December 29, 2010

Security Alert: Geinimi, Sophisticated New Android Trojan Found in Wild

Looking for more information on mobile threats like Geinimi? Check out Lookout’s Top Threats resource.

The Threat:
A new Trojan affecting Android devices has recently emerged in China. Dubbed “Geinimi” based on its first known incarnation, this Trojan can compromise a significant amount of personal data on a user’s phone and send it to remote servers. The most sophisticated Android malware we’ve seen to date, Geinimi is also the first Android malware in the wild that displays botnet-like capabilities. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone.

Geinimi is effectively being “grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. The affected applications request extensive permissions over and above the set requested by their legitimate original versions. Though the intent of this Trojan isn’t entirely clear, the possibilities range from a malicious ad network to an attempt to create an Android botnet.

Lookout has already delivered an update for its Android users to protect them against known instances of the Trojan. If you are already a Lookout user (free or premium), you are protected and no action is needed.

How it Works:
When a host application containing Geinimi is launched on a user’s phone, the Trojan runs in the background and collects significant information that can compromise a user’s privacy. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI). At five-minute intervals, Geinimi attempts to connect to a remote server using one of ten embedded domain names. A subset of the domain names includes www.widifu.com, www.udaore.com, www.frijd.com, www.islpast.com and www.piajesj.com. If it connects, Geinimi transmits the collected device information to the remote server.

Though we have seen Geinimi communicate with a live server and transmit device data, we have yet to observe a fully operational control server sending commands back to the Trojan. Our analysis of Geinimi’s code is ongoing but we have evidence of the following capabilities:

  • Send location coordinates (fine location)
  • Send device identifiers (IMEI and IMSI)
  • Download and prompt the user to install an app
  • Prompt the user to uninstall an app
  • Enumerate and send a list of installed apps to the server

While Geinimi can remotely initiate an app to be downloaded or uninstalled on a phone, a user still needs to confirm the installation or uninstallation.

Geinimi’s author(s) have raised the sophistication bar significantly over and above previously observed Android malware by employing techniques to obfuscate its activities. In addition to using an off-the-shelf bytecode obfuscator, significant chunks of command-and-control data are encrypted. While the techniques were easily identified and failed to thwart analysis, they did substantially increase the level of effort required to analyze the malware. The Lookout Security team is continuing to analyze capabilities of new and existing Geinimi variants and will provide more information as we uncover it.
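The beaconing behaviour described above (a check-in every five minutes to one of a fixed set of hostnames) is something a network defender can look for in resolver or proxy logs. The following is an added example, not code from Lookout or from the Trojan itself: it parses a constructed DNS query log, flags lookups of the C2 domains named in this post, and reports clients whose lookups recur at roughly five-minute spacing. The log format (`<ISO time> <client> <qname>`), the sample lines, and the 30-second jitter tolerance are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The subset of Geinimi's ten embedded C2 hostnames that the post lists.
GEINIMI_C2_DOMAINS = {
    "www.widifu.com", "www.udaore.com", "www.frijd.com",
    "www.islpast.com", "www.piajesj.com",
}

# Geinimi checks in every five minutes; the tolerance (an assumption) absorbs jitter.
BEACON_INTERVAL = timedelta(minutes=5)
BEACON_TOLERANCE = timedelta(seconds=30)

# Constructed resolver log lines for the example (not real captures).
SAMPLE_DNS_LOG = """\
2010-12-28T10:00:02 10.0.0.7 www.widifu.com
2010-12-28T10:00:40 10.0.0.7 market.android.com
2010-12-28T10:05:03 10.0.0.7 www.udaore.com
2010-12-28T10:06:10 10.0.0.9 www.google.com
2010-12-28T10:10:01 10.0.0.7 www.frijd.com
2010-12-28T10:15:04 10.0.0.7 www.islpast.com
2010-12-28T10:20:00 10.0.0.7 www.piajesj.com
2010-12-28T10:21:12 10.0.0.9 www.widifu.com
""".splitlines()


def parse_dns_log(lines):
    """Parse '<ISO time> <client> <qname>' lines into tuples, skipping malformed ones."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        # Normalise the query name: lower-case, no trailing dot.
        records.append((ts, parts[1], parts[2].lower().rstrip(".")))
    return records


def find_c2_queries(records):
    """Return every record whose query name is a known Geinimi C2 host."""
    return [r for r in records if r[2] in GEINIMI_C2_DOMAINS]


def beaconing_clients(records, min_hits=3):
    """Map client -> count of C2 lookups forming a chain spaced ~5 minutes apart.

    A single hit on a C2 domain is already worth an alert; this adds the
    periodicity signal so the two can be scored separately.
    """
    by_client = defaultdict(list)
    for ts, client, _ in find_c2_queries(records):
        by_client[client].append(ts)

    result = {}
    for client, times in by_client.items():
        times.sort()
        regular_gaps = 0
        for earlier, later in zip(times, times[1:]):
            if abs((later - earlier) - BEACON_INTERVAL) <= BEACON_TOLERANCE:
                regular_gaps += 1
        hits = regular_gaps + 1
        if hits >= min_hits:
            result[client] = hits
    return result


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for ts, client, qname in find_c2_queries(recs):
        print(f"C2 lookup  {ts}  {client} -> {qname}")
    for client, hits in beaconing_clients(recs).items():
        print(f"periodic beaconing: {client} ({hits} lookups at ~5 min spacing)")
```

Matching on the listed hostnames catches the variants described in this post; the periodicity check is the more durable signal, since a new variant could ship different domains but would still have to check in on its schedule.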

Who is affected?
Currently we only have evidence that Geinimi is distributed through third-party Chinese app stores. To download an app from a third-party app store, Android users need to enable the installation of apps from “Unknown sources” (often called “sideloading”). Geinimi could be packaged into applications for Android phones in other geographic regions. We have not seen any applications compromised by the Geinimi Trojan in the official Google Android Market.

There are a number of applications—typically games—we have seen repackaged with the Geinimi Trojan and posted in Chinese app stores, including Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010. It is important to remember that even though there are instances of the games repackaged with the Trojan, the original versions available in the official Google Android Market have not been affected. As the Lookout team finds more variants of the Geinimi Trojan grafted onto legitimate applications, we’ll provide timely updates.

As stated above, Lookout has already delivered an update for its Android users to protect them against known instances of the Trojan.

How to Stay Safe:

  • Only download applications from trusted sources, such as reputable application markets. Remember to look at the developer name, reviews, and star ratings.
  • Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
  • Be aware that unusual behavior on your phone could be a sign that your phone is infected. Unusual behaviors include: unknown applications being installed without your knowledge, SMS messages being automatically sent to unknown recipients, or phone calls automatically being placed without you initiating them.
  • Download a mobile security app for your phone that scans every app you download. Lookout users automatically receive protection against this Trojan.
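The post notes that the repackaged apps request permissions “over and above” what the original versions need, and the second tip above asks users to compare requested permissions against the app’s features. The following is an added example (not Lookout’s code or any tooling from the post) that automates that comparison: it parses two AndroidManifest.xml documents, lists the permissions the candidate requests beyond the original, and annotates the ones that expose the kinds of data Geinimi is described as collecting. Both manifests are constructed for the example and are not taken from any real app; the watch-list descriptions are the author’s summaries of what each standard Android permission grants.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest of a hypothetical original game (not a real app).
ORIGINAL_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

# Constructed manifest of a hypothetical repackaged copy of the same game.
REPACKAGED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

# Permissions a simple game rarely needs, keyed to what they expose.
WATCH_LIST = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_PHONE_STATE": "device identifiers (IMEI/IMSI)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start at boot without user launch",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.READ_CONTACTS": "read the address book",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared by <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        name = el.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.add(name)
    return names


def extra_permissions(original_xml, candidate_xml):
    """Permissions the candidate requests that the original does not, sorted."""
    return sorted(requested_permissions(candidate_xml) - requested_permissions(original_xml))


def review_extras(original_xml, candidate_xml):
    """Annotate each extra permission with what it exposes (or 'not on watch list')."""
    return {
        perm: WATCH_LIST.get(perm, "not on watch list")
        for perm in extra_permissions(original_xml, candidate_xml)
    }


if __name__ == "__main__":
    for perm, why in review_extras(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST).items():
        print(f"extra permission: {perm:55s} {why}")
```

The same comparison works across versions of one app from a trusted source: a sudden jump in requested permissions between updates deserves the same scrutiny as a repackaged copy.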

With the discovery of this new malware, it is more important than ever to pay attention to what you’re downloading. Stay alert and ensure that you trust every app you download. Stay tuned for more details on this threat.

46 comments
  1. simon says:

    what applications have this trojan can u put down a list so i can avoid-it ?

  2. alicia says:

    @Simon, There are a number of applications—typically games—we have seen repackaged with the Geinimi Trojan and posted in Chinese app stores, including Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010. As mentioned in the blog post, it is important to remember that even though there are instances of the games repackaged with the Trojan, the original versions available in the official Google Android Market have not been affected. As the Lookout team finds more variants of the Geinimi Trojan grafted onto legitimate applications, we’ll provide timely updates. Thanks for checking in!

  3. Josh says:

    Is it safe to assume that, while the original apps may be legit, the “third-party app markets” referred to here are distributing them without permission of the original developers? In other words, sites dedicated to app piracy?

  4. Steven says:

    Thanks For Looking Out for us :)

  5. ehooo says:

    Hi.
    Do you know if you find any antivirus?
    Do you have a link to VirusTotal?

  6. Josh says:

    When you say “third party app stores”, are these legitimate alternate markets, or shady sites dedicated to the distribution of pirated apps?

  7. anon says:

    Wow and you’ll protect my phone even tho I have the free version! Thanks guys! Do I need to go into the market and allow your software to update to be covered?

  8. Mike says:

    can the malware be removed after an Android-powered device is infected with it?

  9. Mike says:

    Hi Tim, any idea on the number of mobile devices infected to date? And any idea on the rate at which the trojan is spreading?

    Thanks!

    Mike

  10. Narg says:

    Sell your Android phone and move to the more secure iPhone or WP7. Sure they are more “closed”, but there is a good side to that too.

  11. Dinesh Venkatesan says:

    Very nice first hand info. Great job. Could you please share any info about the sample like MD5 or SHA value. It will help a lot in tracking the malware.

    Thanks in Advance!

  12. [...] Lookout Mobile Security has discovered a new mobile malware that attacks Android phones, and they classify it as the most dangerous found to date. [...]

  13. alicia says:

    @Josh, Yes, we can assume that the apps found with the malware are distributed without permission of the original developers.

  14. alicia says:

    @ehooo Our security team will be reaching out to you shortly.

  15. alicia says:

    @Anon We send “over the air” updates so there is no need to reinstall Lookout. You are already protected.

  16. alicia says:

    @Mike, Yes the malware can be removed. If a user has malware installed on their device, Lookout would detect it and prompt them to uninstall it. Currently Lookout protects against all instances of the malware discovered to date.

  17. alicia says:

    @Josh, These repackaged applications can appear on both reputable and less known third-party app stores.

  18. alicia says:

    @Mike At this stage it is hard to tell how many people are affected by the Trojan, but it appears different variations of it have been downloaded thousands of times. The impact could be in the hundreds of thousands.

  19. Captain VUCSA says:

    Can this be used to generate IRSF/PRS dialing? This seems like a much more straight forward way to monetize infected devices than spam/ad marketing.

  20. zuk says:

    Great job guys!!

  21. bobbo says:

    @Alicia,
    Do you have any samples we can play with? I’d like to observe their C2 protocol. Is it going over HTTP? What domains is it calling out to?

    Thanks,
    Bobbo

  22. [...] mobile malware, dubbed Geinimi, which usually poses as gaming applications, has been uploaded onto third-party Chinese Android app [...]

  23. Steve says:

    Thanks for the information. Do you have a referral program setup for websites to advertise your antivirus product? I didn’t even really know that there were antivirus apps for Android until now. Would love to get the word out for you.

  24. alicia says:

    @bobbo, If you reach out to our security team (security at mylookout dot com), they can share samples with you! I’ll also send your email to them.

  25. Tammy says:

    I hope this isn’t what happened to my phone… I had a Motoblur update yesterday… today a lot of my apps don’t work and all the contacts on my SIM card were removed so I had to import them again! I will contact my cell phone provider tomorrow to report it just in case. I did have Lookout on my phone before I got this update just FYI. Scary. Thanks for the information.

  26. Cristina says:

    Alicia,
    This antivirus of yours is free? How can I download it?

  27. Taylor says:

    Problem: Android Trojan
    Solution: Get a Palm Pre 2

    problem solved :)

  29. Bebibun says:

    Watchout for Gemini in your Android…

    A new trojan virus was found that attacks the android phone. The virus is called “Gemini”. Gemini originating from China was discovered by mobile security company, one of the company’s Internet security service provider in the United …

  30. Georges says:

    Wow, great! And I suppose you are currently selling the antidote? :O)

  31. alicia says:

    @George, Protection against Geinimi is available in both the free and premium version of Lookout. Thanks for checking in!

  32. alicia says:

    @Cristina, You can download Lookout Free by visiting the Android Market on your phone and searching for Lookout. Alternatively, you can visit the link below, a page on our website, and download Lookout by entering your phone number. This will prompt Lookout to send you an SMS with a link to download Lookout. https://www.mylookout.com/download-mobile-security. Please don’t hesitate to reach out to our support team if you need further help: support at mylookout dot com. Thanks!

  33. [...] a new Android-affecting trojan on the war path. Don’t freak out just yet! Mobile security blog LookOut posted about the trojan and its [...]

  34. [...] at the Lookout Mobile Security blog there’s news of a sophisticated new trojan spreading on Android devices. Dubbed Geinimi, the [...]

  35. [...] malware will probably lie there too. Well-funded mobile security startup Lookout has just posted a blog entry detailing what it calls “the most sophisticated Android malware to date”: a Trojan that’s [...]

  36. Paul Jakma says:

    FWIW, at least a few Chinese Android devices are not “Google TM” Android, and so do not have access to the official Google Android store. Instead they come pre-configured with some alternative, 3rd party store. E.g. the version of Android shipped on the Eken tablets, which I gather also ships on a number of other Chinese devices.

  37. [...] the heels of the Geinimi Trojan, Lookout has discovered a new Android Trojan that is repackaged in popular Android apps and [...]

  38. [...] Threat: On the heels of the Geinimi Trojan, Lookout has discovered a new Android Trojan that is repackaged in popular Android apps and [...]

  39. [...] malware which targets the Android platform, and displays botnet like characteristics. (See this blog at Lookout Mobile Security for more information). Geinimi originated in China, and also harvests [...]

  40. Don’t really understand it though, but Appreciation for trying to explain it. Appreciate you shedding light on this matter. keep up your work.

  42. Usbe says:

    [...] Link [...]

  43. [...] Sanix in Gadgets,Security on January 5, 2011 A new trojan has recently been discovered which is affecting the Android mobile Operating System. Android is an Open-Source [...]
