The Register® — Biting the hand that feeds IT

Feeds

Chinese bot will slurp your Droid

Evil 'game' can also zombenate victims

By John Leyden, 31st December 2010
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

A Trojan capable of stealing data from infected Android smartphones, and bundled with botnet-style functionality, has appeared in China.

The mobile malware, dubbed Geinimi, which usually poses as gaming applications, has been uploaded onto third-party Chinese Android app markets. If installed, the malware sends personal data from compromised devices (specifically device identifiers, location information and list of installed applications) to a remote server.

Geinimi is also capable of receiving commands from remote servers controlled by hackers, this botnet-style functionality together with the use of code obfuscation techniques leads mobile security firm Lookout to describe the malware as the most sophisticated to appear on Android devices to date. This botnet control functionality is yet to be applied so the precise purpose of the malware remains unclear.

The very small number of Android infecting malware strains detected to date have included a Trojan capable of sending SMS messages to premium-rate numbers from compromised devices. The Trojan, which affected an unknown number of users, appeared on Russian-language sites offering pornographic video clips.

Both the Russian and Chinese Android Trojans relied on exploiting user searches for warez. Each of the Android malware strains was regionally targeted, and posed no risk to users who only downloaded apps from recognised sources.

Lookout, a mobile malware specialist that recently secured $19.5m in additional funding, sells anti-virus software for Android devices, hence its understandable interest in drawing attention to the Chinese malware. Alternative Android anti-virus apps exist, including alternative commercial software packages from likes of Symantec and Kaspersky as well as DroidSecurity's ad-supported antivirus app for Android handsets. ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (5)
Highly Rated
Anonymous Coward
Anonymous Coward

Some background info

The trojan's name is Geinimi or GeiNiMi (gay-nee-mee, 给你米), translated as "to give you rice" ("mi" could also mean metre). I see it in written contexts that may mean "to gain for you". Traditionally, Chinese idioms are four characters. I'm not a native Chinese speaker, but one source says this is a relatively new, modern idiom for "I give you my rice" (a quintessential Chinese staple), as in pushing or forcing it on them, implying the person doesn't rate or can't afford even rice, that they are a worthless member of society and pitiful.

This made CNET news in China on 2010-12-03 (http://www.cnetnews.com.cn/2010/1203/1956595.shtml) after it was publicized by NetQin (网秦, http://www.netqin.com), a mobile device security company in China who seems to be the first to identify it on 2010-11-26 (http://virus.netqin.com/android/BIT.GeiNiMi.A/). Their relation, if any, to Lookout Mobile Security who publicized the existence of the trojan in English-speaking markets, is unclear. I'm glad people in other parts of the world are being made aware. Rogue mobile apps, insecure apps, and trojans are a threat to virtually everyone.

This seems related to reports of backdoors in games for the Andoid platform as far back as 2010-10-27 (http://bbs.gfan.com/android-280850-1-1.html).

On one page of the Gfan site (http://bbs.gfan.com/android-283253-1-1.html), a user claimed that this is a trojan (or "implant") developed by an unscrupulous firm related to spamming and located in the Caohejing Development Zone, Shanghai. That user pointed a link a link to the website at geinimi.com, and there is an IIS webserver there, but it looks like all content has been deleted.

1
0
Tigra 07
Reply Icon

RE: AC

I got voted down last time i asked people to actually read what permissions something wanted.

It should really be common sense!

0
0
Anonymous Coward

so it steals phone identifiers and location information ...

Judging from the permission requests, most of the apps in the google app store already collect and send out this information. At least from the app reviews in the store, most users are hardly ever concerned with these permissions. Even when they are, they seem to serenely accept very improbable explanations from developers for why they need a certain privilege. There isn't much privacy on Android (or iphone for that matter), the only new angle here is the botnet capability.

0
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
133
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
60
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15