Android/Plankton.A!tr

Analysis

Android/Plankton.A!tr is a malicious application for Android phones which is usually downloaded by Android/Plankton.A!tr.dldr. This malware contacts a remote C&C server and processes a few hard-coded commands from that server such as:

  • homepage: sets a given URL as homepage
  • bookmarks: gets/sets a list of bookmarks for the phone's browser
  • shortcuts: gets/sets a list of shortcuts for the phone's main application page
  • dumplog: sends debugging information to the C&C
  • activate: registers the device


Technical Details


The details of the commands the malware processes are listed below. Each entry gives the gateway URL (the C&C host is redacted as [REMOVED]), the request and response classes, and their fields.

Command Status: [REMOVED]mobile.com/ProtocolGW/protocol/commandstatus
Request (com.plankton.common.dto.protocol.CommandStatusRequest):
  • statuses: {"message":"SABABA!!!","status":"SUCCESS","command":"ACTIVATION","id":"fe872cfc-68ff-4296-a100-731b3f3179b2","parameters":null}
  • applicationDetails:
    {"applicationId":"325842966#752469853",
    "build":{"brand":"generic","device":"generic","manufacturer":"unknown","model":"sdk","versionRelease":"2.2","versionSDKInt":8},
    "deviceId":"000000000000000",
    "displayMetrics":{"density":1.0,"densityDpi":160,"heightPixels":480,"scaledDensity":1.0,"widthPixels":320,"xdpi":160.0,"ydpi":160.0},
    "locale":"en_US",
    "protocolVersion":"0.0.2",
    "userAgent":"Mozilla/5.0 (Linux; U; Android 2.2; en-us; sdk Build/FRF42) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
    "userId":"NOT IN USE!!!"}}
Response (com.plankton.common.dto.protocol.CommandStatusResponse):
  • nextCommandInterval: 15

Commands: [REMOVED]mobile.com/ProtocolGW/protocol/commands
Request (com.plankton.common.dto.protocol.CommandsRequest):
  • initiationType: "first time"
  • needSpecificParameters: true
  • applicationDetails: see above
Response (com.plankton.common.dto.protocol.CommandsResponse):
  • commands: {"id":"fe872cfc-68ff-4296-a100-731b3f3179b2","parameters":null,"command":"ACTIVATION"}
  • commandsInterval: 15

Activate: [REMOVED]mobile.com/ProtocolGW/protocol/activate
Request (com.plankton.common.dto.protocol.ActivationRequest):
  • missingParameters: ACTIVATED
  • firstTimeActivation: true
  • applicationDetails
Response (com.plankton.common.dto.protocol.ActivationResponse):
  • activation: parameters:
    "LAUNCHERS_LIST":"com.android.launcher2.settings;com.android.launcher.settings;"
    "LAUNCHER_NAME":"com.android.launcher2.settings"
  • eula: http://wwww.our-ula.com

Bookmarks: [REMOVED]mobile.com/ProtocolGW/protocol/bookmarks
Request (com.plankton.common.dto.protocol.BookmarksRequest):
  • bookmarks
  • applicationDetails
Response:
  • bookmarks

DumpLog: [REMOVED]mobile.com/ProtocolGW/protocol/dumplog
Request (com.plankton.common.dto.protocol.DumpLogRequest):
  • logDump:
    zipped: boolean
    log: NOT PRINTED
    filterExpression:
    causedCommand:
    commandId:
  • applicationDetails

History: [REMOVED]mobile.com/ProtocolGW/protocol/history
Request (com.plankton.common.dto.protocol.HistoryRequest):
  • historyList
  • applicationDetails
Response (com.plankton.common.dto.protocol.HistoryResponse):
  • historyList

Installation: [REMOVED]mobile.com/ProtocolGW/protocol/installation
Request (com.plankton.common.dto.protocol.InstallationRequest):
  • permissions
  • currentVersion
  • applicationDetails
Response (com.plankton.common.dto.protocol.InstallationResponse):
  • locationURL
  • fileName

Shortcut: [REMOVED]mobile.com/ProtocolGW/protocol/shortcuts
Request (com.plankton.common.dto.protocol.ShortcutRequest):
  • shortcutList
  • applicationDetails
Response (com.plankton.common.dto.protocol.ShortcutResponse):
  • shortcutList: includes name, link, status and screen.

Other endpoints (no request/response details listed):
Upgrade: [REMOVED]mobile.com/ProtocolGW/protocol/installation
Status: [REMOVED]mobile.com/ProtocolGW/protocol/status
Homepage: [REMOVED]mobile.com/ProtocolGW/protocol/homepage
Terminate: [REMOVED]mobile.com/ProtocolGW/protocol/terminate
Unexpected exception: [REMOVED]mobile.com/ProtocolGW/protocol/unexpectedexception
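As an added example (not part of the original analysis and not Fortinet's or the malware author's code), the following Python classifier flags proxy or sandbox HTTP records whose path matches one of the gateway endpoints listed above and pulls the device id, protocol version and reported command out of the JSON body. The endpoint paths and JSON field names come from the page; the (path, body) record format, the scan helper and the sample beacon body are assumptions constructed for the example.

```python
import json

# Gateway paths from the analysis above; the C&C host itself is redacted on the page.
PLANKTON_PATHS = {
    "/ProtocolGW/protocol/commandstatus": "Command Status",
    "/ProtocolGW/protocol/commands": "Commands",
    "/ProtocolGW/protocol/activate": "Activate",
    "/ProtocolGW/protocol/bookmarks": "Bookmarks",
    "/ProtocolGW/protocol/dumplog": "DumpLog",
    "/ProtocolGW/protocol/history": "History",
    "/ProtocolGW/protocol/installation": "Installation",
    "/ProtocolGW/protocol/shortcuts": "Shortcut",
    "/ProtocolGW/protocol/status": "Status",
    "/ProtocolGW/protocol/homepage": "Homepage",
    "/ProtocolGW/protocol/terminate": "Terminate",
    "/ProtocolGW/protocol/unexpectedexception": "Unexpected exception",
}

def classify_request(path, body):
    """Return a finding dict if (path, JSON body) hits the Plankton gateway, else None."""
    endpoint = PLANKTON_PATHS.get(path.split("?", 1)[0])
    if endpoint is None:
        return None
    try:
        data = json.loads(body)
    except ValueError:  # non-JSON or truncated body: the path alone is enough to flag
        data = {}
    data = data if isinstance(data, dict) else {}
    details = data.get("applicationDetails") or {}
    statuses = data.get("statuses")
    if isinstance(statuses, dict):  # a single status object, as in the capture above
        statuses = [statuses]
    return {
        "endpoint": endpoint,
        "device_id": details.get("deviceId"),
        "protocol_version": details.get("protocolVersion"),
        "commands": [(s.get("command"), s.get("status")) for s in statuses or []],
    }

def scan(records):
    """Run classify_request over (path, body) pairs and keep only the hits (assumed record format)."""
    return [f for f in (classify_request(p, b) for p, b in records) if f]

# Constructed sample: a Command Status beacon shaped like the one documented above.
SAMPLE_BODY = json.dumps({
    "statuses": {"message": "SABABA!!!", "status": "SUCCESS", "command": "ACTIVATION",
                 "id": "fe872cfc-68ff-4296-a100-731b3f3179b2", "parameters": None},
    "applicationDetails": {"deviceId": "000000000000000", "protocolVersion": "0.0.2"},
})
```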

Recommended Action

FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2022-05-18 90.02410
2022-05-11 90.02197
2022-01-05 89.08423
2021-12-22 89.08003
2021-12-01 89.07373
2021-11-24 89.07163
2021-11-10 89.06744
2021-10-27 89.06323
2021-06-05 86.00700
2021-05-26 86.00457