ANDROIDOS_GEINIMI.A


 THREAT SUBTYPE:

Information Stealer, Malicious Downloader, Spying Tool

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Trend Micro has flagged this Android OS backdoor as noteworthy due to the increased potential for damage, propagation, or both, that it possesses.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor may arrive bundled with legitimate applications. Analysis of its code reveals that it is capable of doing a number of routines to an infected smart phone where the Android OS is installed. These routines include enumerating installed packages and applications on the phone. It also installs, runs, and downloads other applications.

It also retrieves the infected phone's GPS coordinates. It parses through saved contact information as well as messages in the email and phone inboxes.

It executes commands from a remote malicious user, effectively compromising the affected system.

This backdoor may be unknowingly downloaded by a user while visiting malicious websites.

  TECHNICAL DETAILS

Ports:

TCP port 4501 (IANA), TCP port 8791 (Unassigned), TCP port 6543 (lds_distrib), TCP port 5432 (PostgreSQL Database)

File Size:

Varies

File Type:

DEX

Memory Resident:

No

Initial Samples Received Date:

01 Jan 2011

Payload:

Compromises system security, Gathers system properties, Steals information,

Arrival Details

This backdoor may be unknowingly downloaded by a user while visiting malicious websites.

Backdoor Routine

This backdoor opens the following ports:

  • TCP port 4501 (IANA)
  • TCP port 8791 (Unassigned)
  • TCP port 6543 (lds_distrib)
  • TCP port 5432 (PostgreSQL Database)

It connects to the following URL(s) to send and receive commands from a remote malicious user:

  • www.{BLOCKED}fu.com:8080
  • www.{BLOCKED}re.com:8080
  • www.{BLOCKED}jd.com:8080
  • www.{BLOCKED}st.com:8080
  • www.{BLOCKED}sj.com:8080
  • www.{BLOCKED}sl.com:8080
  • www.{BLOCKED}ir.com:8080
  • www.{BLOCKED}oa.com:8080
  • www.{BLOCKED}du.com:8080
  • www.{BLOCKED}cr.com:8080
  • {BLOCKED}.{BLOCKED}.134.185:8080
  • {BLOCKED}.{BLOCKED}.68.34:8080

As of this writing, the said sites are inaccessible.

NOTES:

It executes the following commands from a remote malicious user:

  • Enumerates installed packages and running applications on the phone
  • Starts/Runs an application
  • Downloads other applications
  • Installs/Uninstalls an application
  • Retrieves GPS coordinates of the phone
  • Parses/Reads through saved contact information
  • Parses/Reads through saved messages, such as SMSs sent and email messages in the phone inbox
  • Gathers the following information:
    • Direct inward dialing (DID) number/s
    • GPS location from Google maps
    • International Mobile Subscriber Identity (IMSI) number
    • International Mobile Equipment Identity (IMEI) number
    • Value of autosdkver
    • Value of CPID
    • Value of PTID
    • Value of sdkver
  • Gathers the following system properties:
    • Board
    • Brand
    • Country ISO of network service provider
    • Country ISO of the SIM
    • CPU ABI type
    • Device
    • Display
    • Fingerprint
    • Host
    • ID
    • Line number
    • Manufacturer
    • Name of network service provider
    • Operator name of network service provider
    • Phone model
    • Phone type
    • Product
    • Sales ID
    • Serial number of SIM
    • Software version
    • State of the SIM
    • Subscriber ID
    • Tags
    • Time
    • Type
    • Type of network service
    • User
    • Voice mail number

  SOLUTION

Minimum Scan Engine:

8.900

TMMS Pattern File:

1.101.00

TMMS Pattern Date:

24 May 2011

Step 1

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.

Step 2

Remove unwanted apps on your Android mobile device

[ Learn More ]

Did this description help? Tell us how we did.