The malware was discovered by Xuxian Jiang, an assistant professor at the NC State University, and his team. As we have already witnessed before, the malicious code is "grafted" onto legitimate applications, and once the app is installed, it works as a background service whose goals is to gather information and transmit it to a remote server.
The server takes the information in consideration and returns a URL from which the malware downloads a .jar file that, once loaded, exploits Dalvik class loading capability to stay hidden by evading static analysis.
According to them, Plankton - as they named the malware - and the payloads it downloads do not provide root exploits. "Instead, they only support a number of basic bot-related commands that can be remotely invoked," they say.
Among those commands are those that collect browser history, bookmark and log information, those that allow the installation and deinstallation of shortcuts, and more.
"During our investigation, we also identified an interesting function that if invoked can be used to collect user's accounts," they say. "Though our analysis shows that this function is not linked to any supported command, its presence as well as the capability of dynamically loading a new payload can easily turn stealing user's accounts or even launching root exploits into reality."
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.