Android Trojan Found, Spreading From Chinese App Stores

wiredmikey writes that researchers from Lookout Mobile have discovered a sophisticated Trojan targeting Android devices. "The company says the mobile malware is 'The most sophisticated Android malware we've seen to date. Geinimi is also the first Android malware in the wild that displays botnet-like capabilities. Once the malware is installed on a user's phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone.' What makes the Trojan different from most 'standard' mobile malware is that Geinimi is being 'grafted' onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets."

First post

[GameboyRMH]

Posting from my Androi^B^B BUY HERBAL VIAGRA

Re:

[mark72005]

Certainly, the average doofus who bought "one of those smartphones" will be able to follow all those directions.

Re:

[shutdown -p now]

The average doofus wouldn't be downloading APKs from Chinese warez sites in the first place. He'd just be using Android Market.

Re:

[FredFredrickson]

I think you missed mark's point... the fix for this won't be easily deployed for anybody except slashdotters.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[BronsCon]

I shouldn't reply to the troll, but...

10 x .999 = 9.990

Therefore:
a = .999
10a = 9.990
10a - a = 9.990 - .999
9a = 8.991
a=.999

Re:

[thej1nx]

If the windows calculator tells you that 10 x .999 = 9.999, I think you'd better learn to use the calculator first.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ZenDragon]

Nobody cares man. Please go away.

Re:

[RocketRabbit]

A hosts file certainly does not require "a lot of work" to maintain, and it quite effectively kills a LOT of advertising and tracking schemes. In fact, I never would have considered trying to use it for ddefending against viruses or malware. But computer without "locally administered DNS poisoning" is ill equipped to be on the Internet these days unless you like herbal Viagra ads.

Re:Easy to stop, & how to do so... apk

[icebike]

ANDROID OS allows for the usage of custom HOSTS files,

None of that is necessary. Why even post this crap?

Simply load your apps from the Android market instead of dodgy Chinese warz sites.

Re:

[DrXym]

Exactly. If you download apps from some dodgy warez site you will receive absolutely everything you expect and deserve.

Re:

[gilesjuk]

But that's the reason people buy Android phones, to have the freedom to do stupid things and install dodgy software?

Re:

[Pieroxy]

But that's the reason people buy Android phones, to have the freedom to do stupid things and install dodgy software?

Right on. Choose your store, choose your virus. Android is much more of a general computing platform than iOS will ever be. And that's not always a good thing.

Re:

[bonch]

I thought the point of Android was that it was totally open and free?

Re:

[h4rr4r]

It won't. What will is a simple wipe to factory settings. Then the user just logs back in and this time only installs apps from reputable apps stores.

Re:

[cmdr_tofu]

Yeah because as we know malware authors are unsophisticated and easy to predict. They would never do anything like incrementing a number in a hostname www255.frigd.com www256.frigd.com. Why do you post nonsense as Anonymous Coward and sign as APK?

Re:

[CommunistHamster]

What if someone makes malware to make the phone dial premium-rate telephone numbers? Is this the return of the autodialler-type-virus?

Re:

[catmistake]

Ok, that's dynamite, Dino. Huh... HOSTS file. Yeah... just edit that on all you *nix devices and you're golden. Or you could run your own DNS... far less mucking about with adjusting HOSTS files like some square throwback admin from 1974. YMMV

Re:

[catmistake]

LMAO - I didnt say run the DNS on Android haha! Just run it SOMEWHERE. If you have a single *nix machine, mucking with the hosts file is fine. After you get a few machines, it gets old... fast.

Re:

[catmistake]

I can do that too. But you mislead... it's complicated... it's far more complex keeping track of many systems in an enterprise THAN A SINGLE DNS SERVER that you control. But you go ahead... party like it's 1974.

Re:

[catmistake]

FYI just so you know, that ac was a troll... I think you prolly picked up on that. Anyhoo, sticking to my guns here... configuring a single DNS is far less complicated than making sure 1000 computers have a the correct HOSTS file. You're way is perfectly valid... and when dealing with a handful of machines, I defer often to that method. But you're not thinking clearly if you believe wrangling 1000 HOSTS files (by whatever method you believe is as easy as breathing) is superior to one single DNS.

