Sophisticated Trojan targets Android devices

Chinese-based Geinimi has botnet potential

Lookout Mobile Security is reporting that a new malware exploit targeting Android devices is emerging in China. The company is calling the new Trojan, labeled Geinimi, the “most sophisticated Android malware we’ve seen to date” and the first Android malware to show “botnet-like capabilities.”

According to a Lookout blog post, Geinimi is “grafted” onto repackaged versions of bona fide Android applications, typically a game, and distributed via third-party online markets in China. The modified apps request “extensive permissions over and above” those requested by the original app. According to Lookout, Geinimi can access a wide range of personal data and ship it off to a remote server. It also has the potential to accept commands from a remote server, allowing the server’s owner to control the phone, including creating an Android botnet. Lookout has already created a software update for existing Android users of its mobile security software, both the paid and free versions, according to the blog post.

Whoever created the malware has gone to extra lengths to conceal what’s happening. “In addition to using an off-the-shelf bytecode obfuscator, significant chunks of command-and-control data are encrypted,” Lookout reports. “While the techniques were easily identified and failed to thwart analysis, they did substantially increase the level of effort required to analyze the malware.”

So far, according to Lookout, Geinimi only appears in repackaged apps on the third-party Chinese app stores. To download these, an Android user must enable installing apps from “Unknown sources.” So far, Lookout has found no Geinimi-compromised apps in the official Android Market site. Tampered apps on the Chinese sites include: Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense, and Baseball Superstars 2010.

“[T]he original versions available in the official Google Android Market have not been affected,” according to Lookout.

When the host application with the Geinimi Trojan is launched on the smartphone, the malware collects location coordinates and unique identifiers from the device and its SIM card. Every five minutes, according to Lookout, the malware tries to connect to a remote server, using one of 10 embedded domain names, among them: www.widifu.com, www.udaore.com, and www.frijd.com. Once it has that remote connection, the malware uses it to send the information it has collected.

So far, Lookout hasn’t seen a “fully operational control server sending commands back” to Geinimi. But Lookout’s analysis has identified the following activities: sending location coordinates or device identifiers, downloading an app and prompting the user to install it, prompting the user to uninstall an app, and creating a list of the phone’s installed apps and sending it to the remote server. Even so, the user still needs to confirm the installation or uninstallation, according to Lookout.
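The five-minute check-in to a fixed set of embedded domains is the behavior a defender can most easily spot in outbound-connection logs. The script below is an added example (not Lookout's code or from the original article) that flags a device whose contacts to the three domains named above recur at a steady roughly five-minute cadence; the log format and the device records are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Three of the ten domains the article reports as embedded in Geinimi.
GEINIMI_DOMAINS = {"www.widifu.com", "www.udaore.com", "www.frijd.com"}

# Constructed sample of outbound-connection log lines (not real traffic):
# "<ISO timestamp> <device id> <destination host>"
SAMPLE_LOG = """\
2010-12-29T10:00:03 dev-A www.widifu.com
2010-12-29T10:00:41 dev-A updates.example-game.com
2010-12-29T10:05:02 dev-A www.udaore.com
2010-12-29T10:10:05 dev-A www.widifu.com
2010-12-29T10:12:30 dev-A cdn.example-images.com
2010-12-29T10:15:01 dev-A www.frijd.com
2010-12-29T10:20:04 dev-A www.widifu.com
2010-12-29T10:01:00 dev-B news.example.com
2010-12-29T10:04:00 dev-B news.example.com
2010-12-29T10:30:00 dev-B news.example.com
"""

def parse_log(text):
    """Return {device: [(timestamp, host), ...]} with events sorted by time."""
    per_device = defaultdict(list)
    for line in text.splitlines():
        ts, dev, host = line.split()
        per_device[dev].append((datetime.fromisoformat(ts), host))
    for events in per_device.values():
        events.sort()
    return per_device

def beacon_intervals(events, suspects):
    """Seconds between consecutive contacts to any of the suspect hosts."""
    hits = [ts for ts, host in events if host in suspects]
    return [(b - a).total_seconds() for a, b in zip(hits, hits[1:])]

def is_beaconing(events, suspects, period=300, tolerance=15, min_hits=4):
    """True when a device reaches suspect hosts at a steady ~period cadence.
    Requires both the known-domain match and the timing regularity, so a
    single stray lookup of one of the domains does not raise an alert."""
    gaps = beacon_intervals(events, suspects)
    if len(gaps) + 1 < min_hits:
        return False
    return all(abs(g - period) <= tolerance for g in gaps)

def flag_devices(text, suspects=GEINIMI_DOMAINS):
    """Device ids in the log that show the beaconing pattern."""
    return sorted(dev for dev, ev in parse_log(text).items()
                  if is_beaconing(ev, suspects))

if __name__ == "__main__":
    print(flag_devices(SAMPLE_LOG))  # ['dev-A']
```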


Copyright © 2010 IDG Communications, Inc.
