Trojan:AndroidOS/Plankton.gen!A is a trojan that affects mobile devices running the Android operating system. It may arrive as part of repackaged Android apps downloaded from third-party Android app markets. It changes the device's settings and steals information stored on the device.
Threat behavior
Installation
Once installed, it runs in the background as the service "Apperhand". In the wild, we have seen it use the file name "iPhone_Lock_Screen_v1.7_Pro.apk", as well as the names of other repackaged applications.
Payload
Runs commands
Trojan:AndroidOS/Plankton.gen!A can run the following commands:
/activate - responds to requests for activation
/homepage - sets the homepage of the device's browser
/commandstatus - reports whether the malware routines returned success or a failure/exception
/bookmarks - gets and sets bookmarks
/shortcuts - gets and sets application shortcuts
/notifications - gets and sets the content of the notification/response
/terminate - terminates the service
/info - processes a succession of commands
/unexpectedexception - returns an error
/optout - validates the responses and parameters returned from the above commands
Connects to servers
Trojan:AndroidOS/Plankton.gen!A sends HTTP POST requests in the background to the server "www.apperhand.com" containing data stolen from the device. The data includes, but may not be limited to, the following:
First Time Activation
Application ID
Application Details
Brand
Build number
Developer ID
Device
Display metrics
IMEI
Locale
Protocol version
Release version
SDK version
Source IP
User Agent
User ID
It also contacts "www.searchmobileonline.com" to send information related to search engine queries.
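The two server names above and the command paths listed under "Runs commands" are the observable network indicators this entry gives. The following is an added example, not code from this encyclopedia entry or from Microsoft, of how a defender could scan proxy-style HTTP logs for those indicators and group hits per client device. The log line format and the sample lines are constructed for illustration; the only real values are the hostnames and paths taken from the text above.

```python
"""Detect contact with the Plankton C2 hosts named in the entry.

Added example, not part of the original encyclopedia entry. The log format
and the SAMPLE_LOG lines are constructed; only the hostnames and command
paths come from the entry's text.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Network indicators stated in the entry ("Connects to servers").
C2_HOSTS = {"www.apperhand.com", "www.searchmobileonline.com"}

# Command paths listed in the entry ("Runs commands").
COMMAND_PATHS = {
    "/activate", "/homepage", "/commandstatus", "/bookmarks", "/shortcuts",
    "/notifications", "/terminate", "/info", "/unexpectedexception", "/optout",
}

# Constructed proxy log format: "<timestamp> <client_ip> <method> <host> <path> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Alert:
    client: str
    host: str
    path: str
    reason: str


def classify(line):
    """Return an Alert if the line shows contact with a Plankton C2 host, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: ignored, not treated as malicious
    host = m["host"].lower()
    path = m["path"].split("?", 1)[0]  # drop query string before comparing
    if host not in C2_HOSTS:
        return None
    if path in COMMAND_PATHS:
        reason = f"known Plankton command path {path}"
    elif m["method"] == "POST":
        reason = "POST to Plankton C2 host (possible data exfiltration)"
    else:
        reason = "contact with Plankton C2 host"
    return Alert(client=m["client"], host=host, path=path, reason=reason)


def scan(lines):
    """Scan an iterable of log lines and return all alerts in order."""
    return [a for a in (classify(line) for line in lines) if a is not None]


def affected_clients(alerts):
    """Group alert reasons by client IP so each suspect device is listed once."""
    by_client = defaultdict(list)
    for alert in alerts:
        by_client[alert.client].append(alert.reason)
    return dict(by_client)


# Constructed sample log: one clean request, one device talking to both hosts.
SAMPLE_LOG = [
    "2024-05-21T10:00:01Z 10.0.0.7 GET www.example.org / 200",
    "2024-05-21T10:00:05Z 10.0.0.12 POST www.apperhand.com /activate 200",
    "2024-05-21T10:00:09Z 10.0.0.12 POST www.apperhand.com /upload?x=1 200",
    "2024-05-21T10:00:15Z 10.0.0.12 GET www.searchmobileonline.com /search?q=test 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for client, reasons in affected_clients(scan(SAMPLE_LOG)).items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

Because a proxy log usually does not retain request bodies, the script keys on host and path only; the stolen-field list above (IMEI, Developer ID, and so on) would only be visible with body capture or on-device inspection.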