Dec 30, 2010 11:52 GMT

Researchers from mobile security provider Lookout have identified a new Android trojan capable of connecting to a remote server and receiving instructions.

Dubbed Geinimi, the trojan was discovered in China and is currently being distributed from local Android app markets. This means it can only infect devices with the sideloading option enabled.

The trojan is delivered as repackaged versions of popular applications, especially games like Monkey Jump 2, President vs. Aliens, City Defense or Baseball Superstars 2010.

These rogue versions request far more permissions during installation than the original apps do.

Once activated, Geinimi attempts to contact several domain names through the phone's Internet connection every five minutes.

If a connection is established, the trojan sends geolocation coordinates and unique device identifiers to the remote server.
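The fixed five-minute contact interval described above is something a defender can look for in DNS or proxy logs. The following Python sketch is an added example, not code from Lookout or from the trojan; the log format, device names, domains and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample DNS log lines: "ISO-timestamp device-id queried-domain".
# Device names and domains are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2010-12-30T10:00:02 phone-a c2-one.example
2010-12-30T10:05:01 phone-a c2-one.example
2010-12-30T10:10:03 phone-a c2-one.example
2010-12-30T10:15:02 phone-a c2-one.example
2010-12-30T10:20:04 phone-a c2-one.example
2010-12-30T10:01:10 phone-b news.example
2010-12-30T10:02:45 phone-b news.example
2010-12-30T10:19:30 phone-b news.example
2010-12-30T10:47:05 phone-b news.example
2010-12-30T10:00:00 phone-c mail.example
2010-12-30T10:05:00 phone-c mail.example
"""

def parse(log_text):
    """Group query timestamps by (device, domain), skipping malformed lines."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        seen[(parts[1], parts[2])].append(ts)
    return seen

def find_beacons(log_text, period=300, tolerance=15, min_events=4):
    """Return (device, domain, median_gap) for pairs queried at a steady period."""
    hits = []
    for (device, domain), stamps in parse(log_text).items():
        if len(stamps) < min_events:   # too few samples to call it periodic
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Every gap must sit near the expected period, allowing small jitter.
        if all(abs(g - period) <= tolerance for g in gaps):
            hits.append((device, domain, median(gaps)))
    return sorted(hits)

if __name__ == "__main__":
    for device, domain, gap in find_beacons(SAMPLE_LOG):
        print(f"{device} -> {domain}: every ~{gap:.0f}s")
```

Only phone-a is flagged: phone-b queries its domain at irregular intervals, and phone-c has too few events to establish a pattern.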

Attackers can also order the trojan to generate a list of installed apps and upload it to them, to download additional apps and prompt the user to install them, and to prompt the user to uninstall apps.

"Though the intent of this Trojan isn’t entirely clear, the possibilities for intent range from a malicious ad-network to an attempt to create an Android botnet," writes Timothy Wyatt, a researcher at Lookout.

The trojan could be the most complex piece of Android malware detected in the wild so far. It employs custom bytecode obfuscation and partially encrypts its communication with the command-and-control (C&C) server.

"Geinimi’s author(s) have raised the sophistication bar significantly over and above previously observed Android malware," Wyatt concludes.

Previous Android trojans were mostly of Russian origin and their purpose was to send SMS messages to premium rate numbers without the user's knowledge.

The only mobile malware to display botnet-like capabilities so far was a worm that circulated in November last year and infected jailbroken iPhones.