# Geinimi
The first Android botnet. Discovered by Lookout in December 2010, Geinimi was embedded in repackaged games distributed through Chinese third-party app markets. It introduced C2 communication, remote command execution, and DES-encrypted data exfiltration to the Android malware landscape.
## Overview
| Property | Value |
|---|---|
| First Seen | December 2010 |
| Type | Botnet / Spyware |
| Attribution | Unknown (Chinese app market distribution) |
| Aliases | Trojan-Spy.AndroidOS.Geinimi (Kaspersky), Android.Geinimi (Symantec), Android/Geinimi (McAfee) |
## Distribution
Repackaged into legitimate games (Monkey Jump 2, Sex Positions, President vs. Aliens, City Defense, Baseball Superstars 2010) and distributed through third-party Chinese Android app markets.
## Capabilities
| Capability | Implementation |
|---|---|
| C2 communication | DES-encrypted HTTP communication (fixed key: the bytes 0x01 through 0x08) |
| Device fingerprinting | Harvested IMEI, location, installed apps |
| Remote commands | SMS sending, phone calls, app install/uninstall |
| Code obfuscation | String encryption and code obfuscation to hinder analysis |
## Permissions
| Permission | Purpose |
|---|---|
| SEND_SMS | Send SMS on command |
| CALL_PHONE | Make phone calls on command |
| READ_PHONE_STATE | IMEI harvesting |
| ACCESS_FINE_LOCATION | Location tracking |
| INTERNET | C2 communication |
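The permission set in the table above is a useful triage signal: a game that requests SMS, call, phone-state and fine-location access alongside INTERNET is worth a closer look. The following added example (not code from the original entry or from any published Geinimi analysis) parses a constructed AndroidManifest.xml, handling the `android:` namespace, and flags the cluster; the package name and manifest contents are made up for illustration.

```python
"""Triage helper: flag the Geinimi-style permission cluster in a manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission -> what it enabled in Geinimi (from the Permissions table).
GEINIMI_CLUSTER = {
    "android.permission.SEND_SMS": "send SMS on command",
    "android.permission.CALL_PHONE": "place calls on command",
    "android.permission.READ_PHONE_STATE": "IMEI harvesting",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.INTERNET": "C2 communication",
}

# Constructed sample: a repackaged "game" asking for the whole cluster.
# The package name is a placeholder, not a real Geinimi indicator.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.repackaged.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Some Game"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """Return every <uses-permission android:name=...> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # attribute lives in the android: namespace
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def geinimi_cluster_hits(manifest_xml: str) -> dict:
    """Map each requested permission from the Geinimi cluster to its purpose."""
    perms = declared_permissions(manifest_xml)
    return {p: why for p, why in GEINIMI_CLUSTER.items() if p in perms}


def triage(manifest_xml: str, min_hits: int = 4):
    """Flag when min_hits or more of the cluster are requested.

    INTERNET alone is normal for a game; it is the combination with SMS,
    calls, phone state and fine location that stood out in Geinimi.
    """
    hits = geinimi_cluster_hits(manifest_xml)
    return len(hits) >= min_hits, hits


if __name__ == "__main__":
    flagged, hits = triage(SAMPLE_MANIFEST)
    print("flagged:", flagged)
    for perm, why in sorted(hits.items()):
        print("  %s: %s" % (perm, why))
```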
## Evolution
Later variants (Geinimi.B through E) improved encryption and obfuscation. The repackaging distribution technique Geinimi popularized became a standard Android malware distribution method used by DroidDream, DroidKungFu, and many others.