Google says it has suspended a number of suspicious applications from the Android Market after researchers at NC State announced they had discovered a new and particularly stealthy piece of spyware, dubbed “Plankton,” lurking in Android applications there.
According to a report by computer science professor Xuxian Jiang, the Plankton spyware represents an evolution in Android malware by attempting to obscure itself using a native class loading capability, rather than trying to gain root access to Android phones. The NC State team claims this sort of exploitation is the first of its kind.
Ten Android apps in the official Android Market are known to be infected, but many more could be victims of the Plankton Trojan. Jiang claims that early variants of the Trojan have evaded detection for as long as two months.
A Google spokesman said the company has already taken action to remove the malicious applications.
“We’re aware of and have suspended a number of suspicious applications from Android Market,” a Google spokesperson told Threatpost. “We remove apps and developer accounts that violate our policies.”
Plankton works like a parasite, latching onto its host application as a background service that has no effect on the app's intended purpose. When a user runs an infected application on an Android phone, Plankton collects information such as the device ID and the list of granted permissions and sends it to a remote update server via an HTTP POST message, the NC State researchers found.
That remote server returns a URL pointing to an executable file for the device to download. Once downloaded, the jar file is loaded dynamically, so the payload evades static analysis and is difficult to detect.
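A detection heuristic for the behaviour described above, added here as an example and not part of the original report or of the NC State analysis: it scans constructed per-app proxy log lines for an app that first POSTs its device ID and permission list to a server and then fetches executable code from it. The log format, hostnames, application names and field names are all assumptions.

```python
"""Flag the profile-then-fetch-code pattern in per-app network logs."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample log (not real Plankton traffic). Each line is:
#   <app package> <HTTP method> <url> [comma-separated body field names]
SAMPLE_LOG = """\
com.example.game POST http://updates.example.net/check device_id,permissions
com.example.game GET http://updates.example.net/payload/plugin.jar
com.example.notes POST http://sync.example.org/api/v1/notes title,body
com.example.notes GET http://sync.example.org/static/logo.png
"""

# Body fields that together look like device profiling, and URL suffixes
# that mean the app is pulling code rather than data.
PROFILE_FIELDS = {"device_id", "permissions"}
CODE_SUFFIX = re.compile(r"\.(jar|dex|apk)(\?.*)?$", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    app: str
    method: str
    url: str
    fields: frozenset[str]


def parse(log: str) -> list[Event]:
    """Parse the assumed log format; lines with fewer than three tokens are skipped."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        fields = frozenset(parts[3].split(",")) if len(parts) > 3 else frozenset()
        events.append(Event(parts[0], parts[1].upper(), parts[2], fields))
    return events


def find_profile_then_fetch(events: list[Event]) -> list[str]:
    """Return apps that POST device profile fields and later GET a code file."""
    suspects = []
    seen_profile: set[str] = set()
    for e in events:  # events are assumed to be in chronological order
        if e.method == "POST" and PROFILE_FIELDS <= e.fields:
            seen_profile.add(e.app)
        elif e.app in seen_profile and e.method == "GET" and CODE_SUFFIX.search(e.url):
            if e.app not in suspects:
                suspects.append(e.app)
    return suspects
```

Run against a real proxy export, the same two-step check is a cheap first filter; a legitimate plugin updater can trip it, so it is a triage signal, not a verdict.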
Analysis of the payload shows that the virus does not provide root exploits, but supports a number of bot-related commands. One notable function is that it can be used to collect information on users' accounts.
The team discovered the new malware while conducting research on two existing pieces of Android malware, DroidKungFu and YZHCSMS. These and other pieces of malware such as DroidDream are indicative of a trend toward targeting Android devices with online attacks.
Google has historically taken a hands-off approach to policing the Android Marketplace. It will suspend and remove suspicious or malicious applications when they’re reported, but does not vet applications prior to posting them, as Apple does with its AppStore. A growing population of Android users and burgeoning Android Marketplace, however, may challenge that approach.
A company spokesman said that the company has security measures in place to ensure the integrity of Android applications.
“We are committed to providing a secure Android Market experience for consumers. Our approach includes clearly defined Android Market Content policies that developers must adhere to, plus a multi-layered security model based on user permissions and application sandboxing. Applications in violation of our policies are removed from Android Market,” he said in an e-mail message.