Re:

[cmdr_tofu]

So your solution to malware is to have users jailbreak/root their phones, and put in a bogus hosts file so that the malware cannot resolve its "control server"? And you think that's solved the problem?

Ok so what if the botnet uses IP addresses? Or the user does not have root access on their phone. Last and most important, your solution requires the user to know something about the malicious software they are installing specifically what hostnames it would try to resolve, before installing it. If the user

Re:

[cmdr_tofu]

http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34715272

Read that, it covers your points on this quote from you:

"Ok so what if the botnet uses IP addresses?" - by cmdr_tofu (826352) on Thursday December 30, @05:44PM (#34715798)

Sorry saying that malware writers "generally" don't use IP addresses, does not mean you can trust that they never will as a form of security.

"Or the user does not have root access on their phone" - by cmdr_tofu (826352) on Thursday December 30, @05:44PM (#34715798)

That's WHY I had to use ADB for Android (dev tools are the 'secret' here & they're free, afaik @ least, for phones!)

---

ADB does not give you a rootshell. It's not a secret. The dev tools are easily available from http://developer.android.com./ [developer.android.com] If you get a shell with adb on a non rooted device, I think you will have a tough time writing to /etc/hosts

People:

1.) Make mistakes

2.) Folks get "lured" into clicking on URL's that MIGHT be "bad ones" (tiny URL for example? It "backfires" here, imo @ least)... especially from folks you "trust"

3.) You might "let your guard down"?

There's others, those are just some "possibles"... offhand, on "short-notice" etc.! apk

Clicking a url, is not the same as installing an application, unless there are some serious software vulnerabilities I don't know about

Re:

[Pharmboy]

In a hosts file, don't you normally assign 127.0.0.1 (localhost) instead of 0.0.0.0 (default router/every ip)? Or is it different for phones for some reason?

Re:

[Pharmboy]

Speaking on behalf of everyone here, you are an idiot.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Tanktalus]

Side note: if the malware authors want a way around this, they can do one of a number of things:

• Query a specific nameserver (e.g., 8.8.8.8) instead of relying on the OS to resolve. Will be slower, but will bypass the hosts file.
• Just embed the destination IP address (obvious con: harder to move once caught/dismantled).

At least, that's off the top of my head.

It's always best, no matter the OS, to only install software from reputable sources. Admittedly, that's easier said than done as a general rule. In t

Re:

[RyuuzakiTetsuya]

yes, but owning an iOS device also means I can bait APK.

Re:

[node 3]

iOS is not invulnerable.

Nobody said it was. In your reply, you make the points that absolutely nothing is invulnerable, and that iOS is less vulnerable than Android, which supports, not refutes, the OP.

It's strange that whenever there are Android malware stories, or jailbroken iOS malware stories, that there are always posts saying that "iOS has vulnerabilities too, and all systems are insecure". Yet somehow, every single time it's not unhacked-iOS that gets the malware.

Inherently, Android is less secure than iOS. This is due to d

Re:

[node 3]

If you buy an Android and want to take security seriously, you stick to known websites to get your apps from, preferably just the Android Store. You simply don't go to warez.r.us.cn and load pirated/cracked apps. Stick to known good sites, and you're as secure as iOS.

If you buy an iOS device and want to load cracked apps, jailbreak it. Jailbreak it, and you're as insecure as everyone else.

Sure, if you go out of your way to make iOS insecure, and go out of your way to be secure on Android, you can be safer on Android.

But in their default states, and their intended usage patterns, iOS is more secure than Android.

The most dangerous insecurity is the illusion of security,

It is not an illusion. There have been no trojans/viruses/worms for non-jailbroken iOS devices. There have been some for jailbroken iOS devices and for Android phones.

People have been making the same claim about Mac OS X for a decade now, yet the deluge of OS X malware has failed to ma

ummm...

[snugge]

...no link?

Re:

[mcgrew]

Here you go. [cnet.com] And here's a better one. [gizmodo.com]

I guess RTFA went out the window entirely...

[AltairDusk]

Here's the story on the Lookout Blog. [mylookout.com]

Re:

[frinkster]

Thank you for the link... The blog post says that the Trojan can "control" the phone but nowhere does it say that "control" means anything other than prompting the user to install or delete other applications.

Re:

[Arivia]

You need a new grammar file.

And that's why children,

[Anonymous Coward]

proper code signing (and not letting unsigned code run) is important.

Re:

[bigredradio]

So do you always end your posts with "you're completely pathetic"? A little humility might suit you better. you're completely pathetic.

The problem with buying from Chinese app stores

[Anonymous Coward]

An hour later and you're hungry for privacy again.

Not "malware"

[Anonymous Coward]

Lookout Mobile appears to be in the process of trying to redefine "malware" to mean "software that sends more data about a phone to a remote server than Lookout think it should". This is not the standard definition of malware that we all know and love.

This Android "trojan" is not like regular viruses from the PC world in many ways. It cannot resist uninstallation. It cannot infect other applications. It cannot lie about what it will do - the permission screen states quite clearly what the apps in question have access to. It cannot steal your passwords or bank details.

There are legitimate questions to ask about apps that send phone IDs surreptitiously to some remote people, but calling these apps "trojans" or "malware" is dangerous, it makes people think they need a virus scanner for their phone when in reality they don't. That's exactly what "Lookout" want of course but it's no reason to believe them.

Re:

[owlstead]

If the software tries to send information without explicit consent from the user in one way or another, it's malware. Some of that information may be implicit (e.g. pointing out updates, retrieving news for a news application, sharing high-scores for games). Sending out personal information while the application is not meant for that information to be send is clearly malicious. If a program is designed to send information maliciously, isn't it malware (== malicious software) by definition?

Re:

[Riceballsan]

I believe the point is, it does have to get explicit permission when it is installed, the android prompts you when installing it asking Do you want to give this application access to Storage, Contact list, GPS cordinates, Internet access etc etc...
It is like a robber that has to knock on your door and ask you to give him your wallet, keys and laptop.

Re:

[owlstead]

It does so while giving you false information. Believe me, those kind of robbers are as common as the one that are breaking down your door, and can actually do way more damage. Or are you claiming that everybody that knocks on your door (or better, some unsuspecting elderly person) is to be trusted?

Re:

[abhi_beckert]

This *is* malware. From TFA:

"Once the malware is installed on a user's phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone."

From wikipedia:

"A Trojan horse, or Trojan, is malware that appears to perform a desirable function for the user prior to run or install but instead facilitates unauthorized access to the user's computer system."

This a textbook example of real malware.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[owlstead]

Mweh, I haven't had much need to go outside the Google Market to be honest. If I did, it was for some demo code or specialized geeky application which I don't think they will ever target. I don't think most people will visit such sites or share apps with friends (I get loads of tips on apps, but they are by name only, and I look them up / check them out in the Google Market myself). I cannot see anybody visiting Chinese app stores unless they are linked up with them by a Chinese provider.

Sounds like an INSIDE job...

[Frosty Piss]

This "well crafted" and "sophisticated" thing is attached to pirated games? Who's to say the game companies themselves didn't build and plant these to discourage pirated game use?

"Android Trojan Found"?

[RevWaldo]

EWWWW!! It was in the back of the machine shop? And it was covered in WD40? EWWWWW!!1!

.

Re:"Android Trojan Found"?

[localman57]

Really? I just saw a very distressed electric sheep running out the back door...

Re:

[DoomHamster]

Really? I just saw a very distressed electric sheep running out the back door...

Ewe......

Link to Post

[wiredmikey]

http://blog.mylookout.com/2010/12/geinimi_trojan/ [mylookout.com] -- From the myLookout Blog who made the discovery

Sorry, Android still rocks

[nicholas22]

Even if fanbois from various camps jump with joy/sorrow with the news, I still think that the open model that Android brought to the mobile world will be much more beneficial for everyone (end users, developers, companies, etc.) in the long run, all things considered. People saying that the Apple model is better than Android's are not realizing this.

Re:

[RocketRabbit]

Speaking of "fanbois" I don't believe anybody really claimed anything about Apple's phones yet. We won't let that ruin your day, though, so go ahead and troll on sister.

Re:

[thestudio_bob]

I still think that the open model that Android brought to the mobile world will be much more beneficial for everyone...

Beneficial in what sense? Not trying to be a troll, just curious. Personally, I think there should be both open/closed systems, it spurs innovation. But perhaps you have another take.

Anti-malware?

[kungfugleek]

So is anti-virus/anti-malware worth installing on an Android phone? Because, yeah, I don't like installing apps that ask for permissions, but it seems like almost every app asks for "Full Internet Access," at least. I can't always tell the good ones from the bad. Would a free anti-malware app help or is it just a waste of time?

Re:

[Kenja]

If your installing apps from a suspicious third party store operating out of China odds are that anti-virus software wont do you any good.

Re:

[RevWaldo]

It's the ad-supported free versions of apps that ask for Full Internet Access. Or you can crowbar a dollar out of your wallet and get the "standalone" version.

.

WTFA?

[Suzuran]

Where's The Fucking Article?

What The Fuck,Aye?

Punch Yourself in The Genitals ?:

[bl8n8r]

FTFA under "How it works":
* Download and prompt the user to install an app
* Prompt the user to uninstall an app

Question: If you were asked to punch yourself in the genitals, would you still click "Ok" ?

FTFA under "How to stay safe":
* Only download applications from trusted sources
* Always check the permissions an app requests

I think it's pretty obvious the malware writers were not able to circumvent the normal Android security measures to get the software installed.  The problem is that people who don't take responsibility to keep crap off their phones are going to get pwn3d.  Big surprise.

This is why....

[WindBourne]

I am not downloading ANY apps from CHina. You have to be an idiot to grab them.

can you feel the FUD coming?

[Zarf]

I can feel the FUD storm building...

You may not have a choice

[roc97007]

Awhile back I was looking at cheap Android devices for something that would play movies for long trips. There are many cheap (sub-$200) Android tablets out there that (probably for licensing reasons) do not have access to the Android marketplace. The literature says "you can download thousands of apps from other sources".

I'm thinking the great majority of the devices pwned by this virus will be of this cheap variety.

Re:

[AliasMarlowe]

AFAIK, Google does not approve of Android use on tablets, and tries to limit "official" access to the Android marketplace to smartphones. Of course, even if a vendor cannot link directly to the Android marketplace, there is often an app available which does give such access. For example, most of the Archos tablets can use the Android marketplace if you sideload the gApps4Archos.apk application (google for it). The app was tested and approved by various reputable review sites http://www.engadget.com/2010/10/ [engadget.com]

Re:

[tacarat]

If it's not Linus, then we might assume it's Rerun or Lucy.

Re:

[1000101]

So beware of downloading things from Chinese websites? That's news?

Um, what if you are Chinese?

Re:

[Anonymous Coward]

I've checked, and it turns out I'm not Chinese.

Re:

[Pharmboy]

Um, what if you are Chinese?

Sucks to be you.

Re:

[WindBourne]

Then your gov. already has your money and knows everything about you already.

Re:

[Joce640k]

The summary suggests that the list probably changed while you were writing that...

Re:

[swanzilla]

From TFA (linked above)

There are a number of applications—typically games—we have seen repackaged with the Geinimi Trojan and posted in Chinese app stores, including Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense and Baseball Superstars 2010.

Re:

[RocketRabbit]

Fucking President versus Aliens sounds like the best game ever. Brilliant move on the malware author's part to hide his warez in such a kick ass sounding game. If this was 1988 and I was down at the local arcade, and saw a game called President versus Aliens I would have put all my quarters into it by now.

Re:

[ArcherB]

my name is michael kristopeit.

You killed my father.

Prepare to die.

Re:

[h4rr4r]

No, I am Michael Kristopeit!

Re:

[mark72005]

Much better!!

Re:

[h4rr4r]

This is the only possible explanation.

Re:

[edumacator]

You're funny.

Re:A lot like Windows after all

[MrHanky]

Yeah, except this is not a virus and Android doesn't seem to be very susceptible to viruses.

Re:

[_Sprocket_]

Yeah, except this is not a virus and Android doesn't seem to be very susceptible to viruses.

Keep in mind that there HAS been Linux viruses ("virii" if you really want to annoy some folks) but they have a rather limited life span. The question is why. And does Android do anything to interfere with that? I suspect due to the nature of how Android and Android devices are handled (closer to the Windows environment than Linux), Android is a much more interesting target.

Re:

[MrHanky]

I'm not sure you can give an Android app permission to write to other application files, which a virus would need in order to spread. Then again, most Windows worms a couple of years back seemed to rely on user stupidity, and I don't think Android differs too much in that regard. An app that can read your address book and send SMS can also spam your contacts with "Hello friend, I just doanlowded this new Android game from http://spam-r-us.cn/andoird.apk [spam-r-us.cn] and its great, thank you!" or similar, and at least so

Re:

[owlstead]

Android is not Windows. App stores / package stores are much less susceptible to malware than each application having its own download/install/update mechanism. Beside that, Android apps play in a sandbox, and if you want to break out of that, you will have to inform the user. Of course, if you install apps using unsigned code from an unverifiable location and ignore all the permissions you have to grant...

Re:

[mlts]

My fear is that the other shoe will drop -- to "fix" the problem, each carrier will have its own app store and lock their devices to it.

Why is this bad?

Two reasons. First, developers will have to grease palms in order for their app to be usable by all. Second, carriers will want exclusivity agreements, so Goatse Tower Defense only appears on one cellular carrier, but no other. This will be used as a way to peddle phones, similar to how game titles are used to sell consoles (if you want Halo, you buy an X

Re:

[0123456]

Shame that Android is based on Linux then isn't it?..

Linux can't stop Joe Sixpack from downloading malware from the Internet and installing it on his computer. At least, not without becoming another iThing that only allows installation of Jobs-approved software.

Re:

[KublaiKhan]

You're right, it isn't fair to blame Windows for user-supplied malware.

However, that does not mean Windows is any more secure; not all windows malware is user-supplied.

Re:

[0123456]

And neither can Windows, yet it is always blamed for someone installing malware on their systems

What's the percentage of Windows users who install malware on their system rather than being hit by a remote exploit?

Pretty much every major Windows security story I've read in the last couple of years is due to some hole being exploited either in Windows or commonly used Windows software which lacks the sandboxing that's common on Linux (Apparmor, SELinux, etc), not users downloading trojans.

Re:

[ToasterMonkey]

Pretty much every major Windows security story I've read in the last couple of years is due to some hole being exploited either in Windows or commonly used Windows software which lacks the sandboxing that's common on Linux (Apparmor, SELinux, etc), not users downloading trojans.

Err, so we rip on UAC for a few years then pretend it doesn't exist when it's convenient?

Re:

[Desler]

Oh and many Linux distros do not come with either SELinux installed or even enabled by default so to try to act like that is common or even remotely universal is a lie.

Re:

[_Sprocket_]

What's the percentage of Windows users who install malware on their system rather than being hit by a remote exploit?

I don't know and I certainly doubt you do either. But considering how much anecdotal evidence there is to show that people are in large numbers willingly clicking on malware in emails and installing malware from pops to websites, it's not nearly as small as you try to make it out.

Not exactly a clear answer, but it looks like drive-by attacks are far higher up the threat list than attacks requiring user interaction.

http://news.softpedia.com/news/Drive-By-Download-Attacks-Were-the-Biggest-Online-Threat-Last-Month-170525.shtml [softpedia.com]

Re:

[Desler]

The windows security holes people complain about are generally not "Joe sixpack opened an EXE and clicked OK to the run as admin prompt",

That's funny because there are still constantly stories about people doing exactly that from files in their emails that install worms, trojans, viruses on their computer. Hell, I know someone from a local State Farm branch in Houston that had their entire office infected that way. To claim that this isn't a general case of malware infection is to be completely dishonest.

Re:A lot like Windows after all

[0123456]

Whenever anything bad happens on the android platform related to malware, trojans, etc this distinction is heavily downplayed.

Again, if I download and install malware on one of my Linux boxes, how is this a Linux problem?

Linux protects much better than Windows against remote attacks, it can't protect against stupid users.

Re:

[99BottlesOfBeerInMyF]

Whenever anything bad happens on the android platform related to malware, trojans, etc this distinction is heavily downplayed.

Again, if I download and install malware on one of my Linux boxes, how is this a Linux problem? Linux protects much better than Windows against remote attacks, it can't protect against stupid users.

Sure it can, at least a lot more than it does now. It can sandbox all apps by default, automatically check a malware blacklist and elevate permissions for trojans to ones that are useful to malware only when explicitly told to do so by the user, i.e. he goes in and checks the (allow to send mass e-mails) checkbox for that app.

There is a lot that can be done to more tightly secure Linux distros, applying SELinux style permissions universally is good start. The difference is, for normal home use users don't n

Re:

[4phun]

Again, if I download and install malware on one of my Linux boxes, how is this a Linux problem?

Linux protects much better than Windows against remote attacks, it can't protect against stupid users.

IMHO a strong case could be made that any non geek buying an Android product is by definition a 'stupid user' as there a better user experience out there for the same price that they would have selected if they were smart.

Re:

[abhi_beckert]

Android could protect itself from nearly all stupid users if it's developers wanted that. Simply require all binary code to be cryptographically signed by someone reputable (like google, or verisign, or whoever), and give those who sign the apps the ability to revoke their signatures.

It has been working great for websites ever since SSL came out, and has worked pretty well so far with iOS, why not do the same thing everywhere?

If apps had to be signed, then it would be impossible to re-package a popular and

Re:

[ToasterMonkey]

Again, if I download and install malware on one of my Linux boxes, how is this a Linux problem?

Linux protects much better than Windows against remote attacks, it can't protect against stupid users.

Ok I'll bite, what is 'Linux' doing to protect you from attacks that 'Windows' isn't?

Re:

[Walter White]

Ok I'll bite, what is 'Linux' doing to protect you from attacks that 'Windows' isn't?

For starters, not trying to execute stuff that comes in from questionable routes like USB drives, CD and DVD ROMs, embedded in various files like jpegs, PDFs and so on.

But you knew that because you're clearly not stupid.

Re:

[Desler]

The ... Android Market ... only legitimate places to get software that I know of.

So then what is your excuse for this [bit-tech.net]?

Re:

[_Sprocket_]

So then what is your excuse for this [bit-tech.net]?

Fair point. Although it should be noted, on further digging, I don't think anyone actually uncovered any malicious behavior for these apps. The banks were rightfully concerned as they didn't produce the apps and they couldn't verify that they weren't malicious. Considering the nature of the service involved, it's judicious to assume that they were. But for all we know, they could have been simply charging $.99 to people who didn't know how to set a bookmark.

Re:

[ColdWetDog]

The last time "sophisticated" was attached to the word malware, a certain Middle East country had problems with its uranium-enrichment program. So what are the chances of this being the mobile version of the Stuxnet worm?

About the same as the chances of anyone using an Android phone to concentrate uranium.

Zero.

Re:

[roc97007]

**cough**widgets**cough**flash**cough**sd slot**cough**customizable interface**cough**fanboi**cough

And of course you mean "on a non-rooted iPhone".