Saturday 1 January 2011

New Android malware emerges in China

Just a few days after McAfee released its 2011 Threat Predictions Report, citing mobile as an up-and-coming target, San Francisco-based Lookout Mobile Security reported on a new malware variant targeting Android-based smartphones, appearing in China.

Lookout, which develops antivirus software for Android devices, calls the new malware “Geinimi.” Geinimi is being “grafted” onto repackaged versions of legitimate Android applications (mostly games). The malware-laden apps are then distributed via third-party Chinese Android app markets.

That said, it would appear that those sticking to the standard Android Market would be safe. It does point out the dangers of sideloading, which is installing apps that are not hosted in Google's official Android Market.

Lookout notes the following:
[...] this Trojan can compromise a significant amount of personal data on a user’s phone and send it to remote servers. The most sophisticated Android malware we’ve seen to date, Geinimi is also the first Android malware in the wild that displays botnet-like capabilities. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone. [...]

Lookout has already delivered an update for its Android users to protect them against known instances of the Trojan. If you are already a Lookout user (free or premium), you are protected and no action is needed.
Although most users would probably be happy with Lookout's free app, the premium service (subscription: $2.99 monthly) adds wipe capabilities and the ability to scan apps for privacy issues.

Geinimi runs in the background once a malware-laden app is run. It collects user information, as noted below, that is then sent back to a remote server using one of ten embedded domain names. The malware transmits the collected device information to the remote server once it connects.

Among the capabilities of Geinimi, Lookout said, are:
  • Send location coordinates (fine location)
  • Send device identifiers (IMEI and IMSI)
  • Download and prompt the user to install an app
  • Prompt the user to uninstall an app
  • Enumerate and send a list of installed apps to the server
Although Lookout, and other antivirus programs in the Android Market, can protect against this malware, a user can also be protected by only installing apps from trusted sources. If possible, don't sideload anything. Additionally, though admittedly a tedious process, checking the permissions that an app requests can help: if an app asks for permissions that make no sense for its described purpose, that is a red flag. Use common sense to ensure that the permissions an app requests match the features the app provides.
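The permission check described above, as an added example that is not Lookout's code or part of the original post: it parses a constructed AndroidManifest.xml for a game and flags requests that fall outside an assumed baseline for games, mapping the flagged ones to the capabilities listed above. The baseline set and the permission-to-capability mapping are this example's own heuristic, not a standard.

```python
# Added example (not Lookout's code): flag manifest permissions that do not
# fit an app's stated purpose. Baseline and mapping are this example's
# heuristic, not a standard; the manifest below is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a typical game plausibly needs (assumed baseline).
GAME_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.VIBRATE",
    "android.permission.WAKE_LOCK",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Permissions behind the capabilities reported for this Trojan (assumed mapping).
SUSPICIOUS = {
    "android.permission.ACCESS_FINE_LOCATION": "send location coordinates",
    "android.permission.READ_PHONE_STATE": "read device identifiers (IMEI/IMSI)",
    "android.permission.SEND_SMS": "send SMS to premium numbers",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run in the background after reboot",
}

# Constructed sample: a game manifest carrying permissions a game has no use for.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")]

def review(manifest_xml, baseline=GAME_BASELINE):
    """Return {permission: reason} for every request outside the baseline."""
    flagged = {}
    for perm in requested_permissions(manifest_xml):
        if perm not in baseline:
            flagged[perm] = SUSPICIOUS.get(perm, "not expected for this app type")
    return flagged

if __name__ == "__main__":
    for perm, why in review(SAMPLE_MANIFEST).items():
        print(f"RED FLAG {perm}: {why}")
```

Run against a real manifest (extracted with `aapt dump xmltree` or a decoder of your choice) the same function lists each request a game would not normally need, together with what it could enable.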

This isn't the first Android malware discovered. In August, Kaspersky Labs reported that a virus named Trojan-SMS.AndroidOS.FakePlayer-A had surfaced, in the form of a fake media player. The infected app would send SMS messages to expensive phone numbers, passing money from a user’s account to that of the malware writers. The virus reportedly only infected devices in Russia.

As mobile devices take on more and more of a role in the lives of consumers, it was only a matter of time until malware targeting devices would appear. It may be a long, long year for security experts.