Friday, December 31, 2010

Android Trojan - Geinimi Raising the Bar...

A new Android Trojan has been found in the wild, and it has botnet-like capabilities.
Named Geinimi, it's the most sophisticated Android malware to date. Its impact appears to be limited so far, because the infected apps are available only on Chinese Android app markets. That's not to say it couldn't be packaged for other geographic regions, only that it hasn't been done as of yet.
 
The list of compromised applications includes Monkey Jump 2, President vs. Aliens, City Defense and Baseball Superstars 2010. The original versions in the official Android Market are not affected. Geinimi spreads by being grafted onto repackaged versions of legitimate applications, which are then distributed on Chinese Android application markets. The compromised applications request extensive permissions, and once installed on an Android phone, Geinimi can send personal data off the phone and accept commands from the remote control server.

When the application is launched, the Trojan lurks in the background, collecting user information: location coordinates and the phone's unique IMEI and SIM identifiers. At 5-minute intervals, Geinimi attempts to connect to a remote server and transmit the collected data. Geinimi currently communicates with 10 domain names, including widifu.com, udaore.com, frijd.com, islpast.com and piajesj.com.
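The 5-minute beaconing and the named domains give defenders two things to look for in network logs. The following is an added example (not from the original post) that scans a constructed DNS query log for the listed Geinimi domains and for any host contacted on a regular 5-minute cadence; the log format and sample entries are assumptions made for the example.

```python
"""Flag Geinimi-style C2 contact in DNS query logs (added example, not from the post)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Command-and-control domains named in the post.
GEINIMI_DOMAINS = {"widifu.com", "udaore.com", "frijd.com", "islpast.com", "piajesj.com"}

# Constructed sample log: "<timestamp> <client-ip> <queried-domain>" per line.
SAMPLE_LOG = """\
2010-12-31T10:00:02 10.0.0.7 widifu.com
2010-12-31T10:00:05 10.0.0.7 www.example.org
2010-12-31T10:05:03 10.0.0.7 widifu.com
2010-12-31T10:10:01 10.0.0.7 widifu.com
2010-12-31T10:15:02 10.0.0.7 widifu.com
2010-12-31T10:00:00 10.0.0.9 unlisted-host.example
2010-12-31T10:03:00 10.0.0.9 www.example.org
2010-12-31T10:05:00 10.0.0.9 unlisted-host.example
2010-12-31T10:10:00 10.0.0.9 unlisted-host.example
2010-12-31T10:18:30 10.0.0.9 www.example.org
"""

def parse_log(text):
    """Group query timestamps by (client, domain)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        ts, client, domain = line.split()
        seen[(client, domain)].append(datetime.fromisoformat(ts))
    return seen

def is_periodic(times, period=300, tolerance=10, min_hits=3):
    """True if successive queries land about `period` seconds apart (Geinimi: 5 min)."""
    if len(times) < min_hits:
        return False
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance

def find_beacons(text):
    """Return (client, domain, reason) for known C2 hosts and regular 5-minute talkers."""
    findings = []
    for (client, domain), times in parse_log(text).items():
        if domain in GEINIMI_DOMAINS:
            findings.append((client, domain, "known Geinimi C2 domain"))
        elif is_periodic(times):
            findings.append((client, domain, "5-minute beacon pattern"))
    return findings
```

Calling `find_beacons(SAMPLE_LOG)` flags 10.0.0.7 for the known domain and 10.0.0.9 for the unlisted host it queries every five minutes, while the irregular example.org lookups are ignored.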


Based on analysis of the malware code, the Trojan can also download an app and prompt the user to install it, prompt the user to uninstall an app, and send a list of installed apps to the server.
Since Geinimi still requires the user to confirm adding or removing an app, users should be vigilant and pay attention to every install and uninstall prompt. Users should also download applications only from reputable app markets, and check what permissions an app requests to make sure they match the app's features.

The malware authors have definitely "raised the bar": Geinimi obfuscates its activities by using an off-the-shelf bytecode obfuscator, which makes the code hard to decompile, and it encrypts significant chunks of command-and-control data, substantially increasing the effort required to analyze it.

