Riskware/Secretmimi!Android

description-logoAnalysis

Riskware/Secretmimi!Android is a riskware that targets Android mobile devices. The application's goal is to have end-users share secrets. However, the application is potentially unwanted because it leaks in clear text

  • Personal information like birthday and gender
  • All secrets: all secrets end-user share are sent in clear text over the network and hence publicly readable to anybody with access to the network


Technical Details


The malware comes packaged as secret.app. The main activity is secret.app.instruction.InstructionActivity.
At first, the application requires login or sign up to the service. User registration posts to hxxp://apprequest.secretmimi.com a JSON object containing:
  • birthday: birth year in Unix epoch time
  • gender flag
  • device_id: this string being with "IMEI_" followed by the MD5 hash of the IMEI
  • login: chosen username
  • andro_id: "IMEI_" followed by the MD5 hash of the Android ID
  • avatar: identifier for the avatar to be used to represent the end-user
  • serial: "IMEI_" followed by the MD5 hash of the property ro.serialno
When logging in, another JSON object is posted to the remote server with latitude, longitude, province and city.
Whenever an end-user shares a "secret" with the community, the "secret" is encoded using Base 64 and posted to the remote server. The HTTP request contains a JSON object with the following (in clear text):
  • content: body of the secret, base64 encoded
  • title: title of the secret, base64 encoded
  • longitude, latitude: GPS coordinates of the end-user if supplied
It uses external SDKs, such as:
  • Apache Commons
  • Baidu
  • Google Analytics
  • Google Play Services
  • Google GSON Library
  • Google ProtoBuf
  • Google Tag Manager
  • Apache HTTP
  • Android Support v4
  • Tencent
  • Umeng
Those SDKs may be undesirable for various reasons such as privacy leaks, network traffic etc.
The riskware asks for the following permissions:
  • Allows an app to access location from location sources such as GPS, cell towers, and Wi-Fi.
  • CHANGE_WIFI_STATE
  • ACCESS_WIFI_STATE
  • READ_LOGS
  • INTERNET
  • VIBRATE

recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.