
Additional info on Geinimi

  • suesarkis@aol.com
    Message 1 of 1, Jan 3, 2011
      Security Alert: Geinimi, Sophisticated New Android Trojan Found in Wild
      (http://blog.mylookout.com/2010/12/geinimi_trojan/)
      The Threat:
      A new Trojan affecting Android devices has recently emerged in China.
      Dubbed “Geinimi” based on its first known incarnation, this Trojan can
      compromise a significant amount of personal data on a user’s phone and send it to
      remote servers. The most sophisticated Android malware we’ve seen to date,
      Geinimi is also the first Android malware in the wild that displays
      botnet-like capabilities. Once the malware is installed on a user’s phone, it has
      the potential to receive commands from a remote server that allow the owner
      of that server to control the phone.
      Geinimi is effectively being “grafted” onto repackaged versions of
      legitimate applications, primarily games, and distributed in third-party Chinese
      Android app markets. The affected applications request extensive permissions
      over and above the set that is requested by their legitimate original
      versions. Though the intent of this Trojan isn’t entirely clear, the
      possibilities for intent range from a malicious ad-network to an attempt to create
      an Android botnet.
      Lookout has already delivered an update for its Android users to protect
      them against known instances of the Trojan. If you are already a Lookout user
      (free or premium), you are protected and no action is needed.
      How it Works:
      When a host application containing Geinimi is launched on a user’s phone,
      the Trojan runs in the background and collects significant information that
      can compromise a user’s privacy. The specific information it collects
      includes location coordinates and unique identifiers for the device (IMEI) and
      SIM card (IMSI). At five minute intervals, Geinimi attempts to connect to a
      remote server using one of ten embedded domain names. A subset of the
      domain names includes www.widifu.com, www.udaore.com, www.frijd.com,
      www.islpast.com and www.piajesj.com. If it connects, Geinimi transmits collected
      device information to the remote server.
      Though we have seen Geinimi communicate with a live server and transmit
      device data, we have yet to observe a fully operational control server sending
      commands back to the Trojan. Our analysis of Geinimi’s code is ongoing but
      we have evidence of the following capabilities:
      * Send location coordinates (fine location)
      * Send device identifiers (IMEI and IMSI)
      * Download and prompt the user to install an app
      * Prompt the user to uninstall an app
      * Enumerate and send a list of installed apps to the server
      While Geinimi can remotely initiate an app to be downloaded or uninstalled
      on a phone, a user still needs to confirm the installation or
      Geinimi’s author(s) have raised the sophistication bar significantly over
      and above previously observed Android malware by employing techniques to
      obfuscate its activities. In addition to using an off-the-shelf bytecode
      obfuscator, significant chunks of command-and-control data are encrypted. While
      the techniques were easily identified and failed to thwart analysis, they
      did substantially increase the level of effort required to analyze the
      malware. The Lookout Security team is continuing to analyze capabilities of new
      and existing Geinimi variants and will provide more information as we
      uncover it.
      Who is affected?
      Currently we only have evidence that Geinimi is distributed through
      third-party Chinese app stores. To download an app from a third-party app store,
      Android users need to enable the installation of apps from “Unknown sources”
      (often called “sideloading”). Geinimi could be packaged into
      applications for Android phones in other geographic regions. We have not seen any
      applications compromised by the Geinimi Trojan in the official Google Android
      There are a number of applications—typically games—we have seen repackaged
      with the Geinimi Trojan and posted in Chinese app stores, including Monkey
      Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball
      Superstars 2010. It is important to remember that even though there are
      instances of the games repackaged with the Trojan, the original versions
      available in the official Google Android Market have not been affected. As the
      Lookout team finds more variants of the Geinimi Trojan grafted onto legitimate
      applications, we’ll provide timely updates.
      As stated above, Lookout has already delivered an update for its Android
      users to protect them against known instances of the Trojan.
      How to Stay Safe:
      * Only download applications from trusted sources, such as reputable
      application markets. Remember to look at the developer name, reviews, and
      star ratings.
      * Always check the permissions an app requests. Use common sense to
      ensure that the permissions an app requests match the features the app
      * Be aware that unusual behavior on your phone could be a sign that
      your phone is infected. Unusual behaviors include: unknown applications
      being installed without your knowledge, SMS messages being automatically sent
      to unknown recipients, or phone calls automatically being placed without you
      initiating them.
      * Download a mobile security app for your phone that scans every app
      you download. Lookout users automatically receive protection against this
      With the discovery of this new malware, it is more important than ever to
      pay attention to what you’re downloading. Stay alert and ensure that you
      trust every app you download. Stay tuned for more details on this threat.

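The advisory above gives a SOC two concrete handles on Geinimi: a short list of contacted domains (five of the ten embedded in the sample) and a fixed check-in cadence of roughly five minutes. The following script is an added example, not Lookout's code or anything from the original post. It parses constructed proxy/DNS-style log lines, flags clients that contacted the domains named in the advisory, and separately flags any (client, host) pair whose contacts arrive at a near-constant interval, which is what catches a variant using one of the five domains the advisory does not name. The log format, the sample timestamps and clients, the placeholder domain www.example-unknown.net, and the 10% tolerance and four-hit minimum are all assumptions made for the example.

```python
"""Detect Geinimi-style beaconing in constructed proxy/DNS log lines.

Added example (not Lookout's code). Two independent detections:
  1. exact match against the domains quoted in the advisory;
  2. cadence analysis: contacts to one host at a near-constant interval
     (the advisory reports five-minute check-ins), so that unknown
     C2 domains are still caught.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Domains quoted in the advisory (five of the ten embedded in the sample).
KNOWN_C2 = {
    "www.widifu.com", "www.udaore.com", "www.frijd.com",
    "www.islpast.com", "www.piajesj.com",
}

# Constructed log lines, format "<ISO timestamp> <client ip> <host>".
# 10.0.0.5 beacons to a known domain; 10.0.0.7 beacons to a domain
# not on the list (placeholder name); 10.0.0.9 is ordinary browsing.
SAMPLE_LOG = """\
2011-01-03T10:00:02 10.0.0.5 www.frijd.com
2011-01-03T10:00:05 10.0.0.9 www.google.com
2011-01-03T10:05:01 10.0.0.5 www.frijd.com
2011-01-03T10:07:40 10.0.0.9 market.android.com
2011-01-03T10:10:03 10.0.0.5 www.frijd.com
2011-01-03T10:15:02 10.0.0.5 www.frijd.com
2011-01-03T10:00:00 10.0.0.7 www.example-unknown.net
2011-01-03T10:05:00 10.0.0.7 www.example-unknown.net
2011-01-03T10:10:00 10.0.0.7 www.example-unknown.net
2011-01-03T10:15:00 10.0.0.7 www.example-unknown.net
2011-01-03T10:01:00 10.0.0.9 www.google.com
2011-01-03T10:30:00 10.0.0.9 www.google.com
2011-01-03T11:12:00 10.0.0.9 www.google.com
2011-01-03T11:13:00 10.0.0.9 www.google.com
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, host)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        events.append((datetime.fromisoformat(ts), client, host.lower()))
    return events


def find_known_c2(events):
    """Return {client: set(hosts)} for contacts with the advisory's domains."""
    hits = defaultdict(set)
    for _, client, host in events:
        if host in KNOWN_C2:
            hits[client].add(host)
    return dict(hits)


def find_periodic(events, expected=300, tolerance=0.10, min_hits=4):
    """Flag (client, host, mean_gap) triples contacted at a steady cadence.

    expected:  interval in seconds (300 = the five minutes in the advisory)
    tolerance: allowed relative drift of both the mean gap and its spread
               (assumed value, tune to the network's clock jitter)
    min_hits:  contacts required before judging a cadence (assumed value)
    """
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)

    flagged = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Both the average gap and its jitter must sit inside the tolerance
        # band; bursty human browsing fails the jitter test.
        if (abs(avg - expected) <= tolerance * expected
                and pstdev(gaps) <= tolerance * expected):
            flagged.append((client, host, avg))
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for client, hosts in find_known_c2(evts).items():
        print(f"KNOWN C2: {client} -> {sorted(hosts)}")
    for client, host, avg in find_periodic(evts):
        print(f"PERIODIC: {client} -> {host} every ~{avg:.0f}s")
```

On the sample data the domain match flags only 10.0.0.5, while the cadence check flags both 10.0.0.5 and 10.0.0.7 and ignores 10.0.0.9, whose visits are irregular. Cadence detection on its own is noisy (legitimate apps poll too), so treat a periodic hit as a lead to pivot on rather than a verdict, and confirm with the device identifiers or location data the advisory says the beacon carries.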