The Lookout Mobile Security company is reporting a new trojan horse program that runs on Android-based phones. The novel thing about this trojan is that it has enough functionality to allow the criminals to assemble an Android-based botnet. This really should come as no surprise. The Android is not a phone with web browsing capabilities; it is a computer with telephony capabilities. The Android security model, while quite cool, is about as effective as the failed macro protection model in Microsoft Office 1997. For users who knew what the macro protection dialog meant, it was a fairly effective security measure, but most users simply clicked “yes” to allow macros to run. With the Android-based phones the user is told what resources the application will have access to, but few users actually care about or understand the implications.
Allegedly, Google has the ability to remove applications. A researcher published a non-malicious proof-of-concept app that Google removed; however, I am not certain if Google can remove non-app-store applications. In the case of the Geinimi trojan, so far it has only been seen on third-party app sites in China. Given the low bar set to get apps onto the Android Market Store, expect to see this or similar trojans from time to time in Android Market applications.
The Geinimi trojan is reported to be able to receive commands from remote servers and download further software. While the software can be downloaded, the user is still prompted to install it. It probably won’t take very much to trick a naïve user into thinking the download is a valid update.
Under Application settings on the Android, there is an option to allow the installation of non-market applications. AT&T does not allow non-market apps, but most providers do. While it doesn’t take much to get onto the Android Market, non-market applications will probably be more likely to be dangerous. That said, Android Market applications already often compromise privacy, although probably no more so than Apple App Store iPhone apps do.
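The permission dialog described above shows the user a list of opaque permission names and leaves the implications to the reader. The following is an added example, not code from this post or from ESET or Lookout: it reads the `<uses-permission>` entries from a constructed AndroidManifest.xml, translates a handful of real Android permissions into plain language, and flags the combination of persistence, a network channel and a device identity that a remotely commanded app would need. The permission grouping and the sample manifest are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Namespace used by android:name attributes in AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Plain-language implications of real Android permissions; wording is this
# example's own, not taken from the Lookout or ESET write-ups.
IMPLICATIONS = {
    "android.permission.INTERNET": "can talk to any server (command channel, data upload)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts itself every time the phone boots",
    "android.permission.READ_PHONE_STATE": "can read device identifiers such as the IMEI",
    "android.permission.SEND_SMS": "can send text messages at the owner's expense",
    "android.permission.READ_CONTACTS": "can read and upload the whole address book",
    "android.permission.ACCESS_FINE_LOCATION": "can track the phone's physical location",
}

# Assumed minimal profile of a remotely steered app: persistence across reboot,
# a network channel, and a device identity to report back.
BOT_PROFILE = {
    "android.permission.INTERNET",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_PHONE_STATE",
}


def requested_permissions(manifest_xml):
    """Return the sorted <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return sorted(n for n in names if n)


def review(manifest_xml):
    """Map each permission to its implication and flag a bot-like permission set."""
    perms = requested_permissions(manifest_xml)
    notes = {p: IMPLICATIONS.get(p, "no plain-language description available") for p in perms}
    return {"permissions": perms, "implications": notes,
            "bot_like": BOT_PROFILE.issubset(perms)}


# Constructed sample manifest for a fictitious wallpaper app (not a real package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for perm, note in review(SAMPLE_MANIFEST)["implications"].items():
        print(f"{perm}: {note}")
```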
Director of Technical Education
Cyber Threat Analysis Center – ESET LLC
Author ESET Research, ESET