Pirated Apps Smuggle Trojans Onto Android Phones

A new Trojan that can create botnets has emerged in China, according to Lookout Mobile Security.

This Trojan, dubbed “Geinimi,” is the most sophisticated Android malware so far, the company said.

Once it’s installed on a user’s phone, Geinimi can receive commands from a remote server that lets that server’s owner control the smartphone.

Geinimi is apparently being spread through pirated versions of legitimate Android apps, mainly games, and is being distributed in third-party Android app stores in China.

How Geinimi Works

When a smartphone user launches an infected application containing Geinimi, the Trojan collects information in the background.

This information includes location coordinates and unique identifiers for the device and its SIM card, Lookout Mobile said.

Every five minutes, the Trojan tries to connect to a remote server using one of 10 embedded domain names. These domain names include;;; and, according to the security company.

If Geinimi manages to connect to the remote server, it will upload information it collected. The Trojan also prompts the user to uninstall an app, and it sends a list of installed apps to the remote server, Lookout Mobile said.

The malware’s creators have used an off-the-shelf bytecode obfuscator to hide the code and have encrypted some of the command-and-control data. This data comes into play when the Trojan connects back from a victim’s smartphone to the remote server.

Where the Virus Lurks

Pirated applications that include the Trojan that are available in Chinese app stores include “Monkey Jump 2;” “Sex Positions;” “President vs. Aliens;” “City Defense;” and “Baseball Superstars 2010,” Lookout Mobile said.

However the original versions of these apps that are in the official Google Android Market have not been affected, Lookout Mobile said.

“The Trojan is an add-on, so it could be uploaded to any app on the Android Market, but so far the infected apps have only shown up in the Chinese app markets,” Kevin Mahaffey, chief technology officer at Lookout Mobile, told TechNewsWorld.

“We contacted the developers, and they didn’t know this was going on or that their games were being pirated,” Mahaffey added.

Green Isn’t Always Good

“We see the exact same thing with software for Windows in China all the time,” Chester Wisniewski, a senior security adviser at Sophos, told TechNewsWorld.

“The malware authors convert legitimate Windows apps into adware and offer it for free, and it wouldn’t surprise me if they took the same approach with Android,” Wisniewski explained. “There’s a term in Chinese that translates to something like ‘green software,’ and that refers to pirated versions of software.”

About 80 percent of so-called green software on websites in China contain malware, Wisniewski said.

No Sailing the 7 Seas Yet

Geinimi was discovered on a user forum in China, Lookout Mobile’s Mahaffey said.

While the malware currently affects only users in China, it could well spread elsewhere.

“Mobile devices have a fairly international user base, and there’s a lot of cross-pollination of apps,” Mahaffey pointed out. “But so far, the market is still localized.”

Google can easily prevent the spread of the Trojan by kicking the app off Android, Randy Abrams, director of technical education at ESET, pointed out. “Why hasn’t Google done anything yet?” he asked.

Google didn’t respond to requests for comment by press time.

A Smartphone Is Not Just a Phone

Smartphone users need to realize that their devices are “really powerful little computers,” ESET’s Abrams told TechNewsWorld.

For example, Android-based smartphones can be used to launch distributed denial of service (DDoS) attacks against websites, Abrams said.

“Right now, people are constantly installing apps that tell you they will access the Internet, or send and receive text messages, or send and receive email,” Abrams pointed out. “These apps are paid for by advertising. The Trojan takes things one step further in that it can create a botnet. But in terms of giving up privacy, people are already doing that by installing free games and apps.”

Android offers users two types of protection, Lookout Mobile’s Mahaffey said. One is that the apps users download must ask for permission if they want to access any of the operating system’s features.

The other type of protection blocks sideloading, which is the technical term for users downloading apps from unknown sources. In order to download pirated apps, which may contain the Geinimi Trojan, Android smartphone owners need to turn off sideloading protection, Mahaffey said.

That’s exactly what they shouldn’t do; after all, they don’t turn antivirus off on their PCs before downloading applications.

“Treat your smartphone like you would your PC, and make sure that all the things you safeguard on your PC you safeguard on your smartphone,” Mahaffey stated.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Richard Adhikari
More in Malware

Technewsworld Channels