Security Alert: New Stealthy Android Spyware -- Plankton -- Found in Official Android Market

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University
While continuing an Android-related research project after the discovery of the DroidKungFu and YZHCSMS malware, my research team also came across a new stealthy Android spyware in the Official Android Market. This spyware does not attempt to root Android phones; instead it is designed to stay under the radar by keeping its payload off the device until runtime. In fact, Plankton is the first Android malware we are aware of that abuses Dalvik's dynamic class loading capability both to remain stealthy and to extend its own functionality on demand. Our investigation indicates that there are at least 10 infected Android apps in the Official Android Market from three different developers. Its stealthy design also explains why some earlier variants have been in the Market for more than two months without being detected by current mobile anti-virus software.

How it works

Plankton is included in host apps by adding a background service. (Removing this background service does not affect the functionality of the host app in any way.) The service is started from the modified onCreate() method of the app's main activity; in other words, whenever the infected app runs, it brings up the background service. The service collects information, including the device ID and the list of permissions granted to the infected app, and sends it to a remote server in an HTTP POST message -- http://www.xxxxxx.com/ProtocolGW/installation.


On the server side, possibly based on the collected information (especially the list of granted permissions), the server returns a URL for the app to download. The URL points to a jar file containing executable code (i.e., Dalvik bytecode). This jar file is the actual payload; once downloaded, it is loaded dynamically through the standard DexClassLoader. Because the payload never ships inside the APK, static analysis of the app as published in the Market sees none of it, which makes the malware hard to detect. After loading, the init() method of a hardcoded payload class is invoked through the Android reflection API. This design mirrors the earlier RootStrap prototype developed by Jon Oberheide.
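The loader itself carries no payload, but it cannot avoid referencing the classes and methods it needs: the Dalvik class loader and the reflection calls used to reach init(). As an added example (not part of the original alert and not Plankton's code), the following Python script parses the string table of a classes.dex file according to the published dex 035 format and flags a file only when it references both a dynamic class loader and reflective invocation. The indicator strings are the standard Dalvik/Java descriptors and method names; the two string tables at the bottom are constructed fixtures to exercise the scanner, not data extracted from Plankton.

```python
"""Static triage of an Android classes.dex: does its constant pool contain the
strings a Plankton-style loader needs (DexClassLoader + reflective invoke)?"""
import struct

DEX_MAGIC = b"dex\n035\x00"   # dex format version 035 (Android 2.x era)
HEADER_SIZE = 0x70

# Constant-pool strings the described technique cannot do without.
# Class descriptors and method names are the standard Dalvik/Java ones.
INDICATORS = {
    "dynamic_loading": ("Ldalvik/system/DexClassLoader;",
                        "Ldalvik/system/PathClassLoader;",
                        "loadClass"),
    "reflection": ("Ljava/lang/reflect/Method;", "getMethod", "invoke"),
}


def read_uleb128(buf, off):
    """Decode an unsigned LEB128 integer; return (value, offset after it)."""
    value, shift = 0, 0
    while True:
        byte = buf[off]
        off += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, off
        shift += 7


def dex_strings(dex):
    """Return every string in the dex string table, in string_id order."""
    if dex[:8] != DEX_MAGIC:
        raise ValueError("not a dex 035 file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)  # string_ids_size/off
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, pos = read_uleb128(dex, data_off)   # string_data_item
        end = dex.index(b"\x00", pos)                    # MUTF-8, NUL-terminated
        # MUTF-8 is identical to UTF-8 for the BMP identifiers matched here.
        out.append(dex[pos:end].decode("utf-8", "replace"))
    return out


def scan(dex):
    """Map each indicator category to the strings found; flag the file only
    when both a dynamic class loader and reflective invocation are present."""
    present = set(dex_strings(dex))
    hits = {cat: sorted(s for s in needles if s in present)
            for cat, needles in INDICATORS.items()}
    flagged = bool(hits["dynamic_loading"]) and bool(hits["reflection"])
    return hits, flagged


# --- constructed fixtures (not real Plankton bytes) --------------------------

def encode_uleb128(value):
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append((byte | 0x80) if value else byte)
        if not value:
            return bytes(out)


def build_minimal_dex(strings):
    """Build a dex file holding only a header and a string table. That is all
    dex_strings() needs; a real classes.dex would be read from the APK."""
    ids_off = HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", data_off + len(data))
        data += encode_uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    header = bytearray(HEADER_SIZE)
    header[:8] = DEX_MAGIC
    struct.pack_into("<I", header, 0x20, HEADER_SIZE + len(ids) + len(data))  # file_size
    struct.pack_into("<I", header, 0x24, HEADER_SIZE)                          # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)                           # endian_tag
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    struct.pack_into("<II", header, 0x68, len(data), data_off)
    return bytes(header + ids + data)


# Constructed string tables: one mimicking the loader described above, one benign.
LOADER_STRINGS = ["Landroid/app/Service;", "onCreate",
                  "Ldalvik/system/DexClassLoader;", "loadClass",
                  "Ljava/lang/reflect/Method;", "getMethod", "invoke", "init"]
BENIGN_STRINGS = ["Landroid/app/Activity;", "onCreate", "setContentView"]

if __name__ == "__main__":
    for name, table in (("loader", LOADER_STRINGS), ("benign", BENIGN_STRINGS)):
        hits, flagged = scan(build_minimal_dex(table))
        print(name, "FLAGGED" if flagged else "clean", hits)
```

Treat a hit as a triage signal, not a verdict: plugin frameworks and advertising SDKs also use DexClassLoader plus reflection, and a loader whose descriptor strings are obfuscated or assembled at runtime will not be caught by string matching at all. What the check does establish is which apps can pull in code the Market never saw, which is exactly the population that needs dynamic analysis.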

Analyzing the payloads

We interacted with Plankton's server and obtained two versions of the payload: plankton_v0.0.3.jar and plankton_v0.0.4.jar. Our analysis shows that these payloads do not contain root exploits. Instead, they support a number of basic bot-related commands that can be invoked remotely. The list of commands supported in version 0.0.4 is shown in the figure below. Briefly, the /bookmarks command collects the bookmarks stored on the phone; /shortcuts installs or removes home screen shortcuts; /history steals the browser history; and /dumplog runs the logcat command to collect runtime log information, which can expose data that other apps write to the log.

During our investigation, we also identified a function that, if invoked, collects the user's accounts. Our analysis shows that this function is not yet wired to any supported command, but its presence, combined with the ability to fetch a new payload at any time, means that account theft or even a root exploit is only a server-side update away.

Follow-ups:

Last modified: June 9th, 2011