout identifies, you are already protected if you’ve installed Lookout Mobile Security.
How does this Legacy Native (LeNa) work? It’s actually somewhat fascinating.
Unlike its predecessors, LeNa does not come with an exploit to root the device; rather, it requests privileged access on an already-rooted device. On un-rooted devices, it offers “helpful” instructions on how to root the phone. In some samples, LeNa is re-packaged into apps (a VPN management tool, for instance) that could conceivably require root privileges to function properly. Other samples attempt to convince the user that root access is required to update. Once the user grants LeNa root privileges, it starts its infection process in the background while performing the advertised application tasks in the foreground.
Lookout mentions on their blog that, while monitoring LeNa’s server activity, they noticed that one of the apps being pushed was a DroidDream-infected app. This isn’t definitive proof of a direct link between the DroidDream/DroidDream Light authors and the Legacy developers, but it’s a little scary nonetheless. These groups may not be in total cahoots with each other, but they’re getting smarter and trying new tactics.
If you’d like a full PDF technical breakdown of LeNa and how it works, head to Lookout’s blog.