Android Trojan Emerges In U.S. Download Sites

Top 10 Security Stories Of 2010

Recently discovered Android Trojan software is more pervasive than security researchers originally believed. Dubbed Geinimi, the malware can siphon user data from an Android device and route it to remote servers for retrieval by attackers.

Mobile security firm Lookout discovered the malware last week, noting that legitimate games such as Monkey Jump 2, President vs. Aliens, and Baseball Superstars 2010 had been modified with the Trojan to request many more permissions than the original games required. Lookout said the software was available from third-party Android app stores located in China.

But on Wednesday, Symantec researcher Irfan Asrar said that "samples of the threat have found their way into North American and European hosted download sites as well in BitTorrent hosted collections of pirated games." He said that the attack still appeared designed to target Chinese Android smartphones, and that servers used to receive stolen data were still located in that region. What likely happened, he said, is that the original modified applications, which are popular, were simply picked up by other sites.

Asrar said that the Geinimi malware itself isn't revolutionary, per se, though it does a good job of applying innate Android capabilities for attack purposes. "A detailed analysis of this threat serves more as a testament to the ease of developing sophisticated code on a platform with good framework support than it does to establish any groundbreaking threat vectors," he said.

But the Android attack code is still effective. In particular, Asrar said that Geinimi can process more than 20 commands, connect with 11 different Web sites -- their locations were encrypted using DES -- and has its code obfuscated to make signature-based detection and reverse-engineering difficult.

"This does hint of an evolution in the Android threat landscape," he said.

Users of third-party download sites or pirated software are at risk, while Android Market users are not, because while the real and modified apps may look the same to end users, their underlying package names actually differ. Since Google requires package names to remain consistent from one version of an application to another -- so that it can accurately issue updates or revoke applications -- the modified code wouldn't pass muster, said Asrar.