Plankton – Android Malware found on the official Market

Posted by & filed under , .

A security researcher (Xuxian Jiang, Assistant Professor, Department of Computer Science, NC State University) found another spyware into the official Android Market.

Here you can find all the details of his research. This is what he wrote about Plankton:

How it works

Plankton is included in host apps by adding a background service. (The removal of this background service does not affect in any way the functionality of the host app.) This background service is started in the modified onCreate() method of the main activity inside the app. In other words, when the infected app runs, it will bring up the background service. The background service will collect information, including the device ID as well as the list of granted permissions to the infected app, and send them back to a remote server (through an HTTP POST message) —

On the server side, possibly based on the collected information (especially the list of granted permissions), the server will return back a URL for it to download. The URL points to a jar file with executable code (i.e., Dalvik bytecode). The jar file is essentially a payload, which once downloaded, will be dynamically loaded (through the standard DexClassLoader). Doing so will allow the payload to evade static analysis and make it hard to detect. After loading, the init() method of a hardcoded payload class is invoked (through the reflection API in Android). Note that such design reflects an earlier RootStrap prototype developed by Jon Oberheide.


Analyzing the payloads

We have managed to play with Plankton and successfully downloaded a payload with two different versions: plankton_v0.0.3.jar and plankton_v0.0.4.jar. Our analysis shows that these payloads do not provide root exploits. Instead, they only support a number of basic bot-related commands that can be remotely invoked. The list of commands supported in version 0.0.4 is shown in the figure below. Basically, the /bookmarks command collects the bookmark information on the phone; /shortcuts allows for the installation or removal of home screen shortcuts; /history steals browser history information; and /dumplog essentially executes the logcat command to collect runtime log information etc.

During our investigation, we also identified an interesting function that if invoked can be used to collect user’s accounts. Though our analysis shows that this function is not linked to any supported command, its presence as well as the capability of dynamically loading a new payload can easily turn stealing user’s accounts or even launching root exploits into reality.


The Plankton code appears in a number of applications that were all focused on the popular game series Angry Birds. Some of the samples we looked at came as Android apps with names like Angry Birds Rio Unlocker v1.0, Angry Birds Multi User v1.00 or Angry Birds Cheater Trainer Helper V2.0.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>