Android/Geinimi.A!tr
Analysis
Android/Geinimi.A!tr is a Trojan for Android devices. It affects mobile phones running Android 1.5 or later that are configured to allow installation of applications from "Unknown sources". It has not been detected on the Android Market.
The malware is known to infect some legitimate Android games such as Monkey Jump 2, Sex Positions, President vs. Aliens and Baseball Superstars 2010. Only some packages of those games are trojaned and carry the malware.
Once installed on the phone, the malware starts connecting to remote Internet web servers (at the victim's expense). In particular, it posts to those servers the victim's IMEI, IMSI and geographic location.
It also shows the capability of:
- sending emails and SMS messages
- listing processes running on the phone
- creating a bookmark
- calling a phone number
- displaying notification popups (toasts) on the phone
- adding new application shortcut icons
- displaying a Google map of the current location
- performing a web search
Technical Details
The malware appears to target Chinese end-users:
- the Google map of the victim's current location is displayed in Chinese
- several user messages ("Clear All", "Select All") are written in Chinese
It appends several parameters to the request URLs it contacts, such as:
- cpid
- ptid
- imei
- imsi
- salesid
- did
- sdkver
- autosdkver
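The parameter set above is a usable detection feature in proxy logs. The following triage script is an added example, not code from the original analysis: it parses constructed log lines and flags requests whose query string carries both device identifiers (imei, imsi) together with at least two of the other SDK-style keys, which separates the beacon from legitimate apps that send an IMEI on their own. The log layout (timestamp, client, method, URL), the placeholder hosts and the assumption that the parameters travel in the query string rather than a POST body are all constructed.

```python
"""Flag requests carrying Geinimi-style beacon parameters (added example,
not from the original analysis). Assumes proxy log lines of the form
'timestamp client method url' and parameters in the URL query string."""
from urllib.parse import parse_qs, urlsplit

# Parameter names listed in the analysis.
GEINIMI_PARAMS = {"cpid", "ptid", "imei", "imsi", "salesid",
                  "did", "sdkver", "autosdkver"}
# Leaking both device identifiers is the privacy issue, but legitimate
# apps sometimes send them too, so they are not sufficient on their own.
DEVICE_IDS = {"imei", "imsi"}

# Constructed sample log: placeholder hosts, made-up identifiers; only the
# /android/getAdXml.do path comes from the analysis.
SAMPLE_LOG = [
    "2011-01-03T10:15:02 10.0.0.7 GET http://news.example/index.html",
    "2011-01-03T10:15:05 10.0.0.7 POST http://adsdk.example/stat?cpid=12&sdkver=2.1",
    "2011-01-03T10:15:08 10.0.0.8 POST http://app.example/register?imei=352099001761481&imsi=460001234567890",
    "2011-01-03T10:15:09 10.0.0.7 POST http://c2.example:8080/android/getAdXml.do"
    "?cpid=103&ptid=2&imei=352099001761481&imsi=460001234567890"
    "&salesid=7&did=9&sdkver=1.0&autosdkver=1",
    "garbage line",
]


def score_url(url):
    """Report which listed parameters a URL carries; suspicious means both
    device identifiers plus at least two of the other keys."""
    parts = urlsplit(url)
    present = GEINIMI_PARAMS & set(parse_qs(parts.query, keep_blank_values=True))
    suspicious = DEVICE_IDS <= present and len(present - DEVICE_IDS) >= 2
    return {"host": parts.hostname, "port": parts.port,
            "params": sorted(present), "suspicious": suspicious}


def triage(log_lines):
    """Return one finding per suspicious request; malformed lines are skipped."""
    findings = []
    for line in log_lines:
        fields = line.split(maxsplit=3)
        if len(fields) < 4:
            continue
        ts, client, method, url = fields
        verdict = score_url(url)
        if verdict["suspicious"]:
            findings.append({"ts": ts, "client": client, "method": method, **verdict})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} -> {f['host']}:{f['port']} {f['params']}")
```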
The malware obfuscates some of its data (located in e/p.class) by encrypting hard-coded values with the DES algorithm. The key is also hard-coded (located in e/k.class) and its value is:
0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08
The decrypted data reveals the remote server URLs mentioned above and several other strings, such as:
bookmark:// toast:// suggestsms skiptime changefrequency applist updatehost ...
Internally, the malware stores its parameters in a HashMap. Each item is a tag/value pair. For example, a pair may contain "email_title" (tag) and the subject of the email (value).
The following tags are used:
sms_to_phone smsc_content contact_operation contact_name contact_phone_number email_title to_address cc_address bcc_address email_content map_x map_y open_url local_file_path ACTIVITY_PARAM_URL_KEY package_name class_name para_values ...
It also includes a state machine with the following states:
START IDLE DOWNLOAD PARSE TRANSACT
The ultimate malicious goal of the malware is yet unknown. It might be related to stealing privacy-related information or to displaying targeted ads. Note that the trojaned applications use well-known advertising and statistics SDKs which are not considered malicious, although they do generate Internet communications.
Recommended Action
FortiGate Systems
- Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |