Android/Geinimi.B!tr
Analysis
Android/Geinimi.B!tr is a variant of Android/Geinimi.A!tr.
The differences are mainly technical.
Technical Details
This variant obfuscates several of its strings and commands with DES encryption. The 8-byte key differs from the one used by Android/Geinimi.A!tr: instead of 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08 it is now
0x00 0x01 0x02 0x07 0x08 0x00 0x08 0x04
Strings decrypted with the old key come out as garbage, so any tooling written for Android/Geinimi.A!tr must be updated with the new key.
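The following Go program is an added example, not code from the page or from the malware: it decrypts a Geinimi string blob with either variant's key and reports which one fits, which is the check an analyst runs when a sample is not yet attributed to A or B. Two assumptions are made because the analysis only says "DES": ECB mode and PKCS5 padding (the defaults of Android's Cipher.getInstance("DES")). The sample blob is constructed inside the program rather than taken from a real binary.

```go
package main

import (
	"bytes"
	"crypto/des"
	"errors"
	"fmt"
	"unicode"
)

// DES keys from the analysis: Geinimi.A and Geinimi.B.
var (
	KeyGeinimiA = []byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08}
	KeyGeinimiB = []byte{0x00, 0x01, 0x02, 0x07, 0x08, 0x00, 0x08, 0x04}
)

// ECB mode and PKCS5 padding are assumptions: the page only says "DES", and on
// Android Cipher.getInstance("DES") defaults to DES/ECB/PKCS5Padding.
func pkcs5Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS5 padding")
	}
	return b[:len(b)-n], nil
}

// desEcb runs the block function over every 8-byte block of in (ECB has no IV).
func desEcb(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(in) == 0 || len(in)%bs != 0 {
		return nil, errors.New("input length is not a multiple of the block size")
	}
	f := block.Encrypt
	if decrypt {
		f = block.Decrypt
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		f(out[i:i+bs], in[i:i+bs])
	}
	return out, nil
}

// DesEcbEncrypt pads with PKCS5 and encrypts; used here only to build the sample.
func DesEcbEncrypt(key, plaintext []byte) ([]byte, error) {
	return desEcb(key, pkcs5Pad(plaintext, des.BlockSize), false)
}

// DesEcbDecrypt decrypts and strips the padding. A wrong key almost always
// fails the padding check, which is what makes key identification possible.
func DesEcbDecrypt(key, ciphertext []byte) ([]byte, error) {
	out, err := desEcb(key, ciphertext, true)
	if err != nil {
		return nil, err
	}
	return pkcs5Unpad(out, des.BlockSize)
}

// looksLikeText rejects decryptions that pass the padding check by chance but
// are not printable, the second check an analyst applies to a candidate key.
func looksLikeText(b []byte) bool {
	for _, r := range string(b) {
		if r == unicode.ReplacementChar || !(unicode.IsPrint(r) || unicode.IsSpace(r)) {
			return false
		}
	}
	return len(b) > 0
}

// IdentifyVariant tries the A key, then the B key, on an obfuscated blob and
// returns "A" or "B" with the plaintext, or "" when neither key fits.
func IdentifyVariant(blob []byte) (string, []byte) {
	for _, c := range []struct {
		name string
		key  []byte
	}{{"A", KeyGeinimiA}, {"B", KeyGeinimiB}} {
		if pt, err := DesEcbDecrypt(c.key, blob); err == nil && looksLikeText(pt) {
			return c.name, pt
		}
	}
	return "", nil
}

func main() {
	blob, _ := DesEcbEncrypt(KeyGeinimiB, []byte("/data/t.jar")) // constructed sample, not from a real binary
	name, pt := IdentifyVariant(blob)
	fmt.Printf("blob %x: key %s fits -> %q\n", blob, name, pt)
}
```

If a real blob fails with both keys, the mode or padding assumption is the first thing to revisit; a CBC variant would need the IV as well, and the padding check would then fail on every block but the last.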
Additionally, Android/Geinimi.B!tr now consists of two Android components:
- the APK of the malware. This component handles communication via sockets. It also launches the other component.
- t.jar: a second APK, run through the Dalvik VM. The launch line recorded by the analysis is:
/system/bin/dalvikvm -cp /data/t.jar BMain& > /system/etc/init.d/51gfan
The redirection into /system/etc/init.d/51gfan places the launch line in an init.d script, i.e. it is re-executed at boot; writing there requires a rooted device whose ROM runs init.d scripts. This second APK contains the remaining malicious aspects.
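The scanner below is an added example, not from the page or the malware: it flags the persistence shape the launch line above leaves behind, a dalvikvm invocation in an init.d script whose classpath lies under /data (an area an app can write to) rather than under /system, where the platform's own am/pm wrappers keep their jars. The init.d script content is constructed for the example; the class and classpath names come from the launch line above.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of an init.d script carrying the launch line from the
// analysis; not content captured from a real device.
const sampleInitScript = `#!/system/bin/sh
# 51gfan
/system/bin/dalvikvm -cp /data/t.jar BMain&
`

// dalvikLaunch matches a dalvikvm invocation whose classpath lies under /data.
// Group 1 is the classpath, group 2 the entry class (a trailing "&" is excluded).
var dalvikLaunch = regexp.MustCompile(`(?:^|\s)/system/bin/dalvikvm\s+-cp\s+(/data/\S+)\s+(\S+?)&?(?:\s|$)`)

// Hit records one suspicious launch line.
type Hit struct {
	Line      int
	Classpath string
	Class     string
}

// ScanInitScript returns every line of an init.d script that launches a Dalvik
// class from a classpath under /data, the persistence shape seen in Geinimi.B.
func ScanInitScript(script string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(script))
	for n := 1; sc.Scan(); n++ {
		if m := dalvikLaunch.FindStringSubmatch(sc.Text()); m != nil {
			hits = append(hits, Hit{Line: n, Classpath: m[1], Class: m[2]})
		}
	}
	return hits
}

func main() {
	for _, h := range ScanInitScript(sampleInitScript) {
		fmt.Printf("line %d: dalvikvm launches %s from %s\n", h.Line, h.Class, h.Classpath)
	}
}
```

On a device image the same function can be run over every file under /system/etc/init.d/; a hit gives the classpath to pull for the string-decryption step above.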
Recommended Action
FortiGate Systems
- Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability

Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |