Android.Geinimi Branching Out to Japanese Applications

In some recent blog postings by Irfan Asrar, we discussed how a number of legitimate Android applications have been “Trojanized” to include “backdoor” functionality and then published on unregulated Android marketplaces. In the past, we have seen a number of English and Chinese language Android applications Trojanized and placed on unregulated Android marketplaces. Until now, however, we had not seen any Japanese language Android applications manipulated in this manner. This is no longer the case: we have found a Trojanized Japanese language Android application on an unregulated Android marketplace. Symantec detects this malicious Android application as Android.Geinimi. The following image shows the application's start screen:

The legitimate version of the application is sold for 525 yen (approx. $6 US) on the proper regulated Android marketplace. It lets you do "push-up", "sit-up", and "squat" exercises alongside an anime character. The legitimate and Trojanized versions of the application look identical when used, but the “Trojanized” version has Android.Geinimi running in the background and transmitting information from the device to a remote location. The access permissions requested during installation also differ. The following images show the access permissions requested by the Trojanized version of the application during installation:

By contrast, the access permissions required by the legitimate Android application (as listed on the regulated Android marketplace) are shown in the following image:

The presence of Trojanized versions of legitimate Android applications on unregulated Android marketplaces is a growing problem. Increasing demand for content, along with the absence of official marketplace outlets in certain regions, is fueling the growth of unregulated marketplaces. In turn, these marketplaces are becoming the perfect incubator and propagation engine for threats such as Android.Geinimi. To avoid becoming a victim of such Trojanized Android applications, Symantec recommends that you use only regulated Android marketplaces for downloading and installing Android applications. Also, the Android OS application settings include an option to block the installation of non-market applications, which helps prevent this type of attack. Checking user comments on the marketplace can also help in determining whether an application is safe. Lastly, during the installation of any Android application, always check the access permissions being requested. If they seem excessive for what the application is designed to do, it would be wise to stop installing the application.
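As an added example that is not part of Symantec's post, the following Python check automates the comparison the last paragraph recommends doing by eye: it diffs the `<uses-permission>` entries in the manifest of a known-good build against those of a suspect build and flags any added permissions that grant access to device data or the network. The two manifests and the list of data-access permissions are constructed for this example and are not taken from the Geinimi sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifests standing in for the legitimate and the repackaged
# build of one app; they are not the real manifests of the Geinimi sample.
LEGIT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

REPACKAGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

# Permissions that let an app read or transmit device data. This list is an
# assumption made for the example, not taken from Symantec's analysis.
DATA_ACCESS_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
}


def declared_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name="..."> value in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {name for name in names if name}


def review(legit_xml: str, suspect_xml: str) -> dict:
    """Report permissions the suspect build adds over the known-good one and
    flag those that enable reading or sending device data (which a fitness app does not need)."""
    extra = declared_permissions(suspect_xml) - declared_permissions(legit_xml)
    flagged = extra & DATA_ACCESS_PERMISSIONS
    return {
        "extra": sorted(extra),
        "flagged": sorted(flagged),
        "verdict": "stop installation" if flagged else "permissions match",
    }
```

Run `review(LEGIT_MANIFEST, REPACKAGED_MANIFEST)` to see the five added permissions, four of which are flagged; the real manifests would come from `aapt dump permissions` or an unpacked APK.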