Stealthy Plankton Malware Found in Official Android Market


While continuing an Android-related research project after the discovery of the DroidKungFu and YZHCSMS malware, my research team also came across a new stealthy Android spyware in the Official Android Market. This spyware does not attempt to root Android phones; instead it is designed to stay stealthy by running its payload under the radar. In fact, Plankton is the first Android malware we are aware of that exploits the Dalvik class-loading capability both to stay stealthy and to dynamically extend its own functionality. Our investigation indicates that there are at least 10 infected Android apps in the Official Android Market from three different developers. Its stealthy design also explains why some earlier variants have been there for more than 2 months without being detected by current mobile anti-virus software.

How it works

Plankton is included in host apps by adding a background service. (Removing this background service does not affect the functionality of the host app in any way.) This background service is started from the modified onCreate() method of the app's main activity. In other words, whenever the infected app runs, it brings up the background service. The background service collects information, including the device ID as well as the list of permissions granted to the infected app, and sends it to a remote server (through an HTTP POST message) -- http://www.xxxxxx.com/ProtocolGW/installation.

On the server side, possibly based on the collected information (especially the list of granted permissions), the server returns a URL for the service to download. The URL points to a jar file containing executable code (i.e., Dalvik bytecode). The jar file is essentially a payload which, once downloaded, is dynamically loaded through the standard DexClassLoader. Because the payload is never present in the app package, this allows it to evade static analysis and makes it hard to detect. After loading, the init() method of a hardcoded payload class is invoked through the Android reflection API. Note that this design mirrors the earlier RootStrap prototype developed by Jon Oberheide.
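The two paragraphs above describe a three-stage pattern: a background service started from onCreate(), a check-in POST to the ProtocolGW endpoint, and a DexClassLoader load of downloaded bytecode followed by a reflective call into the loaded class. The Python script below is an added example (not code from the original post or from our research project) of a static triage heuristic over a decompiled smali listing that flags an APK only when all three stages co-occur, which keeps legitimate plugin frameworks that use DexClassLoader alone from firing. The smali listings are constructed for illustration; only the ProtocolGW/installation path comes from the post, and the indicator names and regular expressions are my own choices.

```python
"""Static triage heuristic for the Plankton-style dynamic-loading pattern.

Scans decompiled smali lines (e.g. from apktool/baksmali output) for the
three behaviours described in the write-up and reports a match only when
all of them are present in the same app.
"""
import re
from collections import defaultdict

# Indicators for each stage of the behaviour described above.
# (Regexes and names are assumptions made for this example.)
INDICATORS = {
    # Stage 1: background service started from the host app
    "start_service": re.compile(r"Landroid/content/Context;->startService\("),
    # Stage 2: check-in with the remote server (URL constant or HTTP POST)
    "checkin_url": re.compile(r'const-string .*"https?://[^"]*ProtocolGW/installation"'),
    "http_post": re.compile(r"Lorg/apache/http/client/methods/HttpPost;-><init>"),
    # Stage 3: dynamic dex loading plus reflective call into the payload
    "dex_class_loader": re.compile(r"Ldalvik/system/DexClassLoader;-><init>"),
    "load_class": re.compile(r"Ldalvik/system/DexClassLoader;->loadClass\("),
    "get_method": re.compile(r"Ljava/lang/Class;->getMethod\("),
    "reflective_invoke": re.compile(r"Ljava/lang/reflect/Method;->invoke\("),
}


def scan_smali(lines):
    """Return {indicator_name: [1-based line numbers]} for every hit."""
    hits = defaultdict(list)
    for lineno, line in enumerate(lines, 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[name].append(lineno)
    return dict(hits)


def matches_plankton_pattern(hits):
    """True only when dynamic loading, reflection and a network check-in
    all appear; any one of them alone is common in benign apps."""
    dynamic_load = "dex_class_loader" in hits or "load_class" in hits
    reflection = "get_method" in hits or "reflective_invoke" in hits
    network = "checkin_url" in hits or "http_post" in hits
    return dynamic_load and reflection and network


# Constructed smali excerpt modelled on the described behaviour
# (class names and registers are invented; the URL host is the post's
# redacted value).
SUSPECT_SMALI = """\
.class public Lcom/example/host/MainActivity;
.method public onCreate(Landroid/os/Bundle;)V
    new-instance v0, Landroid/content/Intent;
    const-class v1, Lcom/example/host/BgService;
    invoke-direct {v0, p0, v1}, Landroid/content/Intent;-><init>(Landroid/content/Context;Ljava/lang/Class;)V
    invoke-virtual {p0, v0}, Landroid/content/Context;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;
.end method
.class public Lcom/example/host/BgService;
.method private checkIn()V
    const-string v0, "http://www.xxxxxx.com/ProtocolGW/installation"
    new-instance v1, Lorg/apache/http/client/methods/HttpPost;
    invoke-direct {v1, v0}, Lorg/apache/http/client/methods/HttpPost;-><init>(Ljava/lang/String;)V
.end method
.method private loadPayload(Ljava/lang/String;)V
    new-instance v0, Ldalvik/system/DexClassLoader;
    invoke-direct {v0, p1, v1, v2, v3}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
    invoke-virtual {v0, v4}, Ldalvik/system/DexClassLoader;->loadClass(Ljava/lang/String;)Ljava/lang/Class;
    invoke-virtual {v5, v6, v7}, Ljava/lang/Class;->getMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;
    invoke-virtual {v8, v9, v10}, Ljava/lang/reflect/Method;->invoke(Ljava/lang/Object;[Ljava/lang/Object;)Ljava/lang/Object;
.end method
"""

# Constructed benign excerpt: a service plus an ordinary HTTP POST, but no
# dynamic loading or reflection, so it must not be flagged.
BENIGN_SMALI = """\
.class public Lcom/example/benign/SyncService;
.method public onCreate()V
    invoke-virtual {p0, v0}, Landroid/content/Context;->startService(Landroid/content/Intent;)Landroid/content/ComponentName;
    new-instance v1, Lorg/apache/http/client/methods/HttpPost;
    invoke-direct {v1, v0}, Lorg/apache/http/client/methods/HttpPost;-><init>(Ljava/lang/String;)V
.end method
"""


if __name__ == "__main__":
    for label, listing in (("suspect", SUSPECT_SMALI), ("benign", BENIGN_SMALI)):
        hits = scan_smali(listing.splitlines())
        print(label, "->", "FLAGGED" if matches_plankton_pattern(hits) else "clean", hits)
```

Run it against a real apktool output directory by concatenating the `.smali` files into one line list; the per-indicator line numbers let an analyst jump straight to the loader and check-in code instead of reading the whole app.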