Plankton Android Trojan found in 10 apps on Android Market
Posted on 09.06.2011
Ten more applications have been pulled from the Google's official Android Market following a notification that they contained a new kind of Android malware.

The malware was discovered by Xuxian Jiang, an assistant professor at the NC State University, and his team. As we have already witnessed before, the malicious code is "grafted" onto legitimate applications, and once the app is installed, it works as a background service whose goals is to gather information and transmit it to a remote server.

The server takes the information in consideration and returns a URL from which the malware downloads a .jar file that, once loaded, exploits Dalvik class loading capability to stay hidden by evading static analysis.

According to them, Plankton - as they named the malware - and the payloads it downloads do not provide root exploits. "Instead, they only support a number of basic bot-related commands that can be remotely invoked," they say.

Among those commands are those that collect browser history, bookmark and log information, those that allow the installation and deinstallation of shortcuts, and more.

"During our investigation, we also identified an interesting function that if invoked can be used to collect user's accounts," they say. "Though our analysis shows that this function is not linked to any supported command, its presence as well as the capability of dynamically loading a new payload can easily turn stealing user's accounts or even launching root exploits into reality."


How security pros deal with cybercrime extortion

1 in 3 security professionals recommend negotiating with cybercriminals for the return of stolen data or the restoration of encrypted files. 86% of security professionals believed their peers at other organizations have brokered deals with cybercriminals.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Apr 1st