Threat Encyclopedia

Android/Geinimi.B!tr

Analysis

Android/Geinimi.B!tr is a variant of Android/Geinimi.A!tr.
The differences are mainly technical.


Technical Details


This variant obfuscates several of its strings and commands with DES encryption. The key has changed: it is no longer 0x01 0x02 0x03 0x04 0x05 0x06 0x07 0x08 but 0x00 0x01 0x02 0x07 0x08 0x00 0x08 0x04.

Additionally, Android/Geinimi.B!tr now consists of two Android applications:
  1. the APK of the malware. This component handles communication via sockets. It also launches the other APK.
  2. t.jar: another APK.
Note that the malware does not actually install the second APK; it launches it via the following command:
/system/bin/dalvikvm -cp /data/t.jar BMain& > /system/etc/init.d/51gfan
This second APK contains the remaining malicious aspects.
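As an added illustration (not Fortinet's analysis code), the Go program below uses the two keys listed above to show how an analyst can decrypt such obfuscated strings and confirm which variant's key a sample uses. DES in ECB mode with PKCS#5 padding is an assumption, since the analysis says only "DES"; the sample string "/data/t.jar" is constructed here, not taken from a sample.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

var KeyGeinimiA = []byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08} // key listed for Geinimi.A
var KeyGeinimiB = []byte{0x00, 0x01, 0x02, 0x07, 0x08, 0x00, 0x08, 0x04} // key listed for Geinimi.B

// Encrypt pads with PKCS#5 and applies DES-ECB (both assumed; the page only says "DES").
func Encrypt(key []byte, s string) ([]byte, error) {
	c, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := des.BlockSize - len(s)%des.BlockSize
	pt := append([]byte(s), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += des.BlockSize {
		c.Encrypt(ct[i:], pt[i:])
	}
	return ct, nil
}

// Decrypt reverses Encrypt and rejects bad padding, which is how a wrong key usually shows up.
func Decrypt(key, ct []byte) (string, error) {
	c, err := des.NewCipher(key)
	if err != nil || len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return "", fmt.Errorf("bad key or ciphertext length %d is not whole DES blocks", len(ct))
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += des.BlockSize {
		c.Decrypt(pt[i:], ct[i:])
	}
	n := int(pt[len(pt)-1])
	if n == 0 || n > des.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", fmt.Errorf("bad PKCS#5 padding")
	}
	return string(pt[:len(pt)-n]), nil
}

func main() {
	ct, _ := Encrypt(KeyGeinimiB, "/data/t.jar") // constructed sample string, encrypted with the B key
	for _, k := range [][]byte{KeyGeinimiA, KeyGeinimiB} {
		s, err := Decrypt(k, ct) // only the B key recovers the string; the A key fails or yields junk
		fmt.Printf("key %x -> %q, err=%v\n", k, s, err)
	}
}
```

Trying the A key against strings from a B sample is a quick way to tell the two variants apart during triage; a padding failure is the usual symptom of the wrong key, though a wrong key can occasionally produce valid-looking padding, so check that the result is readable text too.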

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.