May 17, 2020

Geinimi: New Android Data Stealing Trojan

Geinimi, a new Android data stealing Trojan affecting Android cell phones in China.

According to Lookout blog reports, this Trojan can compromise a significant amount of personal data on a user’s phne and send it to remote servers. Geinimi is also the first Android malware in the wild that displays botnet-like capabilities. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone.

“Geinimi is effectively being “grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. The affected applications request extensive permissions over and above the set that is requested by their legitimate original versions. Though the intent of this Trojan isn’t entirely clear, the possibilities for intent range from a malicious ad-network to an attempt to create an Android botnet.”, stated in the report.

In addition to the personal data such as address book, the Trojan can also read out the cell phone’s position data, device ID (IMEI), SIM card number (IMSI), and a list of the installed apps.

More information is available here.


Android Browser Data Stealing Vulnerability

Information security expert Thomas Cannon has discovered a security vulnerability in the Android browser. This vulnerubility can be exploited by attackers to access to the the local files when a smartphone user visits a crafted web page.

Cannon has explined about the vulnerability in his blog and here is its highlights:

  • The Android browser doesn’t prompt the user when downloading a file, for example "payload.html", it automatically downloads to /sdcard/download/payload.html
  • It is possible, using JavaScript, to get this payload to automatically open, causing the browser to render the local file.
  • When opening an HTML file within this local context, the Android browser will run JavaScript without prompting the user.
  • While in this local context, the JavaScript is able to read the contents of files (and other data).

One limiting factor of this exploit is that you have to know the name and path of the file you want to steal. However, a number of applications store data with consistent names on the SD card, and pictures taken on the camera are stored with a consistent naming convention too. It is also not a root exploit, meaning it runs within the Android sandbox and cannot grab all files on the system, only those on the SD card and a limited number of others.

The vulnerability appears to affect all versions of Android, including the current version 2.2. The Android security team has been informed about this vulnerability on November 20, 2010 with reference to Cannon’s blog.