Android Trojan Infects Mobile Applications

Botnet-like Android malware has been discovered attached to games on a third-party Android market

An advanced new Android Trojan has been found in the wild and it displays botnet-like capabilities, said Lookout Mobile Security on 29 December.

Named Geinimi, it is “the most sophisticated Android malware” so far, but its impact is currently limited as the infected apps are available only on Chinese Android app markets, Lookout said in its warning. That’s not to say it couldn’t be packaged into other geographic regions, but that it hasn’t been done yet.

Personal data stolen

“We have not seen any applications compromised by the Geinimi Trojan in the official Google Android Market,” according to the Lookout blog.

The compromised list of applications includes Monkey Jump 2, President vs. Aliens, City Defence and Baseball Superstars 2010. The original versions in the official Android market are not affected. Lookout discovered the malware after a concerned user posted on its forums.

It is currently spread by being “grafted” onto repackaged versions of legitimate applications which are then distributed in third-party Chinese Android applications markets. The compromised applications request extensive permissions “over and above” what the original versions request, said Lookout. Once installed on a user’s Android phone, Geinimi can send personal data off the phone and accept commands from the remote control server, Lookout said.

When the application is launched, the Trojan lurks in the background, collecting user information such as location coordinates and the phone’s unique IMEI and SIM identifiers, Lookout said. At 5-minute intervals, Geinimi attempts to connect to a remote server to transmit collected data to the remote server. Geinimi communicates with 10 domain names, including widifu.com, udaore.com, frijd.com, islpast.com and piajesj.com. All these domains are registered to the same contact “liuchangqiang” in Shanghai, China and date back to October.

Lookout said it had seen Geinimi transmit data to the server, but have not yet observed an instance of the server sending remote commands to the Trojan. Lookout speculated that the authors may be trying to create an Android botnet or a malicious ad network.

Based on the analysis of the malware code, Lookout’s experts said the Trojan also has the capability to download and prompt the user to install an app, prompt the user to uninstall an app, and to send a list of installed apps to the server.

Vigilance needed

Since Geinimi still requires the user to confirm adding or removing an app, users should be vigilant and be aware of all installs and uninstalls, Lookout said. Users should download applications only from reputable app markets, and check what permissions the app wants to ensure the request matches the app’s features.

The malware authors have “raised the sophistication bar significantly” said Lookout. The malware “obfuscates its activities” by using an off-the-shelf byte obfuscator, which makes it hard to decompile the code, and encrypting “significant chunks” of command-and-control data to “substantially increase” the effort required to analyse it.

The lack of security in mobile apps is a big concern, as many iPhone and Android apps are not securely storing application data and passwords. A recent Bucknell University study found that 68 percent of apps listed in the “most popular” and “top free” categories on Apple’s App Store transmitted personal information in plain text. Major phone carriers have plans to roll out a number of mobile security products to protect their users, as well. Lookout has a free and paid app that scans every app the user downloads.

Security experts and vendors predicted a rise of Android malware in 2011. It appears that Geinimi is bringing an early start to this trend.