
Trojan.Android.Geinimi.A


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Trojan.Android.Geinimi.A is also known as Trojan-Spy.AndroidOS.Geinimi.a, AndroidOS_GEINIMI.A, Android/Geinimi.

Explanation:

Geinimi is one of the first trojan families for the Android platform. It is found hidden in various popular and legitimate Android games and applications. So far, the first version of this family has been seen bundled in apps such as:

Monkey Jump 2 (com.dseffects.MonkeyJump2)
Sex Positions Social (com.swampy.sexpos)
Aliens vs. President (com.computertimeco.android.alienspresident)

Malware authors appear to have taken these applications, added their own code and redistributed them through third-party Android markets and file-sharing sites. There has been no sign of Geinimi-infected apps in the official Google Android Market.

One user-visible difference between the original and the infected version of an application, which can be seen before installing the app, is the list of required permissions. Among these, the most important and dangerous are:

android.permission.READ_SMS
android.permission.SEND_SMS
android.permission.RECEIVE_SMS
android.permission.WRITE_SMS

These permissions give the Geinimi trojan full access to the user's SMS: the trojan can read existing messages, send new ones, and be notified when a new message is received.

android.permission.CALL_PHONE

This permission allows the trojan to initiate a phone call without requiring any input from the user.

android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_COARSE_LOCATION

These permissions give the trojan access to the cell ID or, more accurately, the GPS position of the user's phone.

android.permission.RESTART_PACKAGES

This permission (now deprecated) allowed the trojan to kill all background processes belonging to a given package name.

The trojan is composed of three components:

an activity, android:name="[g_pkg].c.rufCuAtj"
a service, android:name="[g_pkg].c.AndroidIME"
a broadcast receiver, android:name="[g_pkg].f"

[g_pkg] is a string composed of the original app's package name and a substring of its last component, e.g. com.dseffects.MonkeyJump2 -> com.dseffects.MonkeyJump2.jump2

The activity is started when the user taps the infected app's icon; it is also responsible for starting the service component and the original app's activity.
The broadcast receiver is started when a new SMS message is received.

As its payload, Geinimi sends private information (IMEI, IMSI, location etc.) to a remote server, from which it listens for commands such as: send/read SMS, send contact details, initiate calls, install/uninstall apps, open URLs.
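The two pre-install indicators described above (the dangerous permission set and the fixed component-name suffixes under [g_pkg]) can be checked mechanically from a decoded AndroidManifest.xml. The following Python script is an added example written for this page, not BitDefender's tooling: it parses a manifest, groups the permissions the write-up calls out, and flags components whose class names start with the app's own package (as [g_pkg] does) and end with the suffixes listed above. The manifest string is constructed for the example, modelled on the Monkey Jump 2 case.

```python
"""Triage a decoded AndroidManifest.xml for the Geinimi indicators described
on this page: the SMS/call/location/RESTART_PACKAGES permission set and the
[g_pkg].c.rufCuAtj / [g_pkg].c.AndroidIME / [g_pkg].f component names.
Added example; the sample manifest below is constructed, not a real capture."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree form of android:name

# Permission groups called out in the write-up, keyed by what they grant.
RISKY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS", "android.permission.WRITE_SMS"},
    "call": {"android.permission.CALL_PHONE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "kill_packages": {"android.permission.RESTART_PACKAGES"},
}

# Class-name suffixes from the write-up; the full name is [g_pkg] + suffix.
GEINIMI_COMPONENT_SUFFIXES = {
    "activity": ".c.rufCuAtj",
    "service": ".c.AndroidIME",
    "receiver": ".f",
}

# Constructed manifest resembling an infected Monkey Jump 2 package.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.dseffects.MonkeyJump2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RESTART_PACKAGES"/>
  <application>
    <activity android:name=".MonkeyJump2"/>
    <activity android:name="com.dseffects.MonkeyJump2.jump2.c.rufCuAtj"/>
    <service android:name="com.dseffects.MonkeyJump2.jump2.c.AndroidIME"/>
    <receiver android:name="com.dseffects.MonkeyJump2.jump2.f"/>
  </application>
</manifest>"""


def parse_manifest(xml_text):
    """Return (package, set of permission names, list of (tag, class name))."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    permissions = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    components = []
    app = root.find("application")
    if app is not None:
        for tag in ("activity", "service", "receiver"):
            for node in app.findall(tag):
                name = node.get(NAME_ATTR, "")
                if name.startswith("."):  # relative name: resolve against package
                    name = package + name
                components.append((tag, name))
    return package, permissions, components


def triage(xml_text):
    """Summarise which Geinimi indicators a manifest exhibits."""
    package, permissions, components = parse_manifest(xml_text)
    findings = {"package": package, "permission_groups": [],
                "all_sms": RISKY_PERMISSIONS["sms"] <= permissions,
                "suspicious_components": []}
    for group, names in RISKY_PERMISSIONS.items():
        if names & permissions:
            findings["permission_groups"].append(group)
    for tag, name in components:
        suffix = GEINIMI_COMPONENT_SUFFIXES[tag]
        # [g_pkg] is the original package plus one extra segment, so a Geinimi
        # component name starts with "<package>." and ends with a known suffix.
        if name.startswith(package + ".") and name.endswith(suffix):
            findings["suspicious_components"].append((tag, name))
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print("package:", result["package"])
    print("risky permission groups:", result["permission_groups"])
    print("all four SMS permissions:", result["all_sms"])
    for tag, name in result["suspicious_components"]:
        print("suspicious %s: %s" % (tag, name))
```

A hit on the component names alone is strong evidence, since the suffixes are specific to this family; the permission check on its own is only a prompt for closer inspection, because a legitimate messaging or navigation app can request the same permissions. The script expects a manifest already decoded to plain XML (an APK stores it in a binary form), and relative component names are resolved against the package attribute as Android does.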

Last update 21 November 2011
