Presence of a running service called "AndroidIME" started by one of the following processes:
Please let BitDefender disinfect your files.
Geinimi is one of the first trojan families for the Android platform. It can be found hidden in various popular and legitimate Android games and applications. So far, the first version of this family has been seen bundled in apps like:
Malware authors seem to have taken these applications, added their code and redistributed them over third-party Android markets and file-sharing sites. There has been no sign of Geinimi-infected apps in the official Google Android Market.
One user-visible difference between the original and the infected version of an application, which can be seen before installing the app, is the list of required permissions. Among these, the most important and dangerous are:
these permissions allow the Geinimi trojan full access to the user's SMS: the trojan can read existing SMS messages, send new ones, and be notified when a new SMS is received
this permission allows the trojan to initiate a phone call without requiring any input from the user
these permissions allow the trojan to access the cell ID or, even more accurately, the GPS position of the user's mobile
this permission (currently deprecated) allowed the trojan to kill all background processes related to a given package name
The trojan is composed of three components:
[g_pkg] is a string composed of the original app's package name and a substring of its last component:
e.g. com.dseffects.MonkeyJump2 -> com.dseffects.MonkeyJump2.jump2
The activity is started when the user clicks the infected app's icon. This activity is also responsible for starting the service component and the original app's activity.
The broadcast receiver is started when a new sms message is received.
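The permission set and the [g_pkg] naming rule described above can both be checked on a decoded AndroidManifest.xml. The script below is an added example, not BitDefender's detection logic: the permission constants are the standard Android names behind the capabilities listed above, and the sample manifest and its class names are constructed.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"

# Standard Android permission names behind the four capabilities listed above.
PERM_GROUPS = {
    "sms": {"android.permission.SEND_SMS", "android.permission.READ_SMS",
            "android.permission.RECEIVE_SMS"},
    "call": {"android.permission.CALL_PHONE"},
    "location": {"android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_FINE_LOCATION"},
    "kill_apps": {"android.permission.RESTART_PACKAGES"},  # deprecated
}

def is_gpkg(original_pkg, cls):
    """True if class cls lives in original_pkg + '.' + s, where s is a
    case-insensitive substring of the original package's last component
    (com.dseffects.MonkeyJump2 -> com.dseffects.MonkeyJump2.jump2)."""
    prefix = original_pkg + "."
    if not cls.startswith(prefix):
        return False
    rest = cls[len(prefix):]
    if "." not in rest:          # class sits directly in the original package
        return False
    sub_pkg = rest.rsplit(".", 1)[0]
    last = original_pkg.rsplit(".", 1)[-1]
    return sub_pkg.lower() in last.lower()

def triage(manifest_xml):
    """Report which dangerous permission groups are requested and which
    activity/service/receiver classes follow the [g_pkg] naming pattern."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    groups = sorted(g for g, names in PERM_GROUPS.items() if perms & names)
    injected = {kind: [e.get(NAME) for e in root.iter(kind)
                       if is_gpkg(pkg, e.get(NAME))]
                for kind in ("activity", "service", "receiver")}
    return {"package": pkg, "perm_groups": groups, "injected": injected}

# Constructed sample manifest of a repackaged game (class names are made up).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.dseffects.MonkeyJump2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RESTART_PACKAGES"/>
  <application>
    <activity android:name="com.dseffects.MonkeyJump2.MonkeyJump2"/>
    <activity android:name="com.dseffects.MonkeyJump2.jump2.MainActivity"/>
    <service android:name="com.dseffects.MonkeyJump2.jump2.GameService"/>
    <receiver android:name="com.dseffects.MonkeyJump2.jump2.SmsReceiver"/>
  </application>
</manifest>"""
```

Run triage(SAMPLE) on a manifest extracted with an APK decoding tool; all four permission groups plus three [g_pkg] components together are a strong reason to inspect the app further.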
As its payload, Geinimi sends private information (IMEI, IMSI, location, etc.) to a remote server. From the server it listens for various commands such as: send/read SMS, send contact details, initiate calls, install/uninstall apps, open URLs.