Android Trojan with botnet capabilities found in the wild
A new, more sophisticated Trojan for Android devices has been spotted lurking on third-party Chinese Android app markets – the first ever piece of Android malware that has the capability to receive instructions from a remote server and thus become part of a botnet.
Dubbed “Geinimi”, the Trojan is attached to (obviously compromised) versions of legitimate applications – mostly games such as Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010.
So far, it has only been spotted being distributed through third-party Chinese app stores. Versions of these applications on the official Google Android Market have not been compromised.
When the affected application is installed on the device, it requires the user to grant more permissions than it would usually need. Geinimi then kicks into action, harvests the device’s location coordinates, the IMEI and IMSI (unique identifiers for the device and the SIM card), and transmits that information to a remote server via a number of hard-coded domain names.
Until now, the server hasn’t been spotted sending instructions to the Trojan, so its final purpose is not yet clear.
It is known, though, that it can download and prompt the user to install an app, prompt him to uninstall an app, and transmit a list of all the installed apps on the device to the aforementioned server.
Lookout’s researchers say that Geinimi also uses obfuscation techniques to hide its activities, so it will be more difficult to spot.
But users in general should suspect their devices of being infected by mobile malware if the phone presents unusual behavior such as automatic SMS sending to unknown recipients, automatic phone calls, stealthy installation of unknown applications, etc.
An occasional check of outbound calls and SMSs and of installed applications should become a habit for users.