
New Android malware could produce Chinese botnet, harvest personal data


Security experts are warning that newly discovered malware targeting Chinese users of Google's Android mobile operating system has "botnet-like capabilities" that could take control of an Android phone by communicating with a central command-and-control server.

The malware, which has been dubbed "Geinimi," is apparently being "grafted" onto repackaged legitimate Android apps and then posted on Chinese app stores, PC World reports.

San Francisco, Calif.-based security research firm Lookout discovered the malware after a concerned user posted to a forum. In its writeup of the Trojan, Lookout called it "the most sophisticated Android malware we've seen to date" and the first malware to display botnet-like capabilities in the wild. Once installed on a user's phone, the malicious software is able to "receive commands from a remote server that allow the owner of that server to control the phone."

Though Lookout admits that the purpose of the Trojan isn't clear, "the possibilities for intent range from a malicious ad-network to an attempt to create an Android botnet," wrote the company.

During its analysis, Lookout observed Geinimi sending location coordinates and device identifiers, downloading an app and prompting the user to install it, prompting the user to uninstall an app, and enumerating the installed apps and sending the list to the control server. However, app installations and uninstallations still need to be confirmed by the user.

"Geinimi’s author(s) have raised the sophistication bar significantly over and above previously observed Android malware by employing techniques to obfuscate its activities," the post continued. "In addition to using an off-the-shelf bytecode obfuscator, significant chunks of command-and-control data are encrypted. While the techniques were easily identified and failed to thwart analysis, they did substantially increase the level of effort required to analyze the malware."

No instances of the Geinimi Trojan have been seen in the official Google Android Market, as all affected apps have been discovered on third-party app stores in China.

Mobile security

As the sales of smartphones and other mobile devices have increased, security threats to mobile applications have increased as well. Earlier this month, security vendor AdaptiveMobile reported that mobile malware infections had grown 33 percent year-over-year. Google's Android platform saw the greatest rise, 400 percent, in targeted exploits, though Android's infection rate remained low compared to older platforms. Reported exploits aimed at the iPhone declined year over year.

In July, a study of over 300,000 free applications by Lookout revealed that applications for both iPhone and Android were regularly accessing the user's contact data. The study found that 14 percent of the surveyed applications from Apple's App Store could view the contact list, compared with 8 percent of the tested applications on Android.

During the study, Lookout discovered that free wallpaper applications on Google's Android Market were collecting private user data and forwarding it to servers in China. Lookout asserted that there was "no proof of malicious intent," but cautioned that the apps had sent sensitive data, including "a device’s phone number, subscriber identifier, and currently programmed voicemail number" to the server.

Apple's approach of curating the App Store, though derided by some as "closed," has thus far proved successful at preventing iOS devices from having a live virus problem. The iPhone maker employs a strict vetting process for iOS apps before approving them for the App Store.

Google's Android Market app security, on the other hand, simply warns the user that an app needs permissions during installation.
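The permission warning shown at install time is the only gate the Android Market applied, so a reviewer who wants to catch the data-harvesting profile described above (location, device identifiers and contact data sent off the device) has to read the permission set for themselves. The following is an added example, not Lookout's tooling and not code from the original article: it parses the uses-permission entries of an AndroidManifest.xml (a constructed sample is embedded) and reports whether the app could both collect sensitive data and transmit it, and which capabilities its stated purpose does not justify. The grouping of permissions into capabilities and the sample manifest are this example's own assumptions.

```python
"""Manifest permission triage for the data-harvesting profile in the article.

Added example, not Lookout's tooling or part of the original article. The
capability buckets and the sample manifest are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Attributes in the android: namespace carry this prefix in ElementTree.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption of this example: each bucket names the permissions that let an
# app collect one kind of data, or (network_egress) send it off the device.
CAPABILITIES = {
    "network_egress": {"android.permission.INTERNET"},
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "device_identifiers": {"android.permission.READ_PHONE_STATE"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS"},
}

# Constructed sample: a wallpaper app asking for more than a wallpaper needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper.repackaged">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <application android:label="Wallpapers"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the set of permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def capabilities(perms):
    """Map declared permissions onto the capability buckets they unlock."""
    return {cap for cap, needed in CAPABILITIES.items() if perms & needed}


def triage(manifest_xml, expected_capabilities):
    """Return (exfiltration_possible, unexpected_capabilities).

    exfiltration_possible is True when the app can both collect sensitive
    data and reach the network. expected_capabilities is what the app's
    stated purpose justifies, supplied by the reviewer.
    """
    caps = capabilities(declared_permissions(manifest_xml))
    collects = caps - {"network_egress"}
    exfiltration_possible = "network_egress" in caps and bool(collects)
    unexpected = caps - set(expected_capabilities)
    return exfiltration_possible, sorted(unexpected)


if __name__ == "__main__":
    # A wallpaper app has no justification for any of the buckets above.
    possible, unexpected = triage(SAMPLE_MANIFEST, expected_capabilities=set())
    print("data collection plus network egress:", possible)
    print("capabilities a wallpaper app does not need:", unexpected)
```

The check deliberately keys on the combination of a collection capability with network access rather than on any single permission, since location or phone-state access alone is legitimate for many apps. One caveat: on the Android versions of the time, enumerating installed packages (one of the behaviours Lookout observed) required no permission at all, so a manifest review cannot surface it; that needs dynamic analysis of the app's network traffic.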

iOS apps run in a discrete 'sandbox' environment that prevents them from infecting the system. And apps must be signed by a certificate from Apple, preventing the kind of third-party repackaging confusion that the Geinimi Trojan is currently exploiting in the Chinese market.

Privacy rights

After a report published by The Wall Street Journal earlier this month revealed that Android and iOS applications were sending unique device identifiers, location data, and even "age, gender or other personal details" to outside sources, one iPhone user sued Apple on behalf of all iPhone users over alleged violations of federal privacy laws. The lawsuit calls attention to the issue of user privacy rights, as advertisers have sought to glean increasing amounts of valuable information on users and their usage patterns.

Though Apple allows users to opt out of location sharing on its iAd network, it appears that Apple hasn't fully enforced rules meant to protect user privacy.

In October, a security report found that 68 percent of the App Store's top iPhone apps transmit unencrypted unique device identifiers, which can be easily linked to personal information.

Earlier this year, Apple CEO Steve Jobs called out one mobile analytics firm after learning that the firm was collecting device data in violation of Apple's privacy policy. The firm had used the data to reveal that Apple was testing a tablet device on its campus ahead of Apple's official reveal of the iPad. According to Jobs, Apple's employees went "through the roof" when they learned that device information was being collected without the company's knowledge.

The firm quickly responded that it would comply with the respective changes to the iPhone OS terms of service.

Apple was also the subject of a U.S. Congressional inquiry after an inaccurate and sensational LA Times report suggested that changes to the iOS privacy policy would result in Apple tracking iPhone users' locations. Apple promptly responded to the concerns in a letter.

"Apple does not share any interest-based or location-based information about individual customers, including the zip code calculated by the iAd server, with advertisers," the letter read. "Apple retains a record of each ad sent to a particular device in a separate iAd database, accessible only by Apple, to ensure that customers do not receive overly repetitive and/or duplicative ads for administrative purposes."