The Geinimi trojan is also the first Android malware in the wild that displays botnet-like capabilities, a Lookout blog said. Once it is installed on the phone, it has the potential to receive commands from a remote server, enabling the owner of the server to control the phone.
Geinimi is grafted onto repackaged versions of legitimate smartphone applications and distributed in third-party Android app markets in China. So far, Lookout has not seen any compromised applications in the official Google Android app market.
The applications that contain the trojan usually are video games, such as Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010, the blog said.
When a host application containing the trojan is launched on a user’s Android phone, the malware runs in the background, collects sensitive information, and transmits it to a remote server, the blog explained.
Lookout said that the trojan can send location coordinates and device identifiers, download and prompt the user to install an app, prompt the user to uninstall an app, and enumerate and send a list of installed apps to the server.
The Geinimi trojan is able to hide its activities from the user through a number of sophisticated techniques. “In addition to using an off-the-shelf bytecode obfuscator, significant chunks of command-and-control data are encrypted. While the techniques were easily identified and failed to thwart analysis, they did substantially increase the level of effort required to analyze the malware”, the blog said.
Lookout recommends that Android users take a number of precautions to prevent infection: only download applications from trusted sources, always check the permissions an app requests, be aware of unusual behavior on the phone, and download a mobile security app for the phone.
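The "check the permissions an app requests" advice can be turned into a repeatable check. The script below is an added example, not code from the article or from Lookout: it reads a decoded AndroidManifest.xml (as produced by a tool such as apktool; the sample manifest here is constructed for illustration and is not Geinimi's real manifest), lists the declared permissions, maps them onto the capabilities the article attributes to the trojan (location, device identifiers, remote server contact, installing and removing apps), and reports any permission a simple game would not normally need. The permission names are real Android permissions; the capability labels and the "game baseline" set are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that enable the behaviours described in the article.
# Labels are this example's own wording, not Lookout's classification.
CAPABILITY_MAP = {
    "android.permission.ACCESS_FINE_LOCATION": "send location coordinates",
    "android.permission.ACCESS_COARSE_LOCATION": "send location coordinates",
    "android.permission.READ_PHONE_STATE": "read device identifiers",
    "android.permission.INTERNET": "contact a remote server",
    "android.permission.INSTALL_PACKAGES": "install applications",
    "android.permission.REQUEST_INSTALL_PACKAGES": "prompt to install applications",
    "android.permission.DELETE_PACKAGES": "remove applications",
}
# Note: enumerating installed apps needed no permission on Android of that
# era, so that capability cannot be detected from the manifest alone.

# Assumed set of permissions a plain casual game legitimately needs.
GAME_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.VIBRATE",
}

# Constructed sample: a repackaged game asking for far more than it should.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackagedgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Game"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the <uses-permission> names in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.findall("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def suspicious_capabilities(permissions):
    """Group declared permissions by the capability they would enable."""
    found = {}
    for perm in permissions:
        label = CAPABILITY_MAP.get(perm)
        if label:
            found.setdefault(label, []).append(perm)
    return found


def excess_permissions(permissions, baseline):
    """Permissions declared beyond what the expected app type needs, sorted."""
    return sorted(set(permissions) - set(baseline))


def report(manifest_xml, baseline=GAME_BASELINE):
    perms = declared_permissions(manifest_xml)
    lines = ["Declared permissions: %d" % len(perms)]
    for label, names in sorted(suspicious_capabilities(perms).items()):
        lines.append("  could %s via %s" % (label, ", ".join(names)))
    extra = excess_permissions(perms, baseline)
    if extra:
        lines.append("Beyond a game's baseline: %s" % ", ".join(extra))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MANIFEST))
```

Run against a real decoded manifest, the interesting signal is the last line: a casual game that asks for location, phone identity and the ability to install or remove packages is the profile the article describes, and is worth a closer look before installing.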