Trojan:AndroidOS/Plankton.gen!A

Trojan:AndroidOS/Plankton.gen!A is a trojan that affects mobile devices running the Android operating system. It may arrive as part of repackaged Android apps and downloaded from third-party Android app markets. It changes the device's settings, and steals information stored in the device.

Installation

Once installed, it runs in the background as the service "Apperhand". In the wild, we have seen it use the file name "iPhone_Lock_Screen_v1.7_Pro.apk", as well as the names of other repackaged applications.

Payload

Runs commands

Trojan:AndroidOS/Plankton.gen!A can run the following commands:

• /activate - responds to requests for activation
• /homepage - sets homepage of the device's browser
• /commandstatus - receives status if a failure/exception or success is returned from the malware routines
• /bookmarks - gets and sets bookmarks
• /shortcuts - gets and sets application shortcuts
• /notifications - gets and sets the content of the notification/response
• /terminate - terminates the service
• /info - processes succession of commands
• /unexpectedexception - returns an error
• /optout - validates responses and parameters returned from the above commands

Connects to servers

Trojan:AndroidOS/Plankton.gen!A sends HTTP POST requests in the background to the server "www.apperhand.com" containing data stolen from the device. The data includes, but may not be limited to:

• First Time Activation
• Application ID
• Application Details
• Brand
• Build number
• Developer ID
• Device
• Display metrics
• IMEI
• Locale
• Protocol version
• Release version
• SDK version
• Source IP
• User Agent
• User ID

It also contacts "www.searchmobileonline.com" to send information related to search engine queries.

Analysis by Marianne Mallen