ANDROIDOS_GEINIMI.A

Trend Micro has flagged this Android OS backdoor as noteworthy due to the increased potential for damage, propagation, or both, that it possesses.

To get a one-glance comprehensive view of the behavior of this Backdoor, refer to the Threat Diagram shown below.

This backdoor may arrive bundled with legitimate applications. Analysis of its code reveals that it is capable of doing a number of routines to an infected smart phone where the Android OS is installed. These routines include enumerating installed packages and applications on the phone. It also installs, runs, and downloads other applications.

It also retrieves the infected phone's GPS coordinates. It parses through saved contact information as well as messages in the email and phone inboxes.

It executes commands from a remote malicious user, effectively compromising the affected system.

This backdoor may be unknowingly downloaded by a user while visiting malicious websites.

Arrival Details

This backdoor may be unknowingly downloaded by a user while visiting malicious websites.

Backdoor Routine

This backdoor opens the following ports:

• TCP port 4501 (IANA)
• TCP port 8791 (Unassigned)
• TCP port 6543 (lds_distrib)
• TCP port 5432 (PostgreSQL Database)

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• www.{BLOCKED}fu.com:8080
• www.{BLOCKED}re.com:8080
• www.{BLOCKED}jd.com:8080
• www.{BLOCKED}st.com:8080
• www.{BLOCKED}sj.com:8080
• www.{BLOCKED}sl.com:8080
• www.{BLOCKED}ir.com:8080
• www.{BLOCKED}oa.com:8080
• www.{BLOCKED}du.com:8080
• www.{BLOCKED}cr.com:8080
• {BLOCKED}.{BLOCKED}.134.185:8080
• {BLOCKED}.{BLOCKED}.68.34:8080

As of this writing, the said sites are inaccessible.

NOTES:

It executes the following commands from a remote malicious user:

• Enumerates installed packages and running applications on the phone
• Starts/Runs an application
• Downloads other applications
• Installs/Uninstalls an application
• Retrieves GPS coordinates of the phone
• Parses/Reads through saved contact information
• Parses/Reads through saved messages, such as SMSs sent and email messages in the phone inbox
• Gathers the following information:
  • Direct inward dialing (DID) number/s
  • GPS location from Google maps
  • International Mobile Subscriber Identity (IMSI) number
  • International Mobile Equipment Identity (IMEI) number
  • Value of autosdkver
  • Value of CPID
  • Value of PTID
  • Value of sdkver
• Gathers the following system properties:
  • Board
  • Brand
  • Country ISO of network service provider
  • Country ISO of the SIM
  • CPU ABI type
  • Device
  • Display
  • Fingerprint
  • Host
  • ID
  • Line number
  • Manufacturer
  • Name of network service provider
  • Operator name of network service provider
  • Phone model
  • Phone type
  • Product
  • Sales ID
  • Serial number of SIM
  • Software version
  • State of the SIM
  • Subscriber ID
  • Tags
  • Time
  • Type
  • Type of network service
  • User
  • Voice mail number