Android Market’s Malware Flood Level Rises With Plankton Surge

Yet another Android malware package has been publicized just two weeks after the last one, dubbed “DroidDream Light,” was disclosed.

This latest malware, named “Plankton” by Xuxian Jiang, an assistant professor in North Carolina State University’s computer science department, exploits Dalvik, Android’s process virtual machine, Jiang wrote.

That allowed it remain undetected by traditional antivirus software packages for mobile OSes for more than two months, he stated.

Jiang notified Google June 5 about 10 infected apps in the Android Market, and these apps were immediately suspended pending investigation, he said.

“We’re aware of and have suspended a number of suspicious applications from Android Market,” Google spokesperson Randall Sarafa told LinuxInsider.

“We remove apps and developer accounts that violate our policies,” he added.

Jiang did not respond to requests for comment by press time.

How Plankton Bugs the Google Whale

Plankton is the first malware Jiang’s team knows of that exploits the Dalvik class loading capacity to remain hidden and dynamically extend its own functionality, the researcher said.

Dalvik is an integral part of the OS. Android apps are converted into the Dalvik Executable format before execution.

Apps are infected with Plankton by adding a background service, Jiang wrote.

This service is brought up when the app is run. It collects information, including the device ID and the list of permissions granted to the infected app, then transmits them to a remote server through an HTTP POST message.

The server will return a URL for Plankton to download. This points to a JAR (Java Archive) file containing executable Dalvik bytecode.

JAR files are used to distribute Java applications or libraries in the form of Java class files, associated metadata and resources such as text and images.

Plankton’s Payloads

Once the JAR file’s downloaded, it will be dynamically loaded into the system, Jiang wrote. This allows it to evade static analysis — which is what most antivirus software packages do, thus making it hard to detect.

Jiang’s team found that there are two versions of the JAR payload in Plankton.

These only support some basic bot-related commands that can be invoked remotely, but they don’t provide root exploits, Jiang wrote.

The commands can do various things. These include collecting the bookmark information on the infected device, installing or removing home screen shortcuts, stealing browser history information and collecting runtime log information.

Another function can collect users’ accounts if invoked. This, combined with the capability of dynamically loading a new payload, can let hackers steal users’ accounts or launch root exploits, Jiang wrote.

Coping With the Vermin

Symantec has warned that Android is one of the major targets for hackers, and the Android Market’s rate of growth is reportedly outstripping that of the iTunes App Store.

However, Google so far has only suspended infected apps, then removed them. It’s also possibly taken action against the writers of these apps.

That doesn’t sit well with some security experts.

Google “have to respect the aquatic nature of their environment and must maintain a proper PH before it becomes hazardous to the consumer,” Tom Kellerman, chief technology officer at AirPatrol, told LinuxInsider.

“The open nature of online app markets allows hackers to easily hide malware and phishing exploits within apps for global distribution,” Alicia DiVittorio, a spokesperson for Lookout Mobile Security, told LinuxInsider. Millions of consumers have already been victimized by Android malware, she added.

Things are going to get worse for the Android Market because of its rapid growth, Stephen Gates, director of field engineering at Top Layer, pointed out.

“Since the Android Market is exploding, and today you can even buy a TV that runs Android software, it just makes sense to go after this market with gusto,” Gates told LinuxInsider.

He suggests Google should perhaps force app developers to perform due diligence themselves, or pay to have a third party vet their apps and then divide the Android market up into “Pre-Scanned Apps” and “You’re On Your Own” apps.

“Give the consumers the choice as to whether to download pre-scanned apps or not,” Gates said.


  • Yet another malware beast, or should I say Sea Monster, has raised it’s ugly head! Thanks Richard for your insightful comments. Just one more reason that mobile content providers need to become more diligent when securing their networks. In order to defend against this type of infestation, providers (even Android) can no longer rely on point solutions such as firewalls, IDS/IPS device, or simple IP reputations. Solutions that can provide deep content inspection to detect embedded attacks across the apps marketplace should be implemented to combat these threats. Our company, Wedge Networks has focused on building solutions for years and is leading efforts to prevent bad things from flowing out…or in.

  • Why is it that Google can’t stop this? I realize that they allow Apps to be posted without screening. But there is a main submission site. Why can’t these Apps be screened for malware? Smart phones are just sitting ducks for this malware. I think this is the main problem with open source, open marketplace Apps. The advantage to Apple’s App store is oversight. In these time’s where Malware and hackers seem to have nothing better to do with their skills. We need more oversight from Google to protect their systems. Its obvious from the Sony problems that not enough is being done.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Related Stories
More by Richard Adhikari
More in Enterprise

LinuxInsider Channels