Geinimi – Give me your rice… NOW!

So lately I’ve had the pleasure of reversing the latest Android threat, Geinimi, and boy – it sure is something else!

I don’t want to go too much into depth for it here as it’s already been torn apart and posted on my works blog. Our latest release has all the technical details outlined and a full teardown in pdf form.

Something I will post here is a nerfed script from Jaime Blasco, a newly found friend of mine who works for AlienVault. He posted a nifty nmap script for detecting Geinimi infected devices. His original script can be found on his blog post, though I’m done some minor improvements to it;

Essentially I’ve added the three extra ports that the main Geinimi service will bind too. The main port is still 5432, though it can attempt to connect on the other two ports. The other thing I’ve added was a check to the presumed command plugin that a Geinimi device may also have, which is bound on port 8791.

Hopefully everyone enjoys the teardown and maybe this script would be useful for anyone who is interested in auditing their network of multiple Android devices.

Your Name Email Website