It wasn’t too long ago that I blogged about Symantec’s discovery of the first threat with botnet-like traits for mobile devices and here we are starting the new year with the discovery of another threat in the wild that has been described as having strong botnet traits. Threats detected as Android.Geinimi are pirated versions of legitimate games that have been modified to include a back door Trojan. At first glance, the distribution/propagation vector used by this threat is very similar to the one used by Trojan.Terred, a legitimate application that has been repackaged into a new bundle with malicious content and is spread through file sharing (the threat itself does not have the ability to replicate on its own).
The permissions required by the legitimate version available on the Android Market.
Looking at the security permissions requested by the Trojanized app raises an obvious question: does any game with flying monkeys need this level of access?
Initial reports indicated that these games were only available in third party app market sites in China, but Symantec has discovered that samples of the threat have found their way into North American and European hosted download sites as well as into BitTorrent hosted collections of pirated games. Based on our analysis there are strong indications that this threat originated in China (localization settings, location of the servers the threat attempts to contact, and so forth) and that the intended targets were users in that region, but at the same time the games that were repackaged to include the Trojan are as popular in other regions as they are in Asia. Therefore it’s no surprise that the games can also be found on other file sharing sites.
A detailed analysis of this threat serves more as a testament to the ease of developing sophisticated code on a platform with good framework support than it does to establish any groundbreaking threat vectors. With the ability to process over 20 commands, hardcoded destinations to 11 sites (which were encrypted using DES), and the use of obfuscation techniques (the closest thing to using packers on the Android platform) to hide/scramble the code in order to make it difficult to reverse engineer, not to mention thwart signature-based detections, this does hint at an evolution in the Android threat landscape.
Only by changing the default setting will an Android device allow you to carry out “side loading” (installing apps from unknown sources).
The writers of this threat have applied a template approach across the different games and apps that the threat was incorporated into. The malicious code has been repackaged as an additional class, which is installed as a service by the modified application in the final Trojanized release. The key point to note is that the final package name used is the same as the legitimate version of the app, thus none of the Trojanized versions would ever have found a way into the Android Market. This is because they would have been rejected immediately on any attempt at submission due to conflicting package names, which lead to complications with issues such as update notifications or, more importantly, with remote file revocation.
While the user sees the game on their device, the Trojan is running as a service in the background:
<service android:name="com.dseffects.MonkeyJump2.jump2.c.AndroidIME" android:permission="android.permission.INTERNET"> </service>
The case could be made that the authors were counting on underground file sharing and unregulated markets to incubate a user base for them, primarily because in regions where there isn’t an Android Market presence, it is highly probable that users have turned off the security checks present in the Android OS in order to install apps from unknown sources. Other than a hint of manipulation of the underlying ad platform packaged into the game, there are no immediate financial motives visible. While there are no indications of activity by the creators of the threat to reach out to compromised devices - at this time this threat is more of a back door than a bot - Symantec Security Response is keeping an eye out for any changes. The added twist is that even though this app would have been rejected by the Android Market, the possibility exists that the ad platform used in the game could still have generated revenue for the original author from the circulation of the Trojanized app, as the same ad account ID was reused.
Since the Trojanized package name is the same as the legitimate game (<activity android:label="@7F050000" android:name=".MonkeyJump2" android:screenOrientation="1">), the malicious package is displayed on the device in exactly the same way as the legitimate game.
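The three observations above (excess permissions, an added background service, and an unchanged package name) can be checked mechanically by diffing a sideloaded APK's decoded AndroidManifest.xml against the Market version of the same package. The script below is an added example, not Symantec's tooling; both manifests are constructed samples, and only the service and activity names quoted in this post are taken from the real threat.

```python
# Added example (not Symantec's code): compare a suspect APK's decoded
# AndroidManifest.xml with the manifest of the legitimate Market build.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML attribute namespace

# Constructed manifest for the legitimate game: one permission, one activity.
LEGIT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.dseffects.MonkeyJump2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MonkeyJump2" android:screenOrientation="1"/>
  </application>
</manifest>"""

# Constructed manifest for the repackaged copy: same package name, extra
# permissions (sample values), plus the background service named in the post.
TROJANIZED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.dseffects.MonkeyJump2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <activity android:name=".MonkeyJump2" android:screenOrientation="1"/>
    <service android:name="com.dseffects.MonkeyJump2.jump2.c.AndroidIME"
             android:permission="android.permission.INTERNET"/>
  </application>
</manifest>"""


def summarize(manifest_xml):
    """Return (package name, set of permissions, set of 'tag:name' components)."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    comps = {tag + ":" + e.get(A + "name")
             for tag in ("activity", "service", "receiver")
             for e in root.iter(tag)}
    return root.get("package"), perms, comps


def diff_manifests(legit_xml, suspect_xml):
    """Report what the suspect build adds over the known-good build."""
    lpkg, lperm, lcomp = summarize(legit_xml)
    spkg, sperm, scomp = summarize(suspect_xml)
    return {
        "same_package": lpkg == spkg,          # identical name hides the swap
        "extra_permissions": sorted(sperm - lperm),
        "extra_components": sorted(scomp - lcomp),  # e.g. the added service
    }
```

A non-empty `extra_components` list containing a service, combined with `same_package` being true, is exactly the repackaging pattern described for Android.Geinimi.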
The elephant at the back of the room here is unregulated market places and file download sites that facilitate the replication of pirated software and also drive the propagation of non-replicating threats such as these. Again, this is a very old propagation vector that predates the concept of peer-to-peer or file sharing on the Internet, and in fact whose roots can be traced back to bulletin board services (BBS).
In part II of this blog I will conclude analysis of Android.Geinimi and discuss the inherent risks associated with unregulated market places.
Special thanks to Lookout for the sample they provided to us.