Researchers at NC State have identified two new pieces of Android malware, called Plankton and YZHCSMS. Plankton is extremely stealthy, steals user information and was found in 10 applications on Google’s official Android Market, which have been downloaded more than 210,000 times. YZHCSMS incurs hidden charges on users’ phone bills, and was found in both the official Android Market and in third-party app stores.
The research team, led by NC State’s Xuxian Jiang, discovered the Plankton and YZHCSMS malware shortly after uncovering the DroidKungFu malware late last week. We’ll tackle the two pieces of malware separately.
Plankton is exceptionally stealthy, even by malware standards. It piggybacks onto a host app and, once installed, collects your device ID and the permissions you’ve granted the host app (i.e., the data you’ve allowed that app to access). Plankton then sends that information to a remote server.
This is where things get interesting. The remote server pushes a dynamic payload onto the smartphone. Once loaded, the program is executed, taking advantage of the host app’s permissions to access information on the phone, including: bookmarks, browsing history and the runtime log (which lets them see what’s going on in the phone itself).
More alarming, Plankton shows potential as a delivery mechanism for more nefarious malware – such as “root exploits” that could be used to take over your smartphone completely. However, at this point, researchers have only observed Plankton being used to harvest user data.
For those of you who are tech-minded, Jiang says: “Plankton is the first malware that we are aware of that exploits Dalvik class loading capability to dynamically extend malware functionality while staying stealthy or making existing static analysis less effective.” Jiang’s technical overview of Plankton is available here.
Plankton has been identified in at least 10 free apps, from three different developers, all of which were available on Google’s Android Market. At press time, Jiang had notified Google and they had suspended the apps pending an internal investigation. However, some of these apps had been in the Android Market for over two months and were downloaded hundreds of thousands of times. One app alone had been downloaded well over 100,000 times.
Here is the list of developers and apps associated with Plankton. Applications from developer Crazy Apps include: Shake To Fake (Fake call); Angry Birds Rio Unlock; Angry Birds Cheater; Angry Birds Multi User!; Favorite Games Backup; Call Ender; Bring Me Back My Droid!; and Chit Chat. Other apps affected include Guess the Logo (from a developer by the same name) and Snake Kaka, from developer PHILL DIG.
Because the Plankton malware is so stealthy, and was found in a trustworthy app market, there’s not a lot you can do to defend yourself from it. [Note: Dark Reading reports that Lookout Security thinks Plankton may be aggressive spyware, rather than malware - but is still studying the code.]
Like Plankton, YZHCSMS sneaks into your phone on an infected app. Otherwise, YZHCSMS is a completely different animal. Once it is on your phone, it retrieves a target phone number (generally a relatively expensive “premium” number) from a remote server, and then sends it a text (or SMS) message – incurring a charge on your phone. It repeats this process – retrieving a target number and sending it a message – every 50 minutes. Wouldn’t you notice this, when you got your first bill? Not necessarily. The YZHCSMS malware tries to cover its tracks by removing any evidence of these text messages, as well as billing messages received from the service provider. Jiang’s technical overview of YZHCSMS is available here.
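As an added example (not code from Jiang’s team or from this article), the following Python heuristic looks for the YZHCSMS pattern described above in a device event log: repeated text messages to one destination at roughly 50-minute intervals, each followed by deletion of the sent-message record. The log format, event names and field names are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log (not real device output); field names are assumed.
SAMPLE_LOG = """\
2011-06-12T09:00:00 SMS_SENT id=101 to=10669999
2011-06-12T09:00:02 SMS_DELETED id=101
2011-06-12T09:50:01 SMS_SENT id=102 to=10669999
2011-06-12T09:50:03 SMS_DELETED id=102
2011-06-12T10:15:00 SMS_SENT id=103 to=+15551234567
2011-06-12T10:40:00 SMS_SENT id=104 to=10669999
2011-06-12T10:40:01 SMS_DELETED id=104
2011-06-12T11:30:02 SMS_SENT id=105 to=10669999
2011-06-12T11:30:04 SMS_DELETED id=105
"""

LINE_RE = re.compile(r"^(\S+) (\S+)\s*(.*)$")

def parse_log(log):
    # Yield (timestamp, event, fields) for each "<iso-time> <EVENT> k=v ..." line.
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        yield datetime.fromisoformat(m.group(1)), m.group(2), fields

def find_hidden_periodic_sms(log, period=timedelta(minutes=50),
                             slack=timedelta(minutes=3), min_sends=3,
                             delete_window=timedelta(seconds=30)):
    # Map destination -> number of sends that were deleted right after sending
    # and recur at roughly `period` intervals (the YZHCSMS pattern).
    events = list(parse_log(log))
    deleted_at = {f["id"]: ts for ts, ev, f in events if ev == "SMS_DELETED"}
    sends = defaultdict(list)
    for ts, ev, f in events:
        if ev == "SMS_SENT":
            sends[f["to"]].append((ts, f["id"]))
    flagged = {}
    for number, sent in sends.items():
        # Keep only sends whose record was removed within delete_window.
        hidden = [(ts, i) for ts, i in sorted(sent) if i in deleted_at
                  and timedelta(0) <= deleted_at[i] - ts <= delete_window]
        if len(hidden) < min_sends:
            continue
        gaps = [b[0] - a[0] for a, b in zip(hidden, hidden[1:])]
        periodic = sum(1 for g in gaps if abs(g - period) <= slack)
        if periodic >= min_sends - 1:
            flagged[number] = len(hidden)
    return flagged
```

On the constructed log the destination 10669999 is flagged with four hidden sends, while the single ordinary message to the other number is ignored.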
Jiang’s team has found that YZHCSMS has been in the official Android Market for at least three months, and has also found this malware in alternative Chinese app markets and forums.
Note: Jiang’s team identified DroidKungFu earlier this month, and has worked with a number of mobile anti-virus software companies to detect or block the malware. In January, Jiang’s team identified a data-stealing vulnerability in Android 2.3 (Gingerbread).