| « Fraudulent Apps back from the dead |
Google Android Market is infected from new Plankton (Apperhand) variant
More than a Million infected from new Plankton(Apperhand) variant on Google android market
Over the last few weeks, Appriva Threat intelligence lab has seen a new variant of Trojan.Android.Plankton emerge embedded in various apps on the Google Android Market. This variant calls ‘itself’apperhand.
At the time of writing blog, the following apps are being detected by Appriva and one other Antivirus vendor. From the Google Android market it is estimated that more than a million users could be infected.
| App | Author |
| Baloon Game | Ogre Games |
| Deal or BE Millionaire | Ogre Games |
| Counter Strike Ground Force | Iapps7 inc |
| Sexy Ladies 1 | redmicapps |
| Sexy Ladies 2 | redmicapps |
| Sexy Ladies 3 | redmicapps |
| Sexy Ladies 4 | redmicapps |
Normal">Just like the original Plankton malware this one too is included in seemingly legitimate apps by adding a background service. When the app is run it sends the users Device-ID, Manufacturer, Model, source IP, Browser User-agent and Display Matrix to a remote server using a HTTP POST message (www.xxxxxx.com/ProtocolGW/protocol/commands). It also can accept multiple commands from the remote server. We will view the different commands it can get from the server in a little while. The background service in this version is called “Android SDK Provider” (previous versions had Android MDK Provider). This version like the last version can collect User information, read and modify bookmarks, create shortcuts on device home screen and modify the Homepage.
Like the previous version it creates a shortcut on the device home screen that sends a query to http://www.s*****mobileonline.com
Fig 2: Hello Exchange between Malware and server
User Permissions
Here is some of the information the app has access to based on the permissions it requests. It goes well and beyond what is required to make a game app and advertising associated with it.
| Coarse (network-based) location Fine (GPS) location |
| Full Internet Access |
| Personal Information Read & Modify Browser's history and bookmarks |
| Automatically Start at Boot |
Table 1: Information available to malware based on permissions requested
Inside the Malware
The list of commands supported by the versions of the malware we downloaded shown the snippet below.
| BOOKMARKS | Collects Bookmark information |
| SHORTCUTS | Adds home screen shortcuts |
| HOMEPAGE | Modifies the Homepage |
| NOTIFICATIONS | Displays notification on the users phone |
| COMMANDS_STATUS | Get the status of a command |
Table 2: Some of the commands of this malware
Fig 3: Malware Commands
The HOMEPAGE command is new in this version. This version actually has fewer commands than the previous version (HISTORY & UPDATE). This is probably to lessen the likelihood of being detected. However while analyzing the code we did find out that the code infrastructure for these commands is present and these commands can be incorporated at a future point.
Fig 4: Malware collecting Device information
Author: Haroon Malik and Summaira Zafar
4 comments
Wow..its really amazing .......i didnt use it yet but it look like very secure.:D 
Quite good and informative article. 
It does not matter one jot whether the behaviour is malicious or not. Trojan is as Trojan does. This piece of *** is not relevant to the application being installed, it is not announced and it is not wanted and its purpose is to do perform unwanted operations. It is, by definition a trojan. End of.Now just let me break the fingers of the little *** that coded it and the equally odious *** that wanted to distribute it.
This isn't new. The Trojan concerned was first seen in June 2011. Andthe claim that only Appriva and one other supplier detect it is simply not true.
It is detected under various names by at least half a dozen suppliers.
=-=-=-=
Admin's Note: We are referring to Android platform here, right?
This post has 3 feedbacks awaiting moderation...
Comment feed for this post