Bot-like Geinimi Trojan targets Android games
Dec 30, 2010 — by LinuxDevices Staff — from the LinuxDevices Archive — 1 viewsA super-sophisticated piece of Android malware that has botnet-like capabilities was discovered attached to a number of Android games. The Geinimi Trojan appears to be limited to third-party Chinese app markets — for now.
An advanced new Android Trojan has been found in the wild, and it displays botnet-like capabilities, said Lookout Mobile Security on Dec. 29. Named Geinimi, it is "the most sophisticated Android malware" so far, but its impact is currently limited as the infected apps are available only on Chinese Android app markets, Lookout said in its warning.
That's not to say it couldn't be packaged into other geographic regions, but that it hasn't been done yet. "We have not seen any applications compromised by the Geinimi Trojan in the official Google Android Market," according to the Lookout blog on Geinimi.
The compromised list of applications includes Monkey Jump 2, President vs. Aliens, City Defense, and Baseball Superstars 2010. The original versions in the official Android market are not affected.
Lookout discovered the malware after a concerned user posted a notice on its forums. Geinimi is currently spread by being "grafted" onto repackaged versions of legitimate applications which are then distributed in third-party Chinese Android applications markets.
Bogus permissions checking and slick obfuscation
Applications compromised by Geinimi request extensive permissions "over and above" what the original versions request, said Lookout. Once installed on a user's Android phone, Geinimi can transmit personal data from the phone and accept commands from a remote control server, Lookout said.
When the application is launched, the Trojan lurks in the background, collecting user information such as location coordinates and the phone's unique IMEI and SIM identifiers, Lookout said. At five-minute intervals, Geinimi attempts to connect to a remote server to transmit collected data to the remote server.
Geinimi communicates with ten domain names, including widifu.com, udaore.com, frijd.com, islpast.com, and piajesj.com. All these domains are registered to the same contact — a "liuchangqiang" in Shanghai, China, and date back to October. Lookout said it had seen Geinimi transmit data to the server, but has not yet observed an instance of the server sending remote commands to the Trojan.
Lookout speculated that the authors may be trying to create an Android botnet or a malicious ad network. Based on the analysis of the malware code, Lookout's experts said the Trojan also has the capability to download and prompt the user to install an app, prompt the user to uninstall an app, and send a list of installed apps to the server.
Since Geinimi still requires the user to confirm adding or removing an app, users should be vigilant and be aware of all installs and uninstalls, Lookout said. Users should download applications only from reputable app markets, and check that permissions the app wants matches the app's features.
The malware authors have "raised the sophistication bar significantly" said Lookout. The malware "obfuscates its activities" by using an off-the-shelf byte obfuscator, which makes it hard to decompile the code. It also encrypts "significant chunks" of command-and-control data to "substantially increase" the effort required to analyze it.
An early start on "year of Android malware"
The lack of security in mobile apps is a big concern, as many iPhone and Android apps are not securely storing application data and passwords.
A recent Bucknell University study found that 68 percent of apps listed in the "most popular" and "top free" categories on Apple's App Store transmitted personal information in plain text.
Major phone carriers have plans to roll out a number of mobile security products to protect their users, as well. Lookout has a free and paid app that scans every app the user downloads.
Security experts and vendors recently predicted a rise of Android malware in 2011. It appears that Geinimi is off to an early start.
Fahmida Y. Rashid is a writer for our sister publication eWEEK.
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc. Please visit LinuxToday.com for up-to-date news and articles about Linux and open source.