The good news about Android’s Geinimi Trojan

Yes, the sophisticated Geinimi Trojan horse was specifically coded to target Android-based devices. That’s certainly bad news, but the situation could definitely could be much worse.

As Sophos security expert Graham Cluley notes, the Trojan – which is concealed in repackaged versions of various apps and games – has yet to make into the official Android Market.


“[This] means that you would only have been putting yourself at risk if you installed poisoned software from an unauthorized source,” he explained.

“And researchers at mobile security firm Lookout say they have only seen the software on unofficial Chinese app stores.”

According to Cluely, Android users would have to deliberately alter the settings on their smartphones and tablets to install software from such “unknown sources.”

“So, the sky is not falling – and it’s not the end of the the world as we know it if you love all things Android. [Still], Android users should still be sensible about security.

“Increasingly we are seeing examples of threats which only exist ‘within the browser’ or spreading entirely inside a social network, never touching your smartphone’s operating system. So, there are dangers out there whatever kind of browsing device you are using – [whether] desktop or laptop, mobile or tablet.”

As TG Daily previously reported, Geinimi is capable of harvesting personal data from Android-based devices and transferring it to remote servers.

The trojan has been positively identified in a number of repackaged apps including Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010.

So, how does it work?

Well, when a host application containing Geinimi is launched on a user’s phone, the Trojan runs in the background and collects user information including location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI).

At five minute intervals, Geinimi attempts to connect to a remote server using one of ten embedded domain names and transmit collected device information to the remote server.

“Geinimi’s author(s) have raised the sophistication bar significantly over and above previously observed Android malware by employing techniques to obfuscate its activities. In addition to using an off-the-shelf bytecode obfuscator, significant chunks of command-and-control data are encrypted,” Lookout security researchers confirmed.

“While the techniques were easily identified and failed to thwart analysis, they did substantially increase the level of effort required to analyze the malware.”