Geinimi, Sophisticated New Android Trojan Found in Wild
Presenter: 劉旭哲

A new Trojan affecting Android devices: Geinimi
– 'botnet-like' capabilities
– Geinimi is effectively being “grafted” onto repackaged versions of legitimate applications

Repackaged games include:
– Monkey Jump 2
– Sex Positions
– President vs. Aliens
– City Defense
– Baseball Superstars
Distributed through third-party Chinese Android app markets. The original versions available in the official Google Android Market have not been affected.

Geinimi has three different methods of starting itself:
– First, the Trojan launches its own Service
– The other two ways Geinimi starts revolve around BroadcastReceivers:
  – an SMS has been received (SMS_RECEIVED)
  – the phone starts (BOOT_COMPLETED)
Overwritten AndroidManifest.xml
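The three entry points above (a grafted Service plus receivers for SMS_RECEIVED and BOOT_COMPLETED) all have to be declared in the manifest, so a decoded AndroidManifest.xml can be triaged for that pattern. The script below is an added example, not code from the original talk or from the Lookout analysis; it assumes the manifest has already been decoded from binary AXML to plain XML (for instance with apktool), and the sample manifest and class names in it are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Intent actions the Geinimi receivers listen for (from the analysis above).
WATCHED_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED",
    "android.intent.action.BOOT_COMPLETED",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return the services and receiver actions declared in a decoded
    AndroidManifest.xml and whether the Geinimi-style entry points are present."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    services = [s.get(ANDROID_NS + "name") for s in app.findall("service")]
    receiver_actions = set()
    for receiver in app.findall("receiver"):
        for action in receiver.iter("action"):
            receiver_actions.add(action.get(ANDROID_NS + "name"))
    hits = sorted(receiver_actions & WATCHED_ACTIONS)
    return {
        "services": services,
        "receiver_actions": sorted(receiver_actions),
        "suspicious_actions": hits,
        # Flag only when all three entry points (own service + both receivers) exist.
        "geinimi_pattern": bool(services) and len(hits) == len(WATCHED_ACTIONS),
    }

# Constructed sample: a game manifest with a grafted service and two receivers.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <application android:label="Example Game">
    <activity android:name=".MainActivity"/>
    <service android:name="com.example.e.AdService"/>
    <receiver android:name="com.example.e.SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.e.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Many legitimate apps register one of these receivers, so the result is a triage hint to compare against the original market version, not a verdict on its own.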
All entry points execute the method “startServiceIfMust”, which attempts to connect to the local Geinimi service.

Update and Check-in
– Communication with the service happens over a TCP socket on ports 5432, 4501 or …
– Check-in between the server and the Trojan is also encrypted.
– Check-in happens every five minutes by default, but the interval can be changed by the server.
– Check-in is a GET request; HTTP POST requests are used to send the results of commands.
– Data sent at check-in: a value that uniquely identifies the user, a value unique per infected package, the Geinimi version, and the location.
– Geinimi attempts to connect to a remote server using one of 11 embedded domain names. After reverse engineering and decryption: …

Encryption
– 56-bit DES
– a key of 0x…
– This is found inside jump2.e.k (e.g. in the Monkey Jump 2 sample)
Command and Control
– Format:
  AdID
– Smsrecord: post stored SMS to a remote server
  – result: POST via jump2.e.i.a(String server, String afterDate, String beforeDate)
– install:// and install: download an APK and trigger its installation
Conclusion
Although Geinimi has been observed connecting to and sending data to the C&C server, no server has yet been seen sending commands to Geinimi. Moreover, whether an application is to be installed or removed, the user's consent is still required. The current inference is that this approach may be intended to spread advertising.