More Bad News: Two New Pieces Of Android Malware – Plankton and YZHCSMS

06.09.2011

It's spooky out there. Xuxian Jiang's team has ID'd two new pieces of Android malware - that's three in the past week alone.

Researchers at NC State have identified two new pieces of Android malware, called Plankton and YZHCSMS. Plankton is extremely stealthy, steals user information and was found in 10 applications on Google’s official Android Market – which have been downloaded more than 210,000 times. YZHCSMS incurs hidden charges on users’ phone bills, and was found in both the official Android Market and in third-party app stores.

The research team, led by NC State’s Xuxian Jiang, discovered the Plankton and YZHCSMS malware shortly after uncovering the DroidKungFu malware late last week. We’ll tackle the two pieces of malware separately.

PLANKTON:

Plankton is exceptionally stealthy, even by malware standards. It piggybacks onto a host app and, once installed, collects your device ID and the permissions you’ve granted the host app (i.e., the data you’ve allowed that app to access). Plankton then sends that information to a remote server.

This is where things get interesting. The remote server pushes a dynamic payload onto the smartphone. Once loaded, the program is executed, taking advantage of the host app’s permissions to access information on the phone, including: bookmarks, browsing history and the runtime log (which lets them see what’s going on in the phone itself).

More alarming, Plankton shows potential as a delivery mechanism for more nefarious malware – such as “root exploits” that could be used to take over your smartphone completely. However, at this point, researchers have only observed Plankton being used to harvest user data.

For those of you who are tech-minded, Jiang says: “Plankton is the first malware that we are aware of that exploits Dalvik class loading capability to dynamically extend malware functionality while staying stealthy or making existing static analysis less effective.” Jiang’s technical overview of Plankton is available here.

Plankton has been identified in at least 10 free apps, from three different developers, all of which were available on Google’s Android Market. At press time, Jiang had notified Google and they had suspended the apps pending an internal investigation. However, some of these apps had been in the Android Market for over two months and were downloaded hundreds of thousands of times. One app alone had been downloaded well over 100,000 times.

Here is the list of developers and apps associated with Plankton – Applications from developer Crazy Apps include: Shake To Fake (Fake call); Angry Birds Rio Unlock; Angry Birds Cheater; Angry Birds Multi User!; Favorite Games Backup; Call Ender; Bring Me Back My Droid!; and Chit Chat. Other apps affected include Guess the Logo (from a developer by the same name) and Snake Kaka, from developer PHILL DIG.

Because the Plankton malware is so stealthy, and was found in a trustworthy app market, there’s not a lot you can do to defend yourself from it. [Note: Dark Reading reports that Lookout Security thinks Plankton may be aggressive spyware, rather than malware - but is still studying the code.]

YZHCSMS:

Like Plankton, YZHCSMS sneaks into your phone on an infected app. Otherwise, YZHCSMS is a completely different animal. Once it is on your phone, it retrieves a target phone number (generally a relatively expensive “premium” number) from a remote server, and then sends it a text (or SMS) message – incurring a charge on your phone. It repeats this process – retrieving a target number and sending it a message – every 50 minutes. Wouldn’t you notice this, when you got your first bill? Not necessarily. The YZHCSMS malware tries to cover its tracks by removing any evidence of these text messages, as well as billing messages received from the service provider. Jiang’s technical overview of YZHCSMS is available here.
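As an added defender-side illustration (not code from the article or from Jiang’s team), the following Python script does a first-pass static triage of an APK for the two capability patterns described in the Plankton and YZHCSMS sections above: network access combined with runtime class loading through dalvik.system.DexClassLoader (the Dalvik class-loading capability Plankton is described as exploiting), and the SEND_SMS permission combined with SmsManager use and access to the SMS content provider (the send-and-erase pattern attributed to YZHCSMS). The indicator labels, the verdict strings and the in-memory sample APK are constructed for this example. A matching string only shows that an app references a capability; plenty of legitimate apps load code dynamically or send SMS, so the output is a triage hint for an analyst, not a malware verdict.

```python
"""Static triage of an APK for the capabilities described above.

Added example, not code from the article or from Jiang's team. It reads the
APK (a zip file), byte-searches every classes*.dex for class descriptors of
interest and the AndroidManifest.xml for permission names, then combines the
hits into coarse "looks like" verdicts.
"""
import io
import zipfile

# Dex string tables hold class descriptors as "Lpackage/Class;" strings, so a
# raw byte search finds referenced classes without a full dex parser. It shows
# that a class is referenced, not that it is ever invoked.
DEX_INDICATORS = {
    "dynamic_class_loading": [b"Ldalvik/system/DexClassLoader;",
                              b"Ldalvik/system/PathClassLoader;"],
    "sms_sending": [b"Landroid/telephony/SmsManager;",
                    b"Landroid/telephony/gsm/SmsManager;"],
    # Deleting sent or received messages goes through the SMS content provider.
    "sms_store_access": [b"content://sms"],
}

# The compiled manifest keeps attribute values in a string pool that is
# usually UTF-16LE; a plain-text manifest is UTF-8, so both are checked.
PERMISSIONS_OF_INTEREST = [
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",
    "android.permission.READ_LOGS",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
]


def scan_dex(data: bytes) -> set:
    """Return the indicator labels whose descriptor strings occur in the dex."""
    return {label for label, needles in DEX_INDICATORS.items()
            if any(needle in data for needle in needles)}


def scan_manifest(data: bytes) -> set:
    """Return the permissions of interest named anywhere in the manifest."""
    return {perm for perm in PERMISSIONS_OF_INTEREST
            if perm.encode("utf-8") in data or perm.encode("utf-16-le") in data}


def triage_apk(apk_bytes: bytes) -> dict:
    """Scan an APK held in memory and return indicators, permissions, verdicts."""
    dex_hits, perms = set(), set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                dex_hits |= scan_dex(zf.read(name))
            elif name == "AndroidManifest.xml":
                perms |= scan_manifest(zf.read(name))
    verdicts = []
    if "dynamic_class_loading" in dex_hits and "android.permission.INTERNET" in perms:
        verdicts.append("plankton-like: network access plus runtime code loading")
    if "sms_sending" in dex_hits and "android.permission.SEND_SMS" in perms:
        note = " and touches the SMS store" if "sms_store_access" in dex_hits else ""
        verdicts.append("yzhcsms-like: can send SMS" + note)
    return {"dex_indicators": dex_hits, "permissions": perms, "verdicts": verdicts}


def build_sample_apk(dex_strings, permissions, manifest_utf16=True) -> bytes:
    """Constructed stand-in for a real APK: a zip with a fake dex and manifest.

    Only the byte patterns the scanner looks for are reproduced; the files are
    not valid dex or binary XML and will not install on a device.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0".join(dex_strings))
        encoding = "utf-16-le" if manifest_utf16 else "utf-8"
        zf.writestr("AndroidManifest.xml", "\0".join(permissions).encode(encoding))
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_apk(
        [b"Ldalvik/system/DexClassLoader;", b"Landroid/telephony/SmsManager;",
         b"content://sms"],
        ["android.permission.INTERNET", "android.permission.SEND_SMS"])
    benign = build_sample_apk(
        [b"Landroid/app/Activity;"], ["android.permission.INTERNET"])
    for label, sample in (("suspicious", suspicious), ("benign", benign)):
        print(label, triage_apk(sample))
```

To run it on a real APK, read the file into bytes and pass it to triage_apk. The byte-search approach deliberately avoids parsing dex or binary XML so it works on samples that deliberately malform those structures; the cost is that it cannot tell referenced from executed code, which is exactly the gap that makes dynamically loaded payloads hard for static analysis.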

Jiang’s team has found that YZHCSMS has been in the official Android Market for at least three months, and has also found this malware in alternative Chinese app markets and forums.

Note: Jiang’s team identified DroidKungFu earlier this month, and has worked with a number of mobile anti-virus software companies to detect or block the malware. In January, Jiang’s team identified a data-stealing vulnerability in Android 2.3 (Gingerbread).

8 Responses to “More Bad News: Two New Pieces Of Android Malware – Plankton and YZHCSMS”

  1. [...] NC STATE professors have found TWO new cases of Malware (3 this week). PLEASE READ THIS ARTICLE & SPREAD THE WORD. The Community should know and care about these things. Privacy/Security are [...]

  2. s15274n says:

    Thank you NC STATE and your amazing professors. I am actively following you guys and truly appreciate your work.

  3. s15274n says:

    Also… can we have a list of the APPS? The titles and the “DEVELOPERS,” using that term lightly?

  4. djluis48 says:

    Wow…this really sucks….how do I know if I have those? :(

  5. Matt Shipman says:

    Just got clearance to include the list of relevant apps and developers. It’s been incorporated into the post – the penultimate paragraph of the Plankton section.

  6. [...] Recently, several malware apps have been discovered in the Android Marketplace. Tech headlines are brimming with descriptions of malware called DroidDream, DroidKungFu, Plankton, & YZHCSMS. According to Google, just one of these password stealing programs, Plankton, was downloaded over 210,000 times. These malicious programs are capable of stealing personal information, passwords, contacts, emails, browser history, device ids, sending SMS text messages (at a premium cost to you), discretely calling expensive premium numbers, and more. All while hiding themselves from you, the user. These apps are hidden within legitimate looking apps that you can download from Google’s official Android Marketplace. Apps poisoned with the Plankton malware are from developer Crazy Apps: Shake To Fake (Fake call); Angry Birds Rio Unlock; Angry Birds Cheater; Angry Birds Multi User!; Favorite Games Backup; Call Ender; Bring Me Back My Droid!; and Chit Chat. Other apps affected include Guess the Logo (from a developer by the same name) and Snake Kaka, from developer PHILL DIG. Source NCSU [...]

  7. [...] team also uncovered two additional pieces of Android malware last month, Plankton and YZHCSMS. In January, Jiang’s team identified a data-stealing vulnerability in Android 2.3 (Gingerbread). [...]

  8. [...] NC State team, led by Xuxian Jiang, has previously discovered DroidKungFu, Plankton and YZHCSMS – as well as variations on DroidKungFu uncovered last week and a data-stealing vulnerability in [...]
