A new Trojan is targeting Android devices. Known in security circles as Geinimi, the Trojan is powerful enough to compromise the personal data on a user’s smartphone and send it to remote servers.
So says Lookout Mobile Security. In fact, the firm said the new Trojan is the most sophisticated Android malware its security researchers have seen to date. What’s more, Geinimi is also the first Android malware in the wild that displays botnet-like capabilities. That means once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone.
“Geinimi is effectively being ‘grafted’ onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets,” the company wrote in a blog post. “The affected applications request extensive permissions over and above the set that is requested by their legitimate original versions.”
Lookout said the Trojan’s intent isn’t entirely clear, but the possibilities range from a malicious ad network to an attempt to create an Android botnet.
Here’s how it works: When a host application containing Geinimi is launched on a user’s phone, the Trojan runs in the background and collects information that can compromise a user’s privacy, Lookout said. That includes location coordinates and unique identifiers for both the device and SIM card. At five-minute intervals, Lookout explains, Geinimi attempts to connect to a remote server using one of 10 embedded domain names. If it connects, Geinimi transmits collected information to the remote server.
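The five-minute beaconing described above is something a practitioner can look for in outbound connection logs, because whatever the embedded domains are, a fixed schedule leaves a periodic trace per handset. The script below is an added example, not code from Lookout's post or from the Trojan itself; the log format, device names and domain names are constructed placeholders (Geinimi's real embedded domains are not given on this page and are not reproduced here), and the interval, jitter and minimum-connection thresholds are assumptions to tune.

```python
"""Flag handsets that contact a destination at a fixed interval.

Added example (not Lookout's code): Geinimi is described as trying one of
its embedded domains every five minutes and uploading what it collected when
a connection succeeds.  Whatever the domains are, that schedule leaves a
periodic trace in per-device outbound connection logs.  The log format,
device names and domains below are constructed for this illustration; the
".invalid" names are placeholders, not Geinimi's actual servers.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample: one line per outbound connection, as a gateway or
# on-device firewall might log it.  phone-A beacons every ~300 s, failing
# over to a second domain once; phone-B and phone-C are controls.
SAMPLE_LOG = """\
2010-12-29T10:00:02Z device=phone-A dst=c2-one.invalid
2010-12-29T10:00:45Z device=phone-A dst=www.example.com
2010-12-29T10:05:01Z device=phone-A dst=c2-one.invalid
2010-12-29T10:07:13Z device=phone-B dst=www.example.com
2010-12-29T10:10:03Z device=phone-A dst=c2-one.invalid
2010-12-29T10:12:40Z device=phone-A dst=www.example.com
2010-12-29T10:15:02Z device=phone-A dst=c2-two.invalid
2010-12-29T10:20:00Z device=phone-A dst=c2-one.invalid
2010-12-29T10:21:11Z device=phone-B dst=c2-one.invalid
2010-12-29T10:26:11Z device=phone-B dst=c2-one.invalid
2010-12-29T10:00:00Z device=phone-C dst=c2-one.invalid
2010-12-29T10:01:30Z device=phone-C dst=c2-one.invalid
2010-12-29T10:09:00Z device=phone-C dst=c2-one.invalid
2010-12-29T10:30:00Z device=phone-C dst=c2-one.invalid
"""


def parse_log(text):
    """Return a list of (timestamp, device, destination) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, fields["device"], fields["dst"]))
    return events


def periodic_hits(deltas, interval, tolerance):
    """Count gaps that are within tolerance of k*interval for some k >= 1.

    A beacon that failed to connect (or was not logged) shows up as a gap of
    two or more intervals, so multiples of the interval still count as hits.
    """
    hits = 0
    for gap in deltas:
        k = round(gap / interval)
        if k >= 1 and abs(gap - k * interval) <= tolerance:
            hits += 1
    return hits


def find_beacons(events, interval=300, tolerance=15, min_connections=4,
                 min_ratio=0.75, watchlist=None):
    """Return {(device, key): median gap in seconds} for periodic contacts.

    key is the destination, or the string "watchlist" for any destination in
    watchlist: grouping the whole set together keeps a beacon that rotates
    between several embedded domains from being split into short, separate
    series that each fall below min_connections.
    """
    groups = defaultdict(list)
    for ts, device, dst in events:
        key = "watchlist" if watchlist and dst in watchlist else dst
        groups[(device, key)].append(ts)

    flagged = {}
    for key, times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if periodic_hits(deltas, interval, tolerance) / len(deltas) >= min_ratio:
            flagged[key] = median(deltas)
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for (device, dst), gap in find_beacons(events).items():
        print(f"{device}: periodic contact with {dst}, median gap {gap:.0f} s")
    known = {"c2-one.invalid", "c2-two.invalid"}
    for (device, dst), gap in find_beacons(events, watchlist=known).items():
        print(f"{device}: periodic contact with {dst}, median gap {gap:.0f} s")
```

Without a watchlist, only phone-A's contacts with c2-one.invalid are flagged (its fourth beacon went to the other placeholder domain, and the 597-second gap is read as one missed interval); with both placeholder domains on a watchlist the series is reassembled and the median gap comes out at 299 seconds. Fifteen seconds of jitter and four connections are small enough to catch a five-minute beacon in a 20-minute capture, but a legitimate app that polls on a timer trips the same rule, so treat a hit as something to inspect rather than as proof of infection.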
“This is unlikely to affect end users in the U.S. You have to go to a third-party site and enable and install third-party applications outside the marketplace. But it underscores the Wild West nature that is the Android platform,” said Michael Gartenberg, an analyst at Gartner.
“Something like this would be virtually impossible on an iPhone. There’s no easy way of installing applications on the iPhone that didn’t come from the marketplace unless you are willing to go through hoops to try to jailbreak it. This underscores Apple’s position of maintaining end-to-end control, and the reason for doing so is that iPhone users don’t have to worry about these types of things.”
Protecting Your Phone
The good news for Android users is that Lookout said there is no evidence of Geinimi being distributed anywhere other than third-party Chinese app stores. To download an app from a third-party app store, Android users need to enable the installation of apps from “unknown sources.” Although Geinimi could be packaged into applications for Android phones in other geographic regions, Lookout has not seen any applications compromised by the Geinimi Trojan in the official Google Android Market.
“There are a number of applications — typically games — we have seen repackaged with the Geinimi Trojan and posted in Chinese app stores, including Monkey Jump 2, Sex Positions, President vs Aliens, City Defense, and Baseball Superstars 2010,” Lookout said. “It is important to remember that even though there are instances of the games repackaged with the Trojan, the original versions available in the official Google Android Market have not been affected.”
Lookout said Android users can stay safe by downloading applications only from trusted sources, such as reputable application markets, by always checking the permissions an app requests, by being aware of unusual behavior on the phone, and by installing a mobile security app.
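Lookout's advice to check the permissions an app requests, together with its earlier observation that the repackaged games ask for permissions over and above what the originals request, becomes a concrete check when you have both the original APK and the suspect one. The script below is an added example, not Lookout's code. It assumes both APKs have been decoded so that their AndroidManifest.xml files are readable XML (apktool does this), and the two manifests, package name, permission choices and component names it embeds are constructed for the illustration. It goes slightly beyond the page by also diffing the services and receivers the manifest declares, since a Trojan that "runs in the background" has to declare its service in the manifest.

```python
"""Diff a suspect APK's manifest against the legitimate original's.

Added example, not Lookout's code.  Assumes both APKs were decoded (e.g. with
apktool) so AndroidManifest.xml is plain XML.  The two manifests embedded
below are constructed: the package, class and permission choices illustrate
the pattern the text describes (a repackaged game that gained location,
phone-identity and background-execution capabilities) and are not taken from
any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that map onto what Lookout says Geinimi collects and does:
# location coordinates, device and SIM identifiers, and the network path
# used to send them to a remote server.
HIGH_RISK = {
    "android.permission.ACCESS_FINE_LOCATION": "location coordinates",
    "android.permission.ACCESS_COARSE_LOCATION": "location coordinates",
    "android.permission.READ_PHONE_STATE": "device and SIM identifiers",
    "android.permission.INTERNET": "network access",
}

# Constructed manifest of a legitimate game (placeholder package name).
ORIGINAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Game">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed manifest of a repackaged build of the same game: same package
# name, extra permissions, and a grafted-in service and boot receiver.
REPACKAGED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Game">
    <activity android:name=".MainActivity"/>
    <service android:name="com.example.injected.BackgroundService"/>
    <receiver android:name="com.example.injected.BootReceiver"/>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Extract the package name, requested permissions and background components."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    permissions = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    components = {
        (tag, e.get(ANDROID_NS + "name"))
        for tag in ("service", "receiver")
        for e in root.iter(tag)
    }
    return {"package": root.get("package"),
            "permissions": permissions,
            "components": components}


def compare_manifests(original_xml, suspect_xml):
    """Report what the suspect manifest declares that the original does not."""
    original = parse_manifest(original_xml)
    suspect = parse_manifest(suspect_xml)
    extra_permissions = sorted(suspect["permissions"] - original["permissions"])
    return {
        # Same package name with different contents is the repackaging tell.
        "same_package": original["package"] == suspect["package"],
        "extra_permissions": extra_permissions,
        "high_risk": {p: HIGH_RISK[p] for p in extra_permissions if p in HIGH_RISK},
        "extra_components": sorted(suspect["components"] - original["components"]),
    }


if __name__ == "__main__":
    report = compare_manifests(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST)
    print("same package name:", report["same_package"])
    for perm in report["extra_permissions"]:
        print(f"extra permission {perm}: {report['high_risk'].get(perm, 'not in high-risk list')}")
    for kind, name in report["extra_components"]:
        print(f"extra {kind}: {name}")
```

A suspect build that keeps the original package name but adds READ_PHONE_STATE, a location permission and a new service is the shape Lookout describes, and the report says so in a few lines. Two caveats: the check needs a trusted copy of the original (from the official Market, as the text notes), and a clean diff is not a clean bill of health, since code grafted into an app can misuse permissions the original already held, INTERNET above all.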