Android/Geinimi.A!tr

Analysis

Android/Geinimi.A!tr is a Trojan for Android devices. It affects mobile phones running Android 1.5 and above that are configured to allow installation of applications from "Unknown sources". It has not been detected on the Android Market.
The malware is known to infect some legitimate Android games such as Monkey Jump 2, Sex Positions, President vs. Aliens and Baseball Superstars 2010. Only some packages of those games are trojaned and carry the malware.
Once installed on the phone, the malware starts connecting to remote Internet web servers (at the victim's expense). In particular, it posts to those servers the victim's IMEI, IMSI and geographic location.
It also has the capability of:

  • sending emails and SMS messages
  • listing processes running on the phone
  • creating a bookmark
  • calling a phone number
  • displaying notification popups (toasts) on the phone
  • adding new application shortcut icons
  • displaying a Google map of the current location
  • performing a web search


Technical Details


The malware appears to be targeting Chinese end-users:
  • the Google map of the victim's current location is displayed using the Chinese language
  • several user messages ("Clear All", "Select All") are written in Chinese
The malware contacts a set of URLs on port 8080 (those web servers no longer respond).

It appends to the URL several parameters such as:
  • cpid
  • ptid
  • imei
  • imsi
  • salesid
  • did
  • sdkver
  • autosdkver
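As an added example (not code from the original analysis), the following Python flags proxy log entries that match the beacon pattern described above: a request to port 8080 whose query string carries several of the parameters just listed. The log line format, host names, sample traffic and the hit threshold are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters the Geinimi beacon appends to its URL (taken from the analysis above).
GEINIMI_PARAMS = {"cpid", "ptid", "imei", "imsi", "salesid", "did", "sdkver", "autosdkver"}
BEACON_PORT = 8080
MIN_PARAM_HITS = 4  # assumed threshold; tune to your environment

# Constructed sample proxy log lines (not real traffic).
# Assumed format: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2011-01-03T10:15:01Z 10.0.0.12 GET http://ad.example.invalid:8080/android/getAdXml.do?cpid=1&ptid=2&imei=000000000000000&imsi=000000000000000&salesid=3&did=4&sdkver=1.0&autosdkver=1 200
2011-01-03T10:15:07Z 10.0.0.12 GET http://www.example.com/index.html 200
2011-01-03T10:16:44Z 10.0.0.19 GET http://stats.example.invalid:8080/track?sdkver=2&did=9 200
2011-01-03T10:17:02Z 10.0.0.20 POST http://c2.example.invalid:8080/android/getAdXml.do?imei=111111111111111&imsi=222222222222222&cpid=7&ptid=9 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def score_url(url):
    """Return (port, set of known Geinimi parameter names present in the query string)."""
    parts = urlsplit(url)
    names = set(parse_qs(parts.query, keep_blank_values=True))
    return parts.port, names & GEINIMI_PARAMS


def find_beacons(log_text, min_hits=MIN_PARAM_HITS):
    """Return (client, host, sorted matched params) for lines that look like Geinimi
    check-ins: a request on port 8080 carrying at least min_hits known parameters.
    A legitimate ad/statistics SDK sending only one or two of them is not flagged."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        _ts, client, _method, url, _status = m.groups()
        port, matched = score_url(url)
        if port == BEACON_PORT and len(matched) >= min_hits:
            hits.append((client, urlsplit(url).hostname, sorted(matched)))
    return hits


if __name__ == "__main__":
    for client, host, params in find_beacons(SAMPLE_LOG):
        print(f"possible Geinimi beacon from {client} to {host}: {', '.join(params)}")
```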
It also opens two local sockets on the phone. One is on port 8791 (see malicious class e/q.class), and the other is on port 5432, 4501 or 6543 (h.class). Communication on those sockets uses a basic protocol to check that both the server and client sockets are up. For instance, they exchange messages such as "hi, xiaolu" or "hi liqian".
The malware obfuscates some of its data (located in e/p.class) by encrypting hard-coded strings with the DES algorithm. The key is hard-coded (located in e/k.class) and its value is:
0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08
The decrypted data reveals the URLs mentioned above and several other strings such as:
bookmark://
toast://
suggestsms
skiptime
changefrequency
applist
updatehost
...

Internally, the malware stores its parameters in a HashMap. Each item is a tag/value pair. For example, a pair may contain "email_title" (tag) and the subject of the email (value).
The following tags are used:
sms_to_phone
smsc_content
contact_operation
contact_name
contact_phone_number
email_title
to_address
cc_address
bcc_address
email_content
map_x
map_y
open_url
local_file_path
ACTIVITY_PARAM_URL_KEY
package_name
class_name
para_values
...

It also includes a state machine with statuses:
START
IDLE
DOWNLOAD
PARSE
TRANSACT

The ultimate malicious goal of the malware is not yet known. It might be related to stealing privacy-related information, or to displaying targeted ads. Note that the trojaned applications use well-known advertising and statistics SDKs which are not considered malicious, although they may result in Internet communications.

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                     Availability
FortiGate                   Extreme
FortiClient                 Extended
FortiMail                   Extended
FortiSandbox                Extended
FortiWeb                    Extended
Web Application Firewall    Extended
FortiIsolator               Extended
FortiDeceptor               Extended
FortiEDR

Version Updates

Date Version Detail
2023-03-21 91.01633
2023-03-10 91.01307
2023-03-06 91.01181
2022-02-02 89.09263
2022-01-12 89.08633
2021-12-08 89.07583
2021-11-24 89.07163
2021-10-27 89.06323
2021-05-05 85.00953
2021-04-21 85.00617