Security Experts:

Sophisticated New Android Trojan "Geinimi" Spreading in China

"Geinimi" Android Trojan Spreading in China

According to mobile security firm Lookout, a new sophisticated Trojan has emerged in China that is affecting Android devices. Lookout Mobile, fresh off announcing a $19.5 Million round of funding last week, said that the Trojan, which it is calling “Geinimi,” can compromise a significant amount of personal data on a user’s phone and send it to remote servers.

Internet TV Hacked

In a blog post detailing the discovery, the company says the mobile malware is “The most sophisticated Android malware we’ve seen to date, Geinimi is also the first Android malware in the wild that displays botnet-like capabilities. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone.”

 Featured Report (Free) > 2010 Device Integrity Report: U.S. Unprepared for Internet Device Flood

What makes the Trojan different than most “standard” mobile malware is that Geinimi is being “grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets.

According to Lookout, this is how it works:

When a host application containing Geinimi is launched on a user’s phone, the Trojan runs in the background and collects significant information that can compromise a user’s privacy. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI). At five minute intervals, Geinimi attempts to connect to a remote server using one of ten embedded domain names. A subset of the domain names includes,,, and If it connects, Geinimi transmits collected device information to the remote server.

Technical Reading - Mitigation of Security Vulnerabilities on Android & Other Open Handset Platforms

Lookout says the Geinimi mobile malware has only been seen being distributed via third-party Chinese app stores and has not seen any apps infected with the Geinimi Trojan in the official Google Android Market. Google's Android mobile OS is rapidly growing with over 300,000 Android devices being activated every day, however, Android's openness has turned the Android Market into a breeding ground for malicious applications capable of stealing sensitive user information from the mobile phones.

After initial analysis, Lookout researchers have evidence that Geinimi so far has the capability to:

Send location coordinates (fine location)

Send device identifiers (IMEI and IMSI)

Download and prompt the user to install an app

Prompt the user to uninstall an app

Enumerate and send a list of installed apps to the server

Earlier this year Lookout Mobile’s App Genome project revealed that 29 percent of free applications available in the Android Market were capable of stealing user location at any given point of time while 8 percent of them can browse through users' contact list.

PCs are no longer the dominant form of computing and threats targeting the smartphone and tablet markets top the list of cyber concerns in 2011 according to several recent reports. Respondents to a 2010 Mobile & Smart Device Security Survey recognize the quickly growing world of connected smart devices  and acknowledge that device security problems are not only inevitable, but serious.

Developer Reading - Mitigation of Security Vulnerabilities on Android & Other Open Handset Platforms

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.