Trojan can take over Android phones

A new and very sophisticated Trojan is hitting Android devices in China and endangering users worldwide.

Dubbed ‘Geinimi’, it can harvest large amounts of personal data on a user’s phone and send it to remote servers, says Lookout Mobile Security, describing it as ‘the most sophisticated Android malware we’ve seen to date’.

It’s also the first Android malware in the wild to display botnet-like capabilities, handing over control of the phone to a remote server.

Geinimi is turning up in repackaged versions of legitimate applications, mainly games, from third-party Chinese Android app markets. These include Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010. Lookout says it hasn’t seen any applications compromised by Geinimi in the official Google Android Market.

When a host application containing Geinimi is launched on a user’s phone, the Trojan runs in the background and collects user information including location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI).

At five-minute intervals, Geinimi attempts to connect to a remote server using one of ten embedded domain names and transmit the collected device information to it.
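Because the Trojan checks in on a fixed schedule and rotates among a handful of embedded domains, the regular cadence is a more durable detection signal than any single hostname. The following is an added example, not code from the article or from Lookout: it flags devices whose outbound connections form a chain spaced about five minutes apart regardless of destination; the log format, device ids and domain names are assumed and constructed.

```python
# Added example (not from the article or Lookout): flag devices whose outbound
# connections form a chain spaced ~PERIOD s apart, whichever domain each hop used,
# so a Trojan rotating among embedded domains is still caught. Data is constructed.
from collections import defaultdict
from datetime import datetime

PERIOD = 300    # expected beacon interval in seconds (five minutes)
TOLERANCE = 15  # allowed jitter in seconds
SAMPLE_LOG = """\
2010-12-30T10:00:00 phone-A c2-alpha.example
2010-12-30T10:02:11 phone-A cdn.example
2010-12-30T10:05:01 phone-A c2-beta.example
2010-12-30T10:10:00 phone-A c2-alpha.example
2010-12-30T10:15:02 phone-A c2-gamma.example
2010-12-30T10:20:00 phone-A c2-beta.example
2010-12-30T10:01:30 phone-B news.example
2010-12-30T10:17:45 phone-B mail.example
"""

def parse_log(text):
    """Return {device: [(epoch_seconds, domain), ...]} sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            ts, device, domain = line.split()
            events[device].append((datetime.fromisoformat(ts).timestamp(), domain))
    return {dev: sorted(conns) for dev, conns in events.items()}

def longest_beacon_chain(conns, period=PERIOD, tolerance=TOLERANCE):
    """Longest run of connections, each ~period after an earlier one (DP over
    time). Returns (run length, domains the run used)."""
    if not conns:
        return 0, set()
    best = [1] * len(conns)
    doms = [{d} for _, d in conns]
    for i, (t_i, d_i) in enumerate(conns):
        for j in range(i):
            if abs((t_i - conns[j][0]) - period) <= tolerance and best[j] + 1 > best[i]:
                best[i], doms[i] = best[j] + 1, doms[j] | {d_i}
    end = max(range(len(conns)), key=best.__getitem__)
    return best[end], doms[end]

def find_beacons(log_text, min_hits=4):
    """Return {device: sorted domains} for devices beaconing >= min_hits times."""
    hits = {}
    for device, conns in parse_log(log_text).items():
        length, domains = longest_beacon_chain(conns)
        if length >= min_hits:
            hits[device] = sorted(domains)
    return hits
```

On the constructed sample, phone-A is reported with its three rotating domains despite the unrelated CDN connection in between, while phone-B's irregular browsing is not.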

“Geinimi’s author(s) have raised the sophistication bar significantly over and above previously observed Android malware by employing techniques to obfuscate its activities. In addition to using an off-the-shelf bytecode obfuscator, significant chunks of command-and-control data are encrypted,” says Lookout.

“While the techniques were easily identified and failed to thwart analysis, they did substantially increase the level of effort required to analyze the malware.”