Plankton malware drifts into Android Market

Filed Under: Android, Google, Malware, Mobile, Privacy, SophosLabs


The rate at which we discover new malware samples for the Android platform is increasing. At the beginning of the year we got a few samples every month and today it is not uncommon to get a few every week.

While most of the newly discovered samples are released outside of the official Android Market, some aren't, and it is unfortunate that users cannot rely on Google to prevent malicious users from submitting malicious applications to the Android Market.

Because apps are self-signed, there is no good way to verify that an application is coming from a trusted source. Theft of intellectual property is common, as rogue developers are repackaging versions of legitimate applications and selling them under their own names.

Rants aside, the latest potential attack on the market comes in the form of Plankton malware. Plankton has been included in at least ten applications on the Android Market that have now been removed by Google. The malware was initially discovered by Xuxian Jiang, Assistant Professor at North Carolina State University.

The applications that included the Plankton framework were published on the market for more than two months before anybody noticed anything unusual about them. Some of the applications became very popular and were downloaded over 100,000 times.

I had a look at the functionality of Plankton and the available samples. The majority of existing Android malware is very obvious in its intention to provide some kind of benefit, usually financial, to the attacker. The best examples of this are the SMS Trojans that send SMS messages to premium rate service numbers.

As soon as I started analysing the Plankton code I realized why the malware, if we can call it malware, has gone undiscovered on the Android Market for such a long time.

Plankton is one of those borderline pieces of code whose malicious intent is not immediately obvious. The code suggests that it is a platform, but it does not disclose its purpose. Descriptions of the apps pulled from the Android Market contain the text


This application is brought to you free sponsored by Choopcheec Platform. It adds a search shortcut on the home screen or application screen.

Indeed, when I installed one of the affected apps, an additional shortcut appeared on the home screen.

Plankton search

Initially, I assumed that the original intention of Choopcheec Platform was to serve adverts and make money from search referrals.

It suggests users read the End User License Agreement, an old trick of PUAs (Potentially Unwanted Applications), and this paragraph hints at the real purpose of the Choopcheec Platform:


If at our request you send content (e.g., postings, contest submissions, polling questions) or you send us creative suggestions, ideas, notes, drawings, or other information (collectively, the "Submissions"), such Submissions shall be deemed, and shall remain, the property of Angry Bird Cheater. None of the Submissions shall be subject to any obligation of confidence on the part of Angry Bird Cheater, and Angry Bird Cheater shall not be liable for any use or disclosure of any Submissions. Without limitation of the foregoing, Angry Bird Cheater shall exclusively own all now known or hereafter existing rights to the Submissions of every kind and nature throughout the universe and shall be entitled to unrestricted use of the Submissions for any purpose whatsoever, commercial or otherwise, without compensation to the provider of the Submissions.

The behaviour exhibited by the apps that include the platform is outright suspicious. When an app that contains Plankton is installed, a service is launched in the background. The service checks the details of the installed application, including its security permissions, and sends the details to an HTTP server specified in the code. The server replies with a URL that is used to download an additional JAR file with custom code that is loaded by the downloader.

Plankton download and load classes.dex

At the time of writing, the server, hosted in the Amazon cloud, was online and serving requests.

Once the JAR file is downloaded, Plankton uses the DexClassLoader object to load the Dex byte code from the downloaded file. This technique for loading additional code from non-Market websites was demonstrated by Jon Oberheide about a year ago. It provides a potential attacker with a method of circumventing checks of application functionality by Google or by another Android Market provider.

If this is not enough to make you think that Plankton reeks of malware, let's take a look at the downloaded file and its functionality.

The downloaded Dex code launches another connection to the Command server and listens for commands to execute. The available commands are:

These commands remind me of commands used by the early generation IRC spambots.

Overall, although malicious intent is not immediately apparent, the mechanism of downloading additional code, the command-and-control system, and leakage of confidential information to the Plankton server were sufficient characteristics for us to add detection of Plankton framework as Andr/Plankton-A.

The concern with Plankton's approach of loading additional code is that even security software on Android will not get an opportunity to inspect the downloaded file in the usual "on-access" fashion, but only through scheduled and "on-demand" scans.

The pressure on Google is building on two fronts. On one side, users are demanding better security and on the other side security vendors like Sophos are putting pressure on Google to provide better operating system interfaces so that security software can be more effective against the ever-increasing tide of Android malware.

, , , , ,

You might like

5 Responses to Plankton malware drifts into Android Market

  1. guest · 1176 days ago

    OK. What applications are the bad ones? Not enough to just tell us they're out there and that Google is doing something. Remember news stories are supposed to tell us who, WHAT, why, where and how.

    • vanjasvajcer · 1175 days ago

      Sorry, we have not managed to acquire all affected applications so I could not verify the full list. The applications that contain the Chopcheec platform are allegedly:

      Gun Bros Cheat Unlock All Purchases
      Shake To Fake call
      Favorite Games Backup
      Angry Birds Rio Unlocker
      Angry Birds Multiuser
      Angry Birds Cheater Trainer helper
      Time limit kids users bring me back my Droid
      Chit Chat Robo Chat Bathroom Time Chat

      All the above applications have been developed and published by Crazyapps.

      In addition to the Crazyapps applications there were

      Android Snake (by Chopcheec)
      Guess logo (by Planktond)

      All the offending apps are taken off-line by Google.

  2. wb1 · 1175 days ago

    The question in my mind is would Google do the AppStore thing and clamp down, or would that tick off too many people who think open is the answer to everything? I have both Android and iOS and I have no issue using the AppStore, but I know this is a huge stumbling block to not only Google as a company (because they would have to admit they were wrong), but many individuals I know.

  3. pastriesdan · 895 days ago

    Also an ICS Launcher by Syndicate Apps is infected. Any ideas on how to remove this?

  4. DianeC · 775 days ago

    I just downloaded application called Brightest Flashlight Free and it came up having Android.ads.plankton.b and said it was a threat. So I tried it on my tablet and the same thing. I reported it to Google market.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.