Geinimi - Give me your rice... NOW!

So lately I’ve had the pleasure of reversing the latest Android threat, Geinimi, and boy - it sure is something else!

I don’t want to go too much into depth on it here, as it has already been torn apart and posted on my work’s blog. Our latest release has all the technical details outlined and a full teardown in PDF form.

Something I will post here is a modified version of a script from Jaime Blasco, a newly found friend of mine who works for AlienVault. He posted a nifty nmap script for detecting Geinimi-infected devices. His original script can be found on his blog post; I’ve made some minor improvements to it:

description = [[
Detects devices infected with the Geinimi Android trojan by speaking its
plaintext handshake to the ports its main service and command plugin listen on.
]]

---
-- @output
-- PORT     STATE SERVICE
-- 5432/tcp open  postgresql
-- |_geinimi: Geinimi trojan present
-- 8791/tcp open
-- |_geinimi: Geinimi CMD plugin found and accepting commands

author = "(Original) - Jaime Blasco [email protected] (Updates) - Tim Strazzere [email protected]"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"discovery", "safe"}

local comm = require "comm"
local nmap = require "nmap"
local shortport = require "shortport"

-- 5432 is the main Geinimi service port, 4501 and 6543 are the alternates it
-- can fall back to, and 8791 is the command plugin.
portrule = shortport.portnumber({5432, 4501, 6543, 8791}, {"tcp"})

-- Every probe uses the same socket options: wait up to 5 seconds for a reply.
local function probe(host, port, try, payload)
  return try(comm.exchange(host, port, payload,
    {lines = 100, proto = port.protocol, timeout = 5000}))
end

action = function(host, port)
  local try = nmap.new_try()

  if port.number == 8791 then
    -- Command plugin: the greeting "hi,xiaolu" is answered with "hi,liqian",
    -- after which "CMD id" should be answered with "command ok".
    local response = probe(host, port, try, "hi,xiaolu")
    if response:find("hi,liqian", 1, true) then
      response = probe(host, port, try, "CMD id")
      if response:find("command ok", 1, true) then
        -- "bye" gets no reply worth waiting for; do not wrap it in try(),
        -- since a failed exchange there would abort the script and lose
        -- the finding we already have.
        comm.exchange(host, port, "bye",
          {lines = 100, proto = port.protocol, timeout = 5000})
        return "Geinimi CMD plugin found and accepting commands"
      else
        return "Geinimi CMD plugin found, but not accepting commands"
      end
    end
  else
    -- Main service: it answers "hi,are you online?" with "yes,I'm online!".
    local response = probe(host, port, try, "hi,are you online?")
    if response:find("yes,I'm online!", 1, true) then
      return "Geinimi trojan present"
    end
  end
end

Essentially I’ve added the three extra ports the script now checks. The main Geinimi service still binds to 5432, though it can fall back to 4501 or 6543, so those two are probed with the same "hi,are you online?" exchange. The other thing I’ve added is a check for the presumed command plugin that an infected device may also be running, which is bound on port 8791: the script completes the plugin’s "hi,xiaolu" / "hi,liqian" greeting and then sends "CMD id" to see whether it answers "command ok".
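For anyone who wants to run the same checks without nmap, here is the handshake implemented as a stand-alone Python checker. This is an added example written for this page; it is not the original post's code nor Jaime Blasco's script. The probe strings, expected replies and port numbers are the ones from the NSE script above; everything else is mine, in particular the assumption that replies are single newline-terminated lines, the function names, and the FakeGeinimi class, which is a constructed test double that merely echoes the replies listed above so the checker can be exercised offline (it is not the trojan, and it implements nothing beyond those strings).

```python
import socket
import threading

# Probe strings and expected replies, copied from the NSE script above.
MAIN_PROBE, MAIN_REPLY = b"hi,are you online?", b"yes,I'm online!"
CMD_HELLO, CMD_HELLO_REPLY = b"hi,xiaolu", b"hi,liqian"
CMD_ID, CMD_ID_REPLY = b"CMD id", b"command ok"
CMD_BYE = b"bye"
MAIN_PORTS = (5432, 4501, 6543)  # main service port and its two alternates
CMD_PORT = 8791                  # command plugin
TIMEOUT = 5.0                    # same 5 s the NSE script waits


def exchange(sock, payload, expect, timeout=TIMEOUT):
    """Send payload, then read until `expect` shows up, a full line arrives, the
    peer closes, or the timeout elapses. Returns True if `expect` was seen.
    Assumption (mine, not from the page): replies are newline-terminated."""
    sock.settimeout(timeout)
    sock.sendall(payload)
    buf = b""
    while True:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:  # peer closed the connection
            break
        buf += chunk
        if expect in buf or buf.endswith(b"\n"):
            break
    return expect in buf


def probe_main(host, port):
    """Main-service check (5432/4501/6543): returns a finding string or None."""
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as s:
            if exchange(s, MAIN_PROBE, MAIN_REPLY):
                return "Geinimi trojan present"
    except OSError:  # refused, unreachable, timed out
        pass
    return None


def probe_cmd(host, port):
    """Command-plugin check (8791): greeting handshake, then 'CMD id'."""
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as s:
            if not exchange(s, CMD_HELLO, CMD_HELLO_REPLY):
                return None
            if exchange(s, CMD_ID, CMD_ID_REPLY):
                s.sendall(CMD_BYE)  # no reply is expected, so don't wait for one
                return "Geinimi CMD plugin found and accepting commands"
            return "Geinimi CMD plugin found, but not accepting commands"
    except OSError:
        return None


def scan_host(host):
    """Probe all four ports of one device; returns {port: finding} for hits."""
    hits = {p: probe_main(host, p) for p in MAIN_PORTS}
    hits[CMD_PORT] = probe_cmd(host, CMD_PORT)
    return {p: r for p, r in hits.items() if r}


class FakeGeinimi(threading.Thread):
    """Constructed test double on a random loopback port. It only echoes the
    replies listed above and is NOT the real trojan; it lets the checker run offline."""

    def __init__(self, accept_cmd=True):
        super().__init__(daemon=True)
        self.replies = {MAIN_PROBE: MAIN_REPLY, CMD_HELLO: CMD_HELLO_REPLY,
                        CMD_ID: CMD_ID_REPLY if accept_cmd else b"command refused"}
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(5)
        self.port = self.srv.getsockname()[1]

    def run(self):
        while True:
            try:
                conn, _ = self.srv.accept()
            except OSError:  # listener was shut down
                return
            threading.Thread(target=self._serve, args=(conn,), daemon=True).start()

    def _serve(self, conn):
        with conn:
            conn.settimeout(2)
            while True:
                try:
                    data = conn.recv(1024)
                except socket.timeout:
                    return
                if not data or data == CMD_BYE:
                    return
                if data in self.replies:
                    conn.sendall(self.replies[data] + b"\n")

    def close(self):
        try:
            self.srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        self.srv.close()
```

To audit a subnet, call scan_host() for each address and report the non-empty results; like the NSE script, this sends a real "CMD id" to anything answering the plugin greeting, so point it only at devices you are allowed to test. The per-probe timeout matches the 5 s the NSE script uses, which on a large network is the dominant cost, so run the probes from a thread pool rather than serially.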

Hopefully everyone enjoys the teardown, and maybe this script will be useful to anyone interested in auditing a network with a lot of Android devices on it.