chopeen

Luespy - malware or false positive?


Malwarebytes Anti-Malware Mobile (v1.05.1.1000) started to detect an infection a few days ago - malware Android/Trojan.Spy.Luespy in the file /system/priv-app/LSF-UEService-Pad_RoW.apk.

 

As far as I can tell, it is a Lenovo application that was pre-installed on the tablet, so I suspect it's a false positive.

 

Is there a way to display a detailed scan log in MBAM to learn why a file was flagged?

Can I provide you more information so you can investigate it?

 

 

Related discussion at Lenovo forums: https://forums.lenovo.com/t5/Security-Malware/Luespy-malware-detected-by-Malwarebytes/m-p/2087123


Hi Chopeen,

 

Thanks for reporting. This looks to be some type of User Experience app; it runs as a service and collects data to report back to Lenovo. It has a EULA the user should have to agree to. We detect it because of its tracking and reporting capabilities. If you are concerned about the app as a threat, you can disable it via App settings.

 

We'll look at the possibility that this is a FP and could revise the detection to a PUP to at least inform users that it is a tracker.

 

Regards,

 

-Armando


Hello Experts,

 

We cannot disable the User Experience App in the Lenovo smartphone via App settings. We can Force Close the UE App, but it keeps getting active and MBAM keeps detecting it as a Luespy Trojan.

 

Another thing, I and some of my friends got this detection on our Lenovo phones, on 22.05.15, many days after we started using our Lenovo phones. So it was not as a result of any Lenovo update. It was the result of a routine MBAM scan.

 

We have stopped using our Lenovo phones, some of them quite new, and are wondering what to do next. Do we get rid of the phones? Is it safe to use them, in spite of the MBAM repeated detection of Luespy Trojan?

 

Your conclusive reply would be appreciated.

 

Thanks in advance.


Hi Jayanta,

 

Yeah, this was a new detection that was added recently. When you do the 'Force Stop' does the disable option then become available? 

 

We are in the process of reviewing this detection.

 

-Armando


Hi Armando, thanks for the prompt response. The Disable option is always grayed out, and never becomes available, even after tapping the Force Stop. The Force Stop itself gets grayed out if you tap it, and comes back alive again after a few minutes. This is happening in the Lenovo A6000 phones which I and many of my friends have bought. The last update provided by Lenovo was in the first week of May, and after that and up to 22.05.15, when this detection of Luespy was made by MBAM mobile in these phones, there was no detection by MBAM mobile. So we found it a bit surprising when the detection happened on 22.05.15.

 

These phones have been bought by us a couple of months ago, so you may understand our problem. We do not know if we should ignore this detection and keep using these phones, but we are not comfortable with this, since we consider MBAM as the topmost anti-malware programme, and do not want to take their detection of trojan lightly. So we have stopped using these phones, till MBAM gives us the green signal.

 

In fact, when we bought the phones, the first thing we did, as we always do, was to run the MBAM mobile scan, and were very happy when it said "there is no malware in your device".

 

We also do not have any clue as to what the User Experience app does in these phones. If they are tracking our phone activity, what all they may be tracking, why they may be tracking, as we all have email accounts etc. in these phones, which we do not want to be compromised.

 

So we really look forward to your advice, since as I said, we consider MBAM to be the best.

 

Thanks,

Jayanta

Hi Jayanta,
 
We have downgraded this to a PUP classification, Android/PUP.Monitor.Luespy.a, to inform our customers that the app is a monitor. There is a User License Agreement that comes with this app, which you might have seen when you first used the phone. It appears the app does not collect personal data like email, contacts etc. with this app; it is mostly related to events that take place through day to day use. Below is an excerpt from the EULA:
 
Data collection and protection 
In order to collaborate and provide better services, if you participated in the User experience improvement plan, we will irregularly sync your mobile device operation data, including: equipment switch events, Push service switching events, WLAN switch events, GPS switch events and data, operator information, system function usage data, application startup/shutdown events, application installation/uninstallation events, device operation data (key features, exceptions, error data) and so on. 
The device operation data synchronized by User experience improvement plan are collected anonymously. 
 
Synchronized mobile device data will be unified, encrypted, and stored on a particular server and kept for a period less than one year. Such information will be protected in accordance with our privacy policy. 
 
