A new Trojan affecting Android devices has recently emerged in China.
Dubbed "Geinimi" based on its first known incarnation, this Trojan
can compromise a significant amount of personal data on a user's
phone and send it to remote servers, security researchers said on
Thursday.
Anti-virus firm Lookout Mobile Security said that Geinimi is the most
sophisticated Android malware so far and also the first Android
malware in the wild that displays botnet-like capabilities. Once the
malware is installed on a user's phone, it has the potential to
receive commands from a remote server that allow the owner of that
server to control the phone.
Geinimi is effectively being "grafted" onto repackaged versions of
legitimate applications, primarily games, and distributed in
third-party Chinese Android app markets, the researchers said. The
affected applications request extensive permissions over and above
the set that is requested by their legitimate original versions.
Though the intent of this Trojan isn't entirely clear, the
possibilities for intent range from a malicious ad-network to an
attempt to create an Android botnet.
How it works:
When a host application containing Geinimi is launched on a user's
phone, the Trojan runs in the background and collects significant
information that can compromise a user's privacy. The specific
information it collects includes location coordinates and unique
identifiers for the device (IMEI) and SIM card (IMSI). At five minute
intervals, Geinimi attempts to connect to a remote server using one
of ten embedded domain names. A subset of the domain names includes
www.widifu.com, www.udaore.com, www.frijd.com, www.islpast.com and
www.piajesj.com. If it connects, Geinimi transmits collected device
information to the remote server.
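The five-minute check-in to a short list of embedded domains is the part of this behaviour a network defender can see from the outside. The following is an added example (not code from the article or from Lookout) that scans constructed DNS-style log lines for the five C2 domains the article names and reports clients whose lookups recur at roughly the described cadence. The log format, the sample lines, and the period/tolerance thresholds are assumptions made for this example.

```python
"""Detection sketch for Geinimi-style beaconing in DNS/proxy logs.

Added example, not from the original article or from Lookout: flags
lookups of the C2 domains named in the write-up and reports hosts whose
lookups recur at the roughly five-minute cadence the article describes.
The log format and sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Domains quoted in the article as a subset of Geinimi's embedded C2 names.
GEINIMI_DOMAINS = {
    "www.widifu.com", "www.udaore.com", "www.frijd.com",
    "www.islpast.com", "www.piajesj.com",
}

# Constructed sample log lines: "<timestamp> <client-ip> <queried-name>".
SAMPLE_LOG = """\
2010-12-30T10:00:02 10.0.0.5 www.widifu.com
2010-12-30T10:00:09 10.0.0.7 www.google.com
2010-12-30T10:05:03 10.0.0.5 www.udaore.com
2010-12-30T10:10:01 10.0.0.5 www.frijd.com
2010-12-30T10:12:40 10.0.0.7 www.widifu.com
2010-12-30T10:15:04 10.0.0.5 www.piajesj.com
2010-12-30T10:16:00 10.0.0.9 www.example.com
"""


def parse_line(line):
    """Return (timestamp, client, name) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2].lower().rstrip(".")


def find_c2_lookups(log_text):
    """Map client -> sorted timestamps of lookups for known C2 names."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] in GEINIMI_DOMAINS:
            hits[rec[1]].append(rec[0])
    return {client: sorted(times) for client, times in hits.items()}


def beaconing_clients(log_text, period_s=300, tolerance_s=30, min_hits=3):
    """Clients whose C2 lookups recur at roughly `period_s` seconds.

    The median gap is used so that one delayed or missed check-in does
    not hide the pattern. Thresholds are assumptions for this example.
    Returns {client: rounded median gap in seconds}.
    """
    result = {}
    for client, times in find_c2_lookups(log_text).items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if abs(med - period_s) <= tolerance_s:
            result[client] = round(med)
    return result


if __name__ == "__main__":
    for client, gap in beaconing_clients(SAMPLE_LOG).items():
        print(f"{client}: lookups of known Geinimi C2 names every ~{gap}s")
```

Any single lookup of one of these names is worth an alert on its own; the cadence check exists to separate an infected handset that is actively checking in from a one-off resolution, and to survive the Trojan rotating through its ten embedded names, since the check is per client rather than per domain.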
Though Lookout Mobile Security has seen Geinimi communicate with a
live server and transmit device data, the security firm has yet to
observe a fully operational control server sending commands back to
the Trojan. The analysis of Geinimi's code is ongoing and the
researchers already have evidence of the following capabilities:
* Send location coordinates (fine location)
* Send device identifiers (IMEI and IMSI)
* Download and prompt the user to install an app
* Prompt the user to uninstall an app
* Enumerate and send a list of installed apps to the server
While Geinimi can remotely initiate an app to be downloaded or
uninstalled on a phone, a user still needs to confirm the
installation or uninstallation.
"Geinimi's author(s) have raised the sophistication bar significantly
over and above previously observed Android malware by employing
techniques to obfuscate its activities. In addition to using an
off-the-shelf bytecode obfuscator, significant chunks of
command-and-control data are encrypted. While the techniques were
easily identified and failed to thwart analysis, they did
substantially increase the level of effort required to analyze the
malware. The Lookout Security team is continuing to analyze
capabilities of new and existing Geinimi variants and will provide
more information as we uncover it," the security experts said.
Currently Geinimi is distributed through third-party Chinese app
stores. To download an app from a third-party app store, Android
users need to enable the installation of apps from "Unknown sources"
(often called "sideloading"). Geinimi could be packaged into
applications for Android phones in other geographic regions. Lookout
Mobile Security has not seen any applications compromised by the
Geinimi Trojan in the official Google Android Market.
There are a number of applications, typically games, seen repackaged
with the Geinimi Trojan and posted in Chinese app stores, including
Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and
Baseball Superstars 2010. It is important to remember that even
though there are instances of the games repackaged with the Trojan,
the original versions available in the official Google Android Market
have not been affected.
Lookout has already delivered an update for its Android users to
protect them against known instances of the Trojan.
How to Stay Safe:
* Only download applications from trusted sources, such as
reputable application markets. Remember to look at the developer
name, reviews, and star ratings.
* Always check the permissions an app requests. Use common sense
to ensure that the permissions an app requests match the features the
app provides.
* Be aware that unusual behavior on your phone could be a sign
that your phone is infected. Unusual behaviors include: unknown
applications being installed without your knowledge, SMS messages
being automatically sent to unknown recipients, or phone calls
automatically being placed without you initiating them.
* Download a mobile security app for your phone that scans every
app you download.
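The article makes the same point twice: repackaged builds request permissions over and above the legitimate original, and users should check that what an app asks for matches what it does. The following is an added example (not code from the article or from Lookout) that turns that advice into a concrete check: given the AndroidManifest.xml of a known-good build and of a suspect build, it lists the extra permission requests and annotates the ones that correspond to behaviour the article describes. Both manifests are constructed for this example, and the permission-to-capability table is an assumption rather than a list taken from the article.

```python
"""Compare the permissions requested by two builds of the same app.

Added example, not from the article or from Lookout. The manifests are
constructed, and CAPABILITY_HINTS is an assumed mapping from standard
Android permission names to the behaviour the article describes.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest of a hypothetical legitimate game build.
ORIGINAL_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# Constructed manifest of a repackaged build that asks for more.
REPACKAGED_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

# Assumed mapping: which described Geinimi behaviour each permission enables.
CAPABILITY_HINTS = {
    "android.permission.ACCESS_FINE_LOCATION": "fine location collection",
    "android.permission.READ_PHONE_STATE": "IMEI/IMSI device identifiers",
    "android.permission.RECEIVE_BOOT_COMPLETED": "background persistence",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def extra_permissions(original_xml, suspect_xml):
    """Permissions the suspect build requests that the original does not."""
    return requested_permissions(suspect_xml) - requested_permissions(original_xml)


def review(original_xml, suspect_xml):
    """Map each extra permission to a capability hint ("" if none known)."""
    extras = sorted(extra_permissions(original_xml, suspect_xml))
    return {perm: CAPABILITY_HINTS.get(perm, "") for perm in extras}


if __name__ == "__main__":
    for perm, hint in review(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST).items():
        print(f"extra: {perm}" + (f"  ({hint})" if hint else ""))
```

A game that suddenly wants fine location, phone identity and a boot-time receiver is exactly the mismatch the article tells users to look for; the value of doing it as a diff against the known-good build is that it removes the guesswork about which requests are "normal" for that particular app.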