Security Alert: New Stealthy Android Spyware -- Plankton -- Found in Official Android Market

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University

How it works
On the server side, possibly based on the collected information (especially the list of granted permissions), the server returns a URL for the app to download. The URL points to a jar file containing executable code (Dalvik bytecode). The jar file is essentially a payload which, once downloaded, is dynamically loaded through the standard DexClassLoader. Because the payload code is not present in the app that was submitted to the Market, this design lets the malicious functionality evade static analysis and makes it hard to detect. After loading, the init() method of a hardcoded payload class is invoked through the Android reflection API. Note that this design reflects the earlier RootStrap prototype developed by Jon Oberheide.
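The following is an added illustration of the loading pattern just described, written against the standard Android APIs; it is not Plankton's code and not taken from the original analysis. The payload class name, the signature of init(), and the jar location are assumptions made for the example.

```java
// Added example (not Plankton's own code): dynamic loading of a downloaded jar
// with DexClassLoader, followed by a reflective call to its entry method.
import android.content.Context;
import dalvik.system.DexClassLoader;
import java.io.File;
import java.lang.reflect.Method;

public class PayloadLoader {
    // Assumed names: the real hardcoded class name is not reproduced here.
    private static final String PAYLOAD_CLASS = "com.example.payload.Main";
    private static final String ENTRY_METHOD = "init";

    /**
     * Loads a jar that contains a classes.dex and calls its entry method.
     * @param ctx     app context, used to obtain an app-private optimized-dex directory
     * @param jarPath path of the downloaded jar, assumed to live under the app's files dir
     */
    public static void loadAndRun(Context ctx, String jarPath) throws Exception {
        // DexClassLoader needs a writable directory where it stores the optimized dex.
        // It must be app-private: a world-writable directory would let another app
        // replace the optimized code that gets executed.
        File optDir = ctx.getDir("dex", Context.MODE_PRIVATE);
        DexClassLoader loader = new DexClassLoader(
                jarPath,
                optDir.getAbsolutePath(),
                null,                      // no native library search path
                ctx.getClassLoader());     // parent loader: payload sees app and framework classes

        // The payload class is never referenced statically, so a disassembly of the
        // Market APK shows only these string constants and the loader/reflection calls.
        Class<?> payload = loader.loadClass(PAYLOAD_CLASS);
        Method init = payload.getMethod(ENTRY_METHOD, Context.class); // assumed signature
        init.invoke(null, ctx);                                        // assumed to be static
    }
}
```

For a reviewer or a static scanner, the observable footprint of this pattern in the Market APK is the combination of a network fetch of a jar, a DexClassLoader (or a Class.forName / loadClass on a string constant), and a Method.invoke. None of these APIs is malicious by itself, but together with a payload URL chosen after reporting the granted permissions they are the signature of a staged downloader.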

Analyzing the payloads

We have managed to interact with Plankton and successfully downloaded two versions of the payload: plankton_v0.0.3.jar and plankton_v0.0.4.jar. Our analysis shows that these payloads do not contain root exploits. Instead, they only support a number of basic bot commands that can be remotely invoked. The list of commands supported in version 0.0.4 is shown in the figure below. Basically, the /bookmarks command collects the bookmarks stored on the phone; /shortcuts installs or removes home screen shortcuts; /history steals the browser history; and /dumplog runs the logcat command to collect runtime log information; and so on.

During our investigation, we also identified an interesting function that, if invoked, can be used to collect the user's accounts. Although our analysis shows that this function is not linked to any supported command, its presence, combined with the capability of dynamically loading a new payload, means that stealing the user's accounts or even launching root exploits could easily become reality in a later payload version.
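As an added example of how one can quickly triage a downloaded payload jar like the ones analyzed above (this is not a tool from the original analysis), the program below extracts classes.dex from a jar and searches its string data for the command names, the logcat invocation, the account-collection API and the next-stage loading APIs. The indicator list is assembled from the analysis in this article; the path handling and the minimum string length are assumptions.

```java
// Added example (not from the original analysis): string-indicator triage of a
// payload jar. It reads classes.dex from the jar and scans it for known strings.
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public class PayloadTriage {
    // Indicators taken from the analysis above, plus the API names that implement them.
    static final String[] INDICATORS = {
        "/bookmarks", "/shortcuts", "/history", "/dumplog",   // bot commands
        "logcat",                                            // what /dumplog executes
        "getAccounts", "android.accounts.AccountManager",    // account-collection function
        "DexClassLoader", "loadClass", "invoke"              // loading of a further stage
    };

    /** Returns the indicators found in the jar's classes.dex, in the order listed above. */
    public static List<String> findIndicators(String jarPath) throws Exception {
        byte[] dex = readEntry(jarPath, "classes.dex");
        List<String> strings = extractStrings(dex, 4); // assumed minimum length of 4
        List<String> hits = new ArrayList<String>();
        for (String ind : INDICATORS) {
            for (String s : strings) {
                if (s.contains(ind)) { hits.add(ind); break; }
            }
        }
        return hits;
    }

    static byte[] readEntry(String jarPath, String name) throws Exception {
        ZipFile zf = new ZipFile(jarPath);
        try {
            ZipEntry e = zf.getEntry(name);
            if (e == null) throw new IllegalArgumentException(name + " not found in " + jarPath);
            InputStream in = zf.getInputStream(e);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) out.write(buf, 0, n);
            return out.toByteArray();
        } finally {
            zf.close();
        }
    }

    // Dex stores string data as MUTF-8 preceded by a ULEB128 length byte, which is
    // below 0x20 for short strings, so a run of printable ASCII isolates each ASCII
    // identifier or command string. Good enough for triage; not a full dex parser.
    static List<String> extractStrings(byte[] data, int minLen) {
        List<String> out = new ArrayList<String>();
        StringBuilder cur = new StringBuilder();
        for (byte b : data) {
            if (b >= 0x20 && b < 0x7f) {
                cur.append((char) b);
            } else {
                if (cur.length() >= minLen) out.add(cur.toString());
                cur.setLength(0);
            }
        }
        if (cur.length() >= minLen) out.add(cur.toString());
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java PayloadTriage plankton_v0.0.4.jar
        for (String hit : findIndicators(args[0])) System.out.println("indicator: " + hit);
    }
}
```

A hit on "getAccounts" or "AccountManager" is the kind of finding that surfaced the unused account-collection function; a hit on "DexClassLoader" or "loadClass" inside a payload would indicate a further stage. The caveat is the usual one for string scanning: a payload can assemble command names or API names at runtime, so an empty result rules nothing out, and a positive result still has to be confirmed by reading the code.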



Follow-ups:

6/9/2011: This article goes public. We have been busy contacting, or being contacted by, leading mobile anti-virus companies and research labs, including Lookout, Symantec, McAfee, CA, SmrtGuard, Juniper, Kinetoo, Google, Fortinet, Dr.Web, AVG Mobilation, ...

6/5/2011: We notified Google about the 10 offending apps in the Official Android Market. On the same day, these apps were suspended pending investigation.

Last modified: June 9th, 2011