Plankton malware drifts into Android Market

The rate at which we discover new malware samples for the Android platform is increasing. At the beginning of the year we got a few samples every month and today it is not uncommon to get a few every week.

While most of the newly discovered samples are released outside of the official Android Market, some aren’t, and it is unfortunate that users cannot rely on Google to prevent malicious users from submitting malicious applications to the Android Market.

Because apps are self-signed, there is no good way to verify that an application is coming from a trusted source. Theft of intellectual property is common, as rogue developers are repackaging versions of legitimate applications and selling them under their own names.

Rants aside, the latest potential attack on the market comes in the form of Plankton malware. Plankton has been included in at least ten applications on the Android Market that have now been removed by Google. The malware was initially discovered by Xuxian Jiang, Assistant Professor at North Carolina State University.

The applications that included the Plankton framework were published on the market for more than two months before anybody noticed anything unusual about them. Some of the applications became very popular and were downloaded over 100,000 times.

I had a look at the functionality of Plankton and the available samples. The majority of existing Android malware is very obvious in its intention to provide some kind of benefit, usually financial, to the attacker. The best examples of this are the SMS Trojans that send SMS messages to premium rate service numbers.

As soon as I started analysing the Plankton code I realized why the malware, if we can call it malware, has gone undiscovered on the Android Market for such a long time.

Plankton is one of those borderline pieces of code whose malicious intent is not immediately obvious. The code suggests that it is a platform, but it does not disclose its purpose. Descriptions of the apps pulled from the Android Market contain the text

This application is brought to you free sponsored by Choopcheec Platform. It adds a search shortcut on the home screen or application screen.

Indeed, when I installed one of the affected apps, an additional shortcut appeared on the home screen.

Plankton search

Initially, I assumed that the original intention of Choopcheec Platform was to serve adverts and make money from search referrals.

It suggests users read the End User License Agreement, an old trick of PUAs (Potentially Unwanted Applications), and this paragraph hints at the real purpose of the Choopcheec Platform:

If at our request you send content (e.g., postings, contest submissions, polling questions) or you send us creative suggestions, ideas, notes, drawings, or other information (collectively, the "Submissions"), such Submissions shall be deemed, and shall remain, the property of Angry Bird Cheater. None of the Submissions shall be subject to any obligation of confidence on the part of Angry Bird Cheater, and Angry Bird Cheater shall not be liable for any use or disclosure of any Submissions. Without limitation of the foregoing, Angry Bird Cheater shall exclusively own all now known or hereafter existing rights to the Submissions of every kind and nature throughout the universe and shall be entitled to unrestricted use of the Submissions for any purpose whatsoever, commercial or otherwise, without compensation to the provider of the Submissions.

The behaviour exhibited by the apps that include the platform is outright suspicious. When an app that contains Plankton is installed, a service is launched in the background. The service checks the details of the installed application, including its security permissions, and sends the details to an HTTP server specified in the code. The server replies with a URL that is used to download an additional JAR file with custom code that is loaded by the downloader.

Plankton download and load classes.dex

At the time of writing, the server, hosted in the Amazon cloud, was online and serving requests.

Once the JAR file is downloaded, Plankton uses the DexClassLoader object to load the Dex byte code from the downloaded file. This technique for loading additional code from non-Market websites was demonstrated by Jon Oberheide about a year ago. It provides a potential attacker with a method of circumventing checks of application functionality by Google or by another Android Market provider.

If this is not enough to make you think that Plankton reeks of malware, let’s take a look at the downloaded file and its functionality.

The downloaded Dex code launches another connection to the Command server and listens for commands to execute. The available commands are:

These commands remind me of commands used by the early generation IRC spambots.

Overall, although malicious intent is not immediately apparent, the mechanism of downloading additional code, the command-and-control system, and leakage of confidential information to the Plankton server were sufficient characteristics for us to add detection of Plankton framework as Andr/Plankton-A.

The concern with Plankton’s approach of loading additional code is that even security software on Android will not get an opportunity to inspect the downloaded file in the usual “on-access” fashion, but only through scheduled and “on-demand” scans.

The pressure on Google is building on two fronts. On one side, users are demanding better security and on the other side security vendors like Sophos are putting pressure on Google to provide better operating system interfaces so that security software can be more effective against the ever-increasing tide of Android malware.