North Carolina State University has apparently become our goalie for Android malware, as Xuxian Jiang and his team have found their third batch of Android malware, dubbed “Plankton,” in the past two weeks. And this time, it’s “pretty serious,” according to Andrew Brandt, lead threat research analyst at Webroot. Of course, Brandt and Webroot stand to gain from any malware threat, so we’ll just have to take his opinion with a grain of salt.
As far as the facts go, Plankton “has the ability to remotely access a command-and-control (C&C) server for instructions, and upload additional payloads,” said Brandt. “It uses a very stealthy method to push any malware it wants to phone.” Unlike DroidKungFu and its predecessors, Plankton doesn’t take advantage of a vulnerability to control the phone, but rather calls in other files from the hacker’s server to exploit an unpatched bug in the Android OS. But Plankton doesn’t stop there. The malware also grabs data from the phone, including bookmarks, bookmark history, and the browser home page.
The worst part is the way by which the hackers chose to promote their malware: Angry Birds. Every one of the ten apps pulled by Google were disguised as add-ons or cheats for one of the most popular games in mobile app history, Rovio’s Angry Birds. Of course, none of the apps did what they promised to do, but instead delivered Plankton to the phone.
As said earlier, this isn’t Jiang’s first Android malware discovery, as his team found DroidKungFu in Chinese app stores on June 5, and two days later reported “YZHCSMS,” a Trojan horse that infiltrates the phone and sends text messages to premium numbers. Since early March when Google had to yank over 50 apps from the Market, the Android platform has been bombarded with malware attacks, including DroidDream and DroidDreamLight.
Not to worry though, Google seems to have scrubbed the Market clean, so go ahead and download those Angry Birds cheats to your heart’s content. Just make sure to use common sense: unless you trust the source, keep app downloads in the Android Market, and double-check that app permissions match app functionality.