Android Trojan Emerges In U.S. Download Sites

Games infected with botnet-like Geinimi attack code have spread to third-party U.S. and European sites as well as BitTorrent hosted collections, finds Symantec.

Recently discovered Android Trojan software is more pervasive than security researchers originally believed. Dubbed Geinimi, the malware can siphon user data from an Android device and route it to remote servers for retrieval by attackers.

Mobile security firm Lookout discovered the malware last week, noting that legitimate games such as Monkey Jump 2, President vs. Aliens, and Baseball Superstars 2010 had been modified with the Trojan to request many more permissions than the original games required. Lookout said the software was available from third-party Android app stores located in China.



But on Wednesday, Symantec researcher Irfan Asrar said that "samples of the threat have found their way into North American and European hosted download sites as well as in BitTorrent hosted collections of pirated games." He said the attack still appeared designed to target Chinese Android smartphones, and that the servers used to receive stolen data were still located in that region. What likely happened, he said, is that the original modified applications, which are popular, were simply picked up and mirrored by other sites.

Asrar said that the Geinimi malware itself isn't revolutionary, per se, though it does a good job of applying innate Android capabilities for attack purposes. "A detailed analysis of this threat serves more as a testament to the ease of developing sophisticated code on a platform with good framework support than it does to establish any groundbreaking threat vectors," he said.

But the Android attack code is still effective. In particular, Asrar said that Geinimi can process more than 20 commands, connect with 11 different Web sites -- their locations were encrypted using DES -- and has its code obfuscated to make signature-based detection and reverse-engineering difficult.

"This does hint of an evolution in the Android threat landscape," he said.

Users of third-party download sites or pirated software are at risk, while Android Market users are not, said Asrar. Although the real and modified apps may look identical to end users, their underlying package names differ. Because Google requires an application's package name to remain consistent from one version to the next -- so that it can accurately issue updates or revoke applications -- the repackaged code wouldn't pass muster in the official market.
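The two repackaging signs described in this article, a package name that differs from the known-good build and a permission list that has grown beyond what the original game requested, can be checked from `aapt dump badging` output. The following is an added example, not code from the article or from Symantec or Lookout; the package names and permission sets in the sample dumps are constructed placeholders, not those of the real games, and the script assumes the `package: name='...'` and `uses-permission:` line formats that aapt emits.

```python
import re
from dataclasses import dataclass, field

# Line shapes that `aapt dump badging` has used over the years:
#   package: name='com.foo' versionCode='3' versionName='1.0' ...
#   uses-permission: name='android.permission.INTERNET'   (newer aapt)
#   uses-permission:'android.permission.INTERNET'         (older aapt)
PKG_RE = re.compile(r"^package: name='([^']+)'")
PERM_RE = re.compile(r"^uses-permission:(?: name=)?'([^']+)'")

@dataclass
class ApkSummary:
    package: str = ""
    permissions: set = field(default_factory=set)

def parse_badging(text: str) -> ApkSummary:
    """Extract the package name and requested permissions from aapt badging output."""
    summary = ApkSummary()
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            summary.package = m.group(1)
            continue
        m = PERM_RE.match(line)
        if m:
            summary.permissions.add(m.group(1))
    return summary

def compare_to_baseline(candidate: ApkSummary, baseline: ApkSummary) -> dict:
    """Flag a package name that differs from the known-good build and any
    permissions the original build never asked for."""
    return {
        "package_mismatch": candidate.package != baseline.package,
        "extra_permissions": sorted(candidate.permissions - baseline.permissions),
    }

# Constructed sample dumps (placeholder names, not the real games' values).
BASELINE_DUMP = """\
package: name='com.example.monkeyjump2' versionCode='7' versionName='1.2'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.VIBRATE'
"""

CANDIDATE_DUMP = """\
package: name='com.example.monkeyjump2.free' versionCode='7' versionName='1.2'
uses-permission:'android.permission.INTERNET'
uses-permission:'android.permission.VIBRATE'
uses-permission:'android.permission.READ_CONTACTS'
uses-permission:'android.permission.ACCESS_FINE_LOCATION'
uses-permission:'android.permission.SEND_SMS'
"""

def check_sample() -> dict:
    """Compare the constructed candidate dump against the constructed baseline."""
    return compare_to_baseline(parse_badging(CANDIDATE_DUMP), parse_badging(BASELINE_DUMP))
```

Run `aapt dump badging app.apk` on a trusted copy and on the suspect download, and feed both outputs to `compare_to_baseline` to get the same report for real files.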
