Google says it has suspended a number of suspicious applications from the Android Market after researchers at NC State announced they had discovered a new and particularly stealthy piece of spyware, dubbed “Plankton,” lurking in Android applications there.

According to a report by computer science professor Xuxian Jiang, the Plankton spyware represents an evolution in Android malware: it attempts to obscure itself using Android's native class-loading capability rather than trying to gain root access to the phone. The NC State team claims this sort of exploitation is the first of its kind.

Ten Android apps in the official Android Market are known to be infected, but many more could be victims of the Plankton Trojan. Jiang claims that early variants of the Trojan have evaded detection for as long as two months.

A Google spokesman said the company has already taken action to remove the malicious applications.

“We’re aware of and have suspended a number of suspicious applications from Android Market,” a Google spokesperson told Threatpost. “We remove apps and developer accounts that violate our policies.”

Plankton works like a parasite, latching onto its host application as a background service that has no effect on the app's intended purpose. When a user runs an infected application on their Android phone, Plankton collects information such as the device ID and the list of granted permissions and sends it in an HTTP POST message to a remote update server, the NC State researchers found.

That remote server returns a URL pointing to an executable JAR file for the device to download. Once downloaded, the JAR file is loaded dynamically. Because the payload is never present in the application as published, it evades static analysis and is difficult to detect.

Analysis of the payload shows that the malware does not carry root exploits, but it does support a number of bot-related commands. One notable function is that it can be used to collect information on users’ accounts.
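One defender-side check that follows from the behaviour described above, as an added example that is not code from the NC State researchers or Threatpost: read the string table of an APK's classes.dex and flag the loader's own footprint (a DexClassLoader/loadDex reference, the device-ID API, an HTTP POST client). The header offsets follow the dex file format; the indicator strings and the constructed test blob are this example's own assumptions.

```python
import struct

# Indicator strings chosen for this example (an assumption, not NC State's list):
# the Dalvik class-loader entry points, the device-ID API, and an HTTP POST client.
INDICATORS = {
    "dynamic_code_loading": ["Ldalvik/system/DexClassLoader;", "loadDex"],
    "device_id_collection": ["getDeviceId"],
    "http_post_beacon": ["Lorg/apache/http/client/methods/HttpPost;"],
}

def read_uleb128(buf, off):
    """Decode a ULEB128 integer at buf[off]; return (value, offset after it)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7

def dex_strings(dex):
    """Yield every entry of a dex file's string table (size/offset at 0x38/0x3C)."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, start = read_uleb128(dex, data_off)   # string_data_item
        end = dex.index(b"\x00", start)                    # MUTF-8, NUL-terminated
        yield dex[start:end].decode("utf-8", errors="replace")

def scan_dex(dex):
    """Return the sorted indicator categories whose strings occur in the dex."""
    strings = list(dex_strings(dex))
    return sorted(cat for cat, needles in INDICATORS.items()
                  if any(n in s for n in needles for s in strings))

def build_test_dex(strings):
    """Construct a minimal dex-shaped blob holding only a string table (test input)."""
    header = bytearray(0x70)                  # standard dex header size
    header[:8] = b"dex\n035\x00"
    ids_off = 0x70                            # string_ids table right after header
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", ids_off + 4 * len(strings) + len(data))
        data += bytes([len(s)]) + s.encode() + b"\x00"   # ULEB128 len (<128) + MUTF-8
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header + ids + data)
```

Because the payload is only fetched at runtime, this catches the loader's footprint rather than the downloaded JAR, so it belongs alongside network monitoring for the POST-then-JAR-download pattern.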

The team discovered the new malware while conducting research on two existing pieces of Android malware, DroidKungFu and YZHCSMS. These and other pieces of malware such as DroidDream are indicative of a trend toward targeting Android devices with online attacks.

Google has historically taken a hands-off approach to policing the Android Market. It will suspend and remove suspicious or malicious applications when they are reported, but it does not vet applications before posting them, as Apple does with its App Store. A growing population of Android users and a burgeoning Android Market, however, may challenge that approach.

A company spokesman said that the company has security measures in place to ensure the integrity of Android applications.

“We are committed to providing a secure Android Market experience for consumers. Our approach includes clearly defined Android Market Content policies that developers must adhere to, plus a multi-layered security model based on user permissions and application sandboxing. Applications in violation of our policies are removed from Android Market,” he said in an e-mail message.

Comments (9)

  1. jmb98115

    I wish that announcements like this would come with a list of the known offending apps and publishers.

  2. Anonymous

    So, how about a list of infected applications? Why would you post an article about trojaned apps and not include this information? This is bad journalism, folks.

  3. Anonymous

    The list of infected apps includes:

    Floating Image Free
    System Monitor
    Super StopWatch and Timer
    System Info Manager
    Call End Vibrate
    Quick Photo Grid
    Delete Contacts
    Quick Uninstaller
    Contact Master
    Brightness Settings
    Volume Manager
    Super Photo Enhance
    Super Color Flashlight
    Paint Master
    Quick Cleaner
    Super App Manager
    Quick SMS Backup
    Tetris
    Bubble Buster Free
    Quick History Eraser
    Super Compass and Leveler
    Go FallDown !
    Solitaire Free
    Scientific Calculator
    TenDrip

  4. jdw242b

    It doesn’t help to post the app names without the publisher names too. I know two in the list that are in the Market under two different creators.

  5. rRamjet

    It certainly looks like this is the beginning of the end of a free and open marketplace.

    I work in the Mobile Device Management space and this question keeps coming up time and time again. How do we protect our corporate networks from these apps? I am sure there are similar infections in iOS, it’s just that no one has found them yet.

    http://mscmobility.com.au/msc-mobility-news/