
Trojan.Android.Geinimi.A

VERY LOW
HIGH
>500KB
(Trojan-Spy.AndroidOS.Geinimi.a, AndroidOS_GEINIMI.A, Android/Geinimi)

Symptoms

    Presence of a running service called "AndroidIME" started by one of the following processes:

  • com.dseffects.MonkeyJump2
  • com.swampy.sexpos
  • com.computertimeco.android.alienspresident

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Vlad Constantin ILIE, virus researcher

Technical Description:

    Geinimi is one of the first trojan families for the Android platform. It is found hidden inside various popular and legitimate Android games and applications. So far, the first version of this family has been seen bundled in apps such as:

  • Monkey Jump 2 (com.dseffects.MonkeyJump2)
  • Sex Positions Social (com.swampy.sexpos)
  • Aliens vs. President (com.computertimeco.android.alienspresident)

    Malware authors appear to have taken these applications, added their own code and redistributed them through third-party Android markets and file-sharing sites. There has been no sign of Geinimi-infected apps in the official Google Android Market.

    One of the user-visible differences between the original and the infected version of an application, which can be seen before installing the app, is the list of required permissions. Among these, the most important and dangerous are:

  • android.permission.READ_SMS
  • android.permission.SEND_SMS
  • android.permission.RECEIVE_SMS
  • android.permission.WRITE_SMS

These permissions give the Geinimi trojan full access to the user's SMS: the trojan can read existing messages, send new ones, and be notified when a new SMS is received.

  • android.permission.CALL_PHONE

This permission allows the trojan to initiate a phone call without requiring any input from the user.

  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.ACCESS_COARSE_LOCATION

These permissions give the trojan access to the cell ID or, even more accurately, the GPS position of the user's phone.

  • android.permission.RESTART_PACKAGES

This permission (now deprecated) allowed the trojan to kill all background processes belonging to a given package name.

    The trojan is composed of three components:

  • an activity, android:name="[g_pkg].c.rufCuAtj"
  • a service, android:name="[g_pkg].c.AndroidIME"
  • a broadcast receiver, android:name="[g_pkg].f"

[g_pkg] is a string composed of the original app's package name followed by a substring of its last component:
    ex. com.dseffects.MonkeyJump2 -> com.dseffects.MonkeyJump2.jump2

    The activity is started when the user taps the infected app's icon; it is also responsible for starting the service component and the original app's activity.
    The broadcast receiver is started when a new SMS message is received.

    As a payload, Geinimi sends private information (IMEI, IMSI, location, etc.) to a remote server, from which it then receives various commands such as: send/read SMS, send contact details, initiate calls, install/uninstall apps, open URLs.
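The component naming scheme and permission set described above can be turned into a static check over a decoded AndroidManifest.xml (as produced by apktool). The script below is an added example, not Bitdefender's tooling; the manifest it scans is a constructed sample of a repackaged Monkey Jump 2, and the verdict rule (all three components sharing one [g_pkg] that extends the app package, plus SMS permissions) is an assumption derived from the description.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Component name suffixes from the description; the "[g_pkg]" prefix is recovered per match.
GEINIMI_COMPONENTS = {"activity": r"\.c\.rufCuAtj$",
                      "service": r"\.c\.AndroidIME$",
                      "receiver": r"\.f$"}
SMS_PERMS = {"android.permission." + p for p in ("READ_SMS", "SEND_SMS", "RECEIVE_SMS", "WRITE_SMS")}
FLAGGED_PERMS = SMS_PERMS | {"android.permission." + p for p in
                             ("CALL_PHONE", "ACCESS_FINE_LOCATION",
                              "ACCESS_COARSE_LOCATION", "RESTART_PACKAGES")}

# Constructed sample of a decoded manifest for a repackaged Monkey Jump 2 (not a real capture).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.dseffects.MonkeyJump2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <activity android:name="com.dseffects.MonkeyJump2.jump2.c.rufCuAtj"/>
    <activity android:name=".MonkeyJump2"/>
    <service android:name="com.dseffects.MonkeyJump2.jump2.c.AndroidIME"/>
    <receiver android:name="com.dseffects.MonkeyJump2.jump2.f"/>
  </application>
</manifest>"""

def scan_manifest(xml_text):
    """Return the app package, suspected [g_pkg] prefixes, matched Geinimi components,
    flagged permissions and a verdict (assumed rule): all three components share one
    [g_pkg] that extends the app package, and at least one SMS permission is requested."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    found, prefixes = {}, set()
    for tag, pattern in GEINIMI_COMPONENTS.items():
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name.startswith("."):          # relative component name, resolve against the package
                name = pkg + name
            m = re.search(pattern, name)
            if m and name[:m.start()].startswith(pkg + "."):
                found[tag] = name
                prefixes.add(name[:m.start()])  # the [g_pkg] part
    return {"package": pkg, "g_pkg": sorted(prefixes), "components": found,
            "flagged_permissions": sorted(perms & FLAGGED_PERMS),
            "geinimi_like": len(found) == 3 and len(prefixes) == 1 and bool(perms & SMS_PERMS)}
```

Requiring all three components to share a single [g_pkg] keeps a lone receiver named ".f" in an unrelated app from triggering the verdict on its own.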