You may read details of our privacy policy by visiting http://www.lenovo.com.cn/Public/public_bottom/privacy.shtml.
 
And we may access, use or disclose your data and information only for the following purposes:
 (a) For the anonymous analysis of device running state and application function usage, in order to discover the problems when devices and applications are running; as the basis for improving products or service functions, improving user experiences and providing the services listed in Article 1 of this plan;
 (b) To comply with laws or assist in investigation or enforcement by a judicial and/or enforcement authority; 
 (c) To protect our and our customers' property and legal rights, including the implementation of the plan and compliance with the policy applicable to this service; or 
 (d) To protect the rights, properties and security of the public. 
 However, there may be specific data leakage risks when you provide and transmit data through the network. You have fully considered and are willing to take the risk, so you hereby confirm that you will assume the responsibility for the consequences of data leakage caused by the network transmission. For such data leakage which is out of our control or not caused by our fault, and we shall not assume any responsibility.
 
The full text is attached.
 
I think the app is safe to use if you feel Lenovo has your best interests in mind, by protecting your data. You can Whitelist the app from the scans. If you feel you don't trust Lenovo, you can contact them on the best way to disable it.
 
Regards,
 
-Armando

 

luespy_EULA_text.txt


Hi Armando,

 

Thank you very much for your reply.

 

I do not recall the User License Agreement of this app. It must be there, since you mention it, and maybe like other such Agreements, we ticked the box without reading it properly, thinking that there may not be anything wrong. I wonder if anyone has a choice to leave it un-ticked, since it is a part and parcel of the phone.

 

It is reassuring to know that it appears that the app does not collect personal data like email, contacts etc., and it is mostly related to events that take place through day to day use.

 

I wonder if the other phone manufacturers collect all such data from the customers' phones. Is it the done thing? Specially when there is a possibility of data leakage for which they will not be responsible, as mentioned in their EULA. We feel like some type of human guinea pigs, for the benefit of Lenovo :D Surely they can do this in some other way, without endangering the data of their customers! You may recall the Superfish malware which they installed in their computers, earlier this year. All this does not give a good feeling about the company.

 

From our limited knowledge, it seems that disabling the app would entail rooting our phones. But we do not know how to go about doing it.

 

Could you please inform us, if Windows 8.1 phones could also have pre-installed trackers/monitors/trojans etc. installed in them? Or it is not possible for the manufacturer to do this, because it is supposed to be very secure compared to Android? And also, is there any anti-virus for Windows 8.1 phones, because we could not find it in the Store of Windows 8.1? We would be grateful for your advice.

 

We thank you very much for taking the time to deal with this issue very effectively, which further increases our respect for MBAM.

 

Best Regards,

Jayanta


You're welcome. There aren't any AV's for Windows phone that I'm aware of, but so far there haven't been any threats targeting that platform.

 

-Armando


Hi Armando,

 

I have been doing some research in the past few days, on how to deactivate this User Experience app in some other way, since it cannot be de-activated on the phone by its own settings.

 

I came across an app on Google Play called NoRoot Firewall, which can be installed in android phones, and where we can select which apps can send out data from the phone, and which apps cannot. In other words, all apps including User Experience need permission to use the phone's internet connection.

 

Could you be so kind as to check out this app, whether it will be effective in blocking this User Experience app in the phone, from sending out our data from the phone to wherever (most probably to Lenovo). And so the risk to our data may be eliminated.

 

Many thanks in advance,

 

Jayanta


Hi Jayanta,

 

I'm not familiar with NoRoot Firewall, so I don't know how good of a job it does, but it does not appear to be bundled with adware or other malicious activities. Stick with the one from the Play Store.

 

Good luck and let me know how it goes.

 

-Armando


Hi Armando,

 

Just to update you on the situation, we have sold our Lenovo phones and got ourselves Lumia Windows phones, and are running them without installing any anti-virus.

Actually we were feeling uncomfortable that our data was getting reported back to Lenovo, for reasons best known to them. To top it, there was this total silence on the part of Lenovo's staff, in their forum and elsewhere, about Luespy.

We feel quite safe with Windows 8.1 compared to Android. We feel that there may be other entities like Lenovo who may also be doing the same, installing UE apps in their phones without explaining to the buyers what exactly these apps may be used for. And then maintaining a total silence.

 

Thanks for your valuable advice in this matter.

 

Best Regards,

Jayanta

