Adware/Geyser!Android
Analysis
Adware/Geyser!Android is a potentially unwanted application for Android mobile devices
whose current version leaks your geographic location.
Technical Details
Appsgeyser is a toolkit which helps Android application developers create their applications, distribute them and monetize, in a single step.
The problem is that, to monetize, the kit sends the end user's geographic location (latitude and longitude), together with the device's IMEI, to its advertisement servers over unencrypted HTTP, i.e. in clear text.
For example, in a sample packaged as com.wYoungsterZZ4Android (the Android version of a youth portal), the main activity, named MainNavigationActivity, sends the following URL:
http://[CENSORED]ser.com/?widgetid=APPID&guid=GUID&v=VERSION&hid=IMEI&tlat=LATITUDE&tlon=LONGITUDE
where:
- APPID is the application identifier, read from the "id" field of the raw resource configuration.xml. For example: 284728
- GUID is a randomly generated UUID.
- VERSION is a version number read from the package's AndroidManifest:
<manifest android:versionCode="1349872181" android:versionName="0.84.13498.72181" android:installLocation="preferExternal" package="com.wYoungsterZZ4Android"
- IMEI is the phone's IMEI. Since a GUID is already generated, using only the GUID would be highly preferable, as the IMEI is considered private information.
- LATITUDE and LONGITUDE are the end-user's current latitude and longitude
The configuration also names the server to which installation statistics are reported:
<webWidget> <widgetName>YoungsterZZ 4 Android</widgetName> <registeredUrl> <link>http://[CENSORED]ser.com/statistics.php</link> </registeredUrl>
The rest of that URL contains the following information:
?action=install&name= &id= &system=android
The adware also uses Cloud to Device Messaging, although it is not clear at the time of writing this description exactly what information is communicated through that channel.
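The two request shapes described above (the location beacon carrying APPID, GUID, VERSION, IMEI, LATITUDE and LONGITUDE, and the statistics.php install report) can be spotted in HTTP proxy logs. The following is an added example, not code from the advisory or from Appsgeyser: it scans constructed proxy log lines in an assumed "client method url" format, recognizes both beacon shapes by their query keys, and sanity-checks the leaked values (15-digit Luhn-valid IMEI, coordinates within valid ranges, plain http scheme). The host name ads.example.test, the GUID and the IMEI 490154203237518 are constructed sample values; the APPID and version string are taken from the sample discussed above.

```python
"""Flag Appsgeyser-style location and install beacons in HTTP proxy logs.

Added example (not from the original advisory). Log format, host names
and sample values are assumptions made for the demonstration.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy lines: "<client> <method> <url>" (assumed format).
SAMPLE_LOG = """\
10.0.0.7 GET http://ads.example.test/?widgetid=284728&guid=0a1b2c3d-1111-2222-3333-444455556666&v=0.84.13498.72181&hid=490154203237518&tlat=48.8566&tlon=2.3522
10.0.0.7 GET http://ads.example.test/statistics.php?action=install&name=YoungsterZZ+4+Android&id=284728&system=android
10.0.0.9 GET http://www.example.test/index.html
10.0.0.7 GET http://ads.example.test/?widgetid=284728&guid=abc&v=1&hid=notanimei&tlat=95.0&tlon=2.0
"""

# Query keys that identify each beacon shape from the advisory.
BEACON_KEYS = {"widgetid", "guid", "v", "hid", "tlat", "tlon"}
STATS_KEYS = {"action", "name", "id", "system"}


def luhn_ok(digits: str) -> bool:
    """True if digits is a 15-digit string with a valid Luhn check digit (IMEI)."""
    if not digits.isdigit() or len(digits) != 15:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def valid_coord(lat: str, lon: str) -> bool:
    """True if lat/lon parse as floats inside the valid WGS84 ranges."""
    try:
        la, lo = float(lat), float(lon)
    except ValueError:
        return False
    return -90.0 <= la <= 90.0 and -180.0 <= lo <= 180.0


def classify(url: str):
    """Return (kind, fields) for a beacon URL, or None for unrelated traffic."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    keys = set(q)
    if BEACON_KEYS <= keys:
        hid = q["hid"]
        return "location_beacon", {
            "appid": q["widgetid"],
            "guid": q["guid"],
            "version": q["v"],
            "imei": hid,
            "imei_plausible": luhn_ok(hid),
            "lat": q["tlat"],
            "lon": q["tlon"],
            "coords_plausible": valid_coord(q["tlat"], q["tlon"]),
            "cleartext": parts.scheme == "http",
        }
    if parts.path.endswith("/statistics.php") and STATS_KEYS <= keys:
        return "install_report", {
            "action": q["action"],
            "name": q["name"],
            "appid": q["id"],
            "system": q["system"],
            "cleartext": parts.scheme == "http",
        }
    return None


def scan(log_text: str):
    """Return a list of (client, kind, fields) for every beacon found in the log."""
    hits = []
    for line in log_text.splitlines():
        try:
            client, _method, url = line.split(maxsplit=2)
        except ValueError:
            continue                      # skip malformed lines
        result = classify(url)
        if result is not None:
            hits.append((client, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for client, kind, fields in scan(SAMPLE_LOG):
        print(client, kind, fields)
```

The plausibility flags matter for triage: a Luhn-valid 15-digit hid confirms a real IMEI left the device, and in-range tlat/tlon values confirm a usable fix rather than a default or error value.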
The adware contains the following files:
META-INF/MANIFEST.MF
META-INF/DESKTOPI.SF
META-INF/DESKTOPI.RSA
assets/error.html
assets/run_custom_script.js
res/drawable/about_appsgeyser_logo.png
res/drawable/about_background.xml
res/drawable/active_tab_background.xml
res/drawable/add_item.png
res/drawable/add_item_active.png
res/drawable/button_style.xml
res/drawable/contents_background.xml
res/drawable/cross_item.png
res/drawable/deactive_tab_background.xml
res/drawable/ic_menu_add.png
res/drawable/ic_menu_favorite.png
res/drawable/ic_menu_refresh.png
res/drawable/icon.png
res/drawable/pin_icon.png
res/drawable/reload_item.png
res/drawable/star.png
res/drawable/star_active.png
res/layout/about_dialog.xml
res/layout/bottom_banner.xml
res/layout/connection_error_dialog.xml
res/layout/history_autocomplete_layout.xml
res/layout/http_authentication.xml
res/layout/main.xml
res/layout/message_viewer.xml
res/layout/navigation_bar.xml
res/layout/no_content_message.xml
res/layout/startup_screen.xml
res/layout/tab_tag.xml
res/layout/tabs_panel.xml
res/layout/user_agent_dialog.xml
res/layout/video_loading_progress.xml
res/layout/web_content.xml
res/menu/customapp_menu.xml
res/menu/webapp_menu.xml
res/raw/configuration.xml
res/raw/falsepositives.txt
res/raw/flashplayer_not_exist.html
res/raw/index.html
res/raw/insuffient_sdk_version.html
res/raw/reportabuse.txt
AndroidManifest.xml
resources.arsc
classes.dex
Permissions required by the adware:
- INTERNET
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |