A week or so ago we warned everyone about the Geinimi trojan that's been spotted in the wilds of the Orient. The threat level itself hasn't increased (as far as we know) if you aren't poking around Chinese Android fansites and downloading slightly questionable programs, so there's no need to ring the alarm and circle the wagons just yet. Lookout has torn down the trojan itself and gives a great overview of what it does, and how it does it. This isn't a primer to teach yourself trojan writing, it's standard practice among security firms to show how things are done and help find ways to prevent it in the future. First, here's exactly what this trojan can do:
- Read and collect SMS messages
- Send and delete selected SMS messages
- Pull all contact information and send it to a remote server (number, name, the time they were last contacted)
- Place a phone call
- Silently download files
- Launch a web browser with a specific URL
Yikes. Remember, this is so far a pretty isolated incident, and this isn't in any apps you can get from the Android Market. In fact, so far it looks like it's confined to "warez" files, so it mirrors what you find on the internet when downloading questionable files for your computer. Our advice -- stick to applications from someone you trust, and if you have a need to download random applications (we have to do it here all the time to check them out) find a method to scan them for malicious code.
Lookout breaks the code itself down, if your a developer or just curious be sure to have a look. It's pretty sophisticated and a shame that the developer(s) don't put their effort into something a bit more productive. Check the source link for all the details, including a .pdf file with a complete code breakdown. [Lookout] Thanks Cerena!