Little “Mobile” Shop of Horrors Part II: The Rise of the Unregulated Mobile Market Space

With smartphone sales projected to overtake sales of regular feature phones, it’s no surprise to see new application marketplaces, app stores, and download sites emerge, as demand for content is also expected to grow dramatically; sales in 2011 alone are expected to bring in $15 billion. Many telecommunication players are entering the app market arena, branching out from their regular business of manufacturing the device or providing the traditional voice service, or simply because they feel they can supply something that was missing from the consumer experience. Unregulated markets have taken advantage of the growing demand for content, not to mention the absence of official outlets in certain regions, and their number has risen dramatically, providing a perfect incubator and propagation engine for threats such as Android.Geinimi.

How did Geinimi Spread? Summary of Part I

 

From a security analyst’s perspective, the mobile content distribution ecosystem can be broken down roughly into three groups. Group I is the traditional file download site and the user forum file share site. These services have been around as long as the Internet. They started out catering to content-hungry users looking for Windows and Mac software, and then added download sections for handheld devices as PDAs and phones with mobile Web browsers grew in popularity. They may or may not provide file hosting mirrors of the software. User feedback on apps is usually either inconclusive or very basic. On one of these sites, I was able to find a download link to a live threat, right next to an RSS feed of a blog I had written a while ago talking about the threat. Security measures to screen software tend to be limited to off-the-shelf antivirus software (in most cases I have seen, the software used is not antivirus software for a mobile device but Windows-based software).

 

Group II “Vendor certified/Web 2.0 Markets”

The convergence of PDAs and mobile phones and the adoption of mobile devices into the enterprise framework, not to mention the advent of malicious code abusing easy-to-use APIs (intentionally designed to improve developer adoption rates) for monetary gain, brought into focus questions about security, integrity, confidentiality, and data loss prevention. Manufacturers and vendors responded by introducing concepts such as on-device signature verification, a single point of distribution, and platform app certification, which sanitized code through extensive and rigorous testing to ensure that software met not only the manufacturer’s design and platform standards but also additional concerns, such as privacy, ethical and moral standards, and so on. Certainly no screening system is foolproof, and the occasional threat slipped through (once, twice, and even a third time), becoming the focus of many security analysts’ blogs.

The third group (or evolution) tends to be the most interesting from this analyst’s perspective. It can best be described at times as a loose coupling of independent pockets of cloud-hosted file repositories brought together via a storefront app (usually only accessible via a mobile device). These fly-by-night operations seem to be using the same playbook used by radio pirates operating off the coast of England in the 70s. Their operations tend to be limited in their broadcast until they are discovered and/or have to move for one reason or another, at which point the user is required to update the repository list or download a newer version of the app with the location of the file server or repositories.

 

In regions such as China, however, we have noticed that these service providers tend to be a little bolder and operate with what can best be described as entrepreneurial flair. In addition to having the usual mobile storefront app, they also have a strong, visible Web presence, and they use that visibility and the absence of an official marketplace to encourage local authors to submit original content, using ad revenue sharing as the monetary incentive. Ironically, in some cases they use the same ad revenue services that are managed and/or owned by official marketplaces, blurring the line even more between legitimate sites dealing with pirated content uploaded by rogue users and an illegal site trying to go legitimate after growing a user base off the back of pirated content sharing.

 

With projected sales of around $15 billion in 2011, the number of app stores in China will continue to grow at a dramatic rate. As the primary screening mechanism for content is usually user feedback, pirated or malicious content isn’t immediately flagged, and site administrators are quick to point out this fact and disclaim any warranty for damages arising from the use of downloaded software. From a malicious author’s perspective, these sites tend to be the easiest to target, as the users who patronize these sites have turned off device security checks to allow the installation of unsigned software, also called side loading.

China (followed closely by Eastern Europe) has long been plagued by threats and Trojanized apps targeting mobile platforms. Threats that silently call or send SMS messages to premium numbers have become so prevalent that the Chinese government had to take extra measures and set up regulations to crack down not only on the creators but also on unscrupulous handset resellers who were intentionally selling phones preloaded with malware that carried out charge backs. The smaller the charge back, the longer it would take before a user suspects anything is wrong, especially in the case of first-time buyers who aren’t used to the normal monthly charges on their phone bills.

The creators of Android.Geinimi have a clear understanding of the dynamics of the unregulated market ecosystem. With over 20 app titles reported to contain the Trojan payload, it is unclear whether the widespread availability of the threat was the result of the malicious authors at work or of the economics of the unregulated markets at work; in either case, the difficulty of determining the answer ensures that the authors’ tracks are well covered. The authors even took into account the possibility that a user may end up with multiple apps carrying the Trojanized code: specialized routines were added to maximize the effectiveness of the threat by preventing multiple instances of the malicious service from all attempting to duplicate work.

Visual summary of Android.Geinimi. Not all of the 20 commands implemented in Geinimi were intended to be executed remotely. Code analysis has revealed that some of the commands were designed to be operated via direct contact with an infected device.

 

While conducting our investigations into Geinimi and unregulated markets, an additional file came to our attention. The title of the app is “MJ2 New Levels” (a reference to one of the Trojanized versions of Geinimi; it also carried the icon from that game). The code breakdown of this sample did not reveal anything spectacular (in fact, unlike the other samples, it did not contain an app that was Trojanized), but it appeared to take advantage of the Dalvik sandbox model to hide its tracks. While running, it uninstalled itself (a user-prompted action) before proceeding to uninstall Monkey Jump 2. Although at first glance this isn’t a security flaw in itself, the fact that the Dalvik file system/sandbox model allows a running program to remove itself from a device and still carry out actions in the same instance (as it’s still running in the sandbox) does pose a challenge for forensic investigations, as after an incident there are no files left over to examine. Even though we cannot find a direct link between this new sample and Geinimi at this moment in time, this just makes us wonder what other threats are out there in unregulated markets waiting to come to light.