Android Trojan Malware Geinimi Hits Android Smartphones in China

There's a new Trojan found in China that can not only read information on the phone but also control it.  Lookout, the mobile security vendor, reported that a new Trojan dubbed "Geinimi", distributed through app stores in China, can compromise a significant amount of personal data on a user's phone and send it to remote servers.

The most sophisticated Android malware Lookout has
seen to date, Geinimi is also the first Android malware in the wild that
displays botnet-like capabilities.  Once the malware is installed on a
user's phone, it has the potential to receive commands from a remote
server that allows the owner of that server to control the phone.

Geinimi is effectively being "grafted" onto repackaged versions of
legitimate applications, primarily games, and distributed in third-party
Chinese Android app markets.  The affected applications request
extensive permissions over and above the set that is requested by their
legitimate original versions.  Though the intent behind this Trojan isn't
entirely clear, possible motives range from a malicious ad network to an attempt to build an Android botnet.

Lookout has already delivered an update for its Android users to
protect them against known instances of the Trojan.  If you are already a
Lookout user (free or premium), you are protected and no action is
needed.

How it Works:

When a host application containing Geinimi is launched on a user's
phone, the Trojan runs in the background and collects significant
information that can compromise a user's privacy.  The specific
information it collects includes location coordinates and unique
identifiers for the device (IMEI) and SIM card (IMSI).  At five-minute
intervals, Geinimi attempts to connect to a remote server using one of
ten embedded domain names.  A subset of the domain names includes
www.widifu.com, www.udaore.com, www.frijd.com, www.islpast.com, and
www.piajesj.com.  If it connects, Geinimi transmits collected device
information to the remote server.
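The five-minute check-in to a fixed set of domains described above is something a defender can look for in DNS or proxy logs. The following is an added example, not code from the original post or from Lookout: it assumes a constructed log format of "timestamp client domain", uses only the five indicator domains the write-up names, and, as a generalization, also flags any client whose query timing clusters around a five-minute period, so it still fires if the embedded domain list changes.

```python
"""Constructed example: flag Geinimi-style beaconing in DNS query logs.

Assumptions (not from the Lookout write-up): the log format is
"<ISO-8601 timestamp> <client> <queried domain>", and the five domains
quoted in the write-up are the only indicators available.
"""
from collections import defaultdict
from datetime import datetime

# Indicator domains quoted in the write-up (a subset of the ten embedded).
GEINIMI_DOMAINS = {
    "www.widifu.com", "www.udaore.com", "www.frijd.com",
    "www.islpast.com", "www.piajesj.com",
}

# Constructed sample log: one phone (10.0.0.7) checking in every five
# minutes to rotating indicator domains, plus ordinary traffic from 10.0.0.9.
SAMPLE_LOG = """\
2010-12-29T10:00:00 10.0.0.7 www.widifu.com
2010-12-29T10:00:12 10.0.0.9 www.example.org
2010-12-29T10:05:01 10.0.0.7 www.udaore.com
2010-12-29T10:10:00 10.0.0.7 www.frijd.com
2010-12-29T10:11:40 10.0.0.9 www.example.org
2010-12-29T10:15:02 10.0.0.7 www.islpast.com
2010-12-29T10:20:01 10.0.0.7 www.piajesj.com
"""


def parse_log(text):
    """Yield (timestamp, client, domain) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, domain = line.split()
        yield datetime.fromisoformat(ts), client, domain.lower()


def find_indicator_hits(text):
    """Return {client: [domains]} for every query to a known Geinimi domain."""
    hits = defaultdict(list)
    for _ts, client, domain in parse_log(text):
        if domain in GEINIMI_DOMAINS:
            hits[client].append(domain)
    return dict(hits)


def find_periodic_clients(text, period_s=300, tolerance_s=15, min_hits=3):
    """Return {client: regular_gap_count} for clients whose consecutive
    queries are spaced period_s apart (within tolerance_s).

    This keys on timing rather than on the indicator set, so it catches
    the five-minute check-in even to domains not on the list.
    """
    by_client = defaultdict(list)
    for ts, client, _domain in parse_log(text):
        by_client[client].append(ts)
    periodic = {}
    for client, stamps in by_client.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = [g for g in gaps if abs(g - period_s) <= tolerance_s]
        # N regular gaps means N+1 evenly spaced queries.
        if len(regular) + 1 >= min_hits:
            periodic[client] = len(regular)
    return periodic


if __name__ == "__main__":
    print("indicator hits:", find_indicator_hits(SAMPLE_LOG))
    print("periodic clients:", find_periodic_clients(SAMPLE_LOG))
```

The tolerance window matters: the sample shows the check-in drifting by a second or two, and real phones that sleep or lose signal will drift more, so tune `tolerance_s` to the noise you see before alerting on the periodic rule alone.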

Though Lookout has seen Geinimi communicate with a live server and
transmit device data, they have yet to observe a fully operational control
server sending commands back to the Trojan.  Lookout's analysis of Geinimi's
code is ongoing, but they have evidence of the following capabilities:

  • Send location coordinates (fine location).
  • Send device identifiers (IMEI and IMSI).
  • Download and prompt the user to install an app.
  • Prompt the user to uninstall an app.
  • Enumerate and send a list of installed apps to the server.

While Geinimi can remotely initiate an app to be downloaded or
uninstalled on a phone, a user still needs to confirm the installation
or uninstallation.

Geinimi's author(s) have raised the sophistication bar significantly
over and above previously observed Android malware by employing
techniques to obfuscate its activities.  In addition to using an
off-the-shelf bytecode obfuscator, significant chunks of
command-and-control data are encrypted.  While the techniques were
easily identified and failed to thwart analysis, they did substantially
increase the level of effort required to analyze the malware.

How to Stay Safe:

  • Only download applications from trusted sources, such as
    reputable application markets.  Remember to look at the developer
    name, reviews, and star ratings.
  • Always check the permissions an app requests.  Use common sense
    to ensure that the permissions an app requests match the features
    the app provides.
  • Be aware that unusual behavior on your phone could be a sign
    that your phone is infected.  Unusual behaviors include: unknown
    applications being installed without your knowledge, SMS messages
    being automatically sent to unknown recipients, or phone calls
    automatically being placed without you initiating them.
  • Download a mobile security app for your phone that scans every
    app you download.  Lookout users automatically receive protection
    against this Trojan.
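The second piece of advice above, checking that an app's permissions match its features, is exactly the check that catches a repackaged game: the write-up notes the infected versions request permissions over and above the legitimate originals. The following added example, not code from the original post or from Lookout, diffs the `<uses-permission>` entries of two constructed AndroidManifest.xml files (a made-up puzzle game and a repackaged copy of it) and maps each extra permission to the capability it would enable. The mapping of permissions to the capabilities described in the write-up is an assumption of this example, not a statement of which permissions Geinimi actually requests.

```python
"""Constructed example: compare the permissions declared by a repackaged
app against its legitimate original. Both manifests are constructed and
are not Geinimi's; the SENSITIVE mapping is an assumption for illustration.
"""
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that would correspond to the data-collection and control
# behaviour described in the write-up (an assumed mapping, not Lookout's).
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "fine location",
    "android.permission.READ_PHONE_STATE": "IMEI/IMSI device identifiers",
    "android.permission.INTERNET": "network access to a remote server",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run without being launched",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.CALL_PHONE": "place phone calls",
}

# Constructed manifest of a legitimate game: network for a high-score
# board and vibration for feedback, nothing else.
ORIGINAL_GAME_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# Constructed manifest of a repackaged copy with extra permissions grafted on.
REPACKAGED_GAME_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def excess_permissions(original_xml, candidate_xml):
    """Permissions the candidate requests that the original did not."""
    return declared_permissions(candidate_xml) - declared_permissions(original_xml)


def explain_excess(original_xml, candidate_xml):
    """Map each excess permission to the capability it enables.

    Permissions outside SENSITIVE are reported as 'not in watch list'
    rather than dropped, so the reviewer still sees every addition.
    """
    return {
        perm: SENSITIVE.get(perm, "not in watch list")
        for perm in sorted(excess_permissions(original_xml, candidate_xml))
    }


if __name__ == "__main__":
    for perm, why in explain_excess(ORIGINAL_GAME_MANIFEST,
                                    REPACKAGED_GAME_MANIFEST).items():
        print(f"extra permission {perm}: {why}")
```

On a real device the same comparison is done by eye in the install dialog: a puzzle game that wants your precise location, phone identity and the ability to send SMS is asking for far more than its features need, which is the mismatch the advice above tells users to look for.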