Saturday, January 8, 2011

Geinimi Trojan Technical Teardown


Geinimi is a Trojan affecting Android devices that has come to Lookout’s attention as emerging through third-party application sources (markets and app-sharing forums), primarily in China. Geinimi is noteworthy as it represents a reasonable jump in capabilities and sophistication over existing Android malware observed to date. The word Geinimi (Ghay-knee-mÄ“) is derived from the name of the first repackaged application it was discovered in. Geinimi is Mandarin Chinese for “give you rice”, essentially slang for “give you money”. The Trojan was originally injected using the package “com.geinimi” but as it spread, subsequent variants took on an obfuscated
package scheme.

In this document, we outline how the Trojan starts, what obfuscation is employed, how the command and control system works, and what commands we are able to observe in action. To simplify the discussion, we will focus primarily on an infected sample of a game called “Monkey Jump 2”:

File: MonkeyJump2.apk
Md5: e0106a0f1e687834ad3c91e599ace1be
Sha1: 179e1c69ceaf2a98fdca1817a3f3f1fa28236b13
Geinimi SDK: 10.7



Geinimi is certainly not the first piece of mobile malware to exhibit many of its traits. It does, however, represent a significant jump in sophistication and capabilities from its
predecessors on the Android platform. It represents the first piece of Android malware
to employ a bytecode obfuscator and internal encryption to obfuscate its purpose. It is
the first case of Android malware grafted onto a legitimate application and, though the
most sophisticated Spyware applications have come close, Geinimi is accepting the
broadest array of commands from a server under the control of an unknown party that
we have seen to date.

There has been much speculation as to the intent of Geinimi. It could be nothing more than a Trojan advertising platform with overbearing promotional hooks by our standards. At the extreme, the array of capabilities under 3rd party control could amount to an attempt to build a botnet. These are widely different assessments thatrely on knowing the intent of Geinimi’s authors, a perspective that we don’t have available to analyze. What is clear, however, is that Geinimi is something that nobody in their right mind wants installed on their mobile device.

No comments:

Post a Comment