Trojan:AndroidOS/Plankton.gen!A
First posted on 26 July 2012.
Source: Microsoft
Aliases:
Trojan:AndroidOS/Plankton.gen!A is also known as HEUR:Trojan.AndroidOS.Plangton.a (Kaspersky), Adware.Startapp.origin (Dr.Web), Android/Plankton.H trojan (ESET), Andr/NewyearL-B (Sophos).
Explanation:
Trojan:AndroidOS/Plankton.gen!A is a trojan that affects mobile devices running the Android operating system. It may arrive as part of repackaged Android apps downloaded from third-party Android app markets. It changes the device's settings and steals information stored on the device.
Installation
Once installed, it runs in the background as the service "Apperhand". In the wild, we have seen it use the file name "iPhone_Lock_Screen_v1.7_Pro.apk", as well as the names of other repackaged applications.
Payload
Runs commands
Trojan:AndroidOS/Plankton.gen!A can run the following commands:
- /activate - responds to requests for activation
- /homepage - sets homepage of the device's browser
- /commandstatus - reports whether the malware routines returned success or a failure/exception
- /bookmarks - gets and sets bookmarks
- /shortcuts - gets and sets application shortcuts
- /notifications - gets and sets the content of the notification/response
- /terminate - terminates the service
- /info - processes a succession of commands
- /unexpectedexception - returns an error
- /optout - validates responses and parameters returned from the above commands
Connects to servers
Trojan:AndroidOS/Plankton.gen!A sends HTTP POST requests in the background to the server "www.apperhand.com" containing data stolen from the device. The data includes, but may not be limited to:
- First Time Activation
- Application ID
- Application Details
- Brand
- Build number
- Developer ID
- Device
- Display metrics
- IMEI
- Locale
- Protocol version
- Release version
- SDK version
- Source IP
- User Agent
- User ID
It also contacts "www.searchmobileonline.com" to send information related to search engine queries.
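The command paths and contacted hosts listed above can be turned into a simple network-side detection. The following script is an added example (not Microsoft's analysis tooling): it assumes a constructed proxy log format of "timestamp client_ip method url status" and reports, per client, which of the two hosts were contacted, how many POST requests were made, and which Plankton command paths appeared.

```python
import re
from collections import defaultdict

# Indicators taken from the description above: the two contacted hosts and the command paths.
PLANKTON_HOSTS = {"www.apperhand.com", "www.searchmobileonline.com"}
PLANKTON_COMMANDS = {
    "/activate", "/homepage", "/commandstatus", "/bookmarks", "/shortcuts",
    "/notifications", "/terminate", "/info", "/unexpectedexception", "/optout",
}

# Assumed (constructed) proxy log format: "<timestamp> <client_ip> <METHOD> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>https?://(?P<host>[^/\s:]+)(?::\d+)?(?P<path>/[^\s?]*)?\S*) (?P<status>\d{3})$"
)

# Constructed sample log lines for this example; one client shows Plankton-like traffic.
SAMPLE_LOG = [
    "2012-07-26T10:00:01Z 10.0.0.5 POST http://www.apperhand.com/activate 200",
    "2012-07-26T10:00:02Z 10.0.0.5 POST http://www.apperhand.com/info 200",
    "2012-07-26T10:00:03Z 10.0.0.5 GET http://www.searchmobileonline.com/?q=test 200",
    "2012-07-26T10:00:04Z 10.0.0.7 GET http://example.org/index.html 200",
    "this line is deliberately malformed and must be skipped",
]


def scan_log(lines):
    """Return {client_ip: {"hosts": set, "commands": set, "posts": int}} for clients
    that contacted a Plankton host. Lines that do not parse are ignored."""
    findings = defaultdict(lambda: {"hosts": set(), "commands": set(), "posts": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = m["host"].lower()
        if host not in PLANKTON_HOSTS:
            continue  # only traffic to the listed hosts is of interest here
        rec = findings[m["client"]]
        rec["hosts"].add(host)
        if m["method"] == "POST":
            rec["posts"] += 1  # the description says stolen data goes out via HTTP POST
        path = (m["path"] or "/").rstrip("/").lower()
        if path in PLANKTON_COMMANDS:
            rec["commands"].add(path)
    return dict(findings)


if __name__ == "__main__":
    for client, rec in scan_log(SAMPLE_LOG).items():
        print(client, sorted(rec["hosts"]), rec["posts"], sorted(rec["commands"]))
```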
Analysis by Marianne Mallen
Last update 26 July 2012