1 / 15

Geinimi , Sophisticated New Android Trojan Found in Wild

Geinimi , Sophisticated New Android Trojan Found in Wild. 報告人:劉旭哲. a new Trojan affecting Android devices Geinimi 'botnet-like' capabilities Geinimi is effectively being “grafted” onto repackaged versions of legitimate applications. Games includes Monkey Jump 2 Sex Positions

lula
Download Presentation

Geinimi , Sophisticated New Android Trojan Found in Wild

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Geinimi, Sophisticated New Android Trojan Found in Wild 報告人:劉旭哲

  2. a new Trojan affecting Android devices • Geinimi • 'botnet-like' capabilities • Geinimi is effectively being “grafted” onto repackaged versions of legitimate applications

  3. Games includes • Monkey Jump 2 • Sex Positions • President vs. Aliens • City Defense and Baseball Superstars 2010. • Third-party Chinese Android app markets. • The original versions available in the official Google Android Market have not been affected.

  4. Geinimi has three different methods of starting itself • First the Trojan will launch it’s own Service • The other two ways Geinimi starts revolve around BroadcastReceivers • SMS has been received (SMS_RECEIVED) • Phone starts (BOOT_COMPLETE)

  5. Overwritten AndroidManifest.xml

  6. entry points execute the method “startServiceIfMust”, which attempts to connect to the local Geinimi service. • Update and Check-in • Communication with the service happens over a TCP socket on ports 5432, 4501 or 6543. • Check-in between the server and Trojan is also encrypted.

  7. Every five minutes by default, but can be changed by the server. • GET request • uses HTTP POST requests to send results of commands. Geinimi version uniquely identify the user Location unique per infected package

  8. Geinimi attempts to connect to a remote server using one of 11 embedded domain names. 反向工程解密後…

  9. Encryption • 56-bit DES • a key of 0x0102030405060708. • This is found inside jump2.e.k • eg: Monkey Jump 2

  10. Command and Control • 格式:

  11. AdID

  12. Smsrecord • Post stored SMS to a remote server • result:POST jump2.e.i.a(String server, String afterDate, String beforeDate)

  13. install:// and install - Download an APK ; trigger installation

  14. Conclusion • 雖然已觀察到Geinimi連結並傳送資料C&C Server但尚未看到有伺服器傳送指令給Geinimi • 此外,不論是要求使用者安裝或移除應用程式,皆仍必須經過使用者同意。 • 目前推斷可能是想要藉由這種方式散播廣告

  15. http://www.ithome.com.tw/itadm/article.php?c=65279 • http://blog.mylookout.com/2011/01/geinimi-trojan-technical-analysis/ • http://cdn.androidcommunity.com/wp-content/uploads/2011/01/Geinimi_Trojan_Teardown.pdf

More Related