A data-stealing Trojan affecting Android devices has emerged in China.
The Geinimi Trojan sends location co-ordinates, unique device identifiers, and a list of installed apps on the infected device to a remote server. Additionally, it can independently download applications and prompts the user to install them, mobile security company Lookout said on Wednesday.
"Geinimi’s author(s) have raised the sophistication bar significantly over and above previously observed Android malware by employing techniques to obfuscate its activities," Lookout said in a blog post on Wednesday. "In addition to using an off-the-shelf bytecode obfuscator, significant chunks of command-and-control data are encrypted. While the techniques were easily identified and failed to thwart analysis, they did substantially increase the level of effort required to analyse the malware."
When an application containing the Trojan is launched on an Android device, the Trojan will run in the background and collect data. At five minute intervals the Trojan will attempt to connect to a remote server using one of 10 domain names and, if it establishes a connection, transmits data to the server.
The Trojan has "botnet-like" capabilities, according to Lookout, as it can respond to remote requests, but Lookout is yet to find evidence of a control server sending commands back to Trojans on individual devices.
The Trojan is distributed inside applications, primarily games, that are redistributed on third-party Chinese Android app markets. Games that have been repackaged to contain the Trojan include Monkey Jump 2, City Defence and Sex Positions.
Lookout has not seen any applications containing the Geinimi Trojan in the official Google Android Market.
Lookout advises Android users to only download applications from trusted sources and to check the permissions made by applications on app requests.
In September a variant of the Zeus banking Trojan, which is used to gather banking information, was found actively running on phones on the Symbian operating system.