Android/Plankton.A!tr
Analysis
Android/Plankton.A!tr is a malicious application for Android phones which is usually downloaded by Android/Plankton.A!tr.dldr. This malware contacts a remote C&C server and processes a few hard-coded commands from that server such as:
- homepage: sets a given URL as homepage
- bookmarks: gets/sets a list of bookmarks for the phone's browser
- shortcuts: gets/sets a list of shortcuts for the phone's main application page
- dumplog: sends debugging information to the C&C
- activate: registers the device
Technical Details
The details of the commands the malware processes are listed below. Each C&C endpoint is paired with the request/response classes the malware uses for it and the notable fields those messages carry.

Command / message | C&C URL or DTO class | Fields
---|---|---
Command Status | [REMOVED]mobile.com/ProtocolGW/protocol/commandstatus |
Command Status Request | com.plankton.common.dto.protocol.CommandStatusRequest |
Command Status Response | com.plankton.common.dto.protocol.CommandStatusResponse | nextCommandInterval: 15
Commands | [REMOVED]mobile.com/ProtocolGW/protocol/commands |
Commands Request | com.plankton.common.dto.protocol.CommandsRequest |
Commands Response | com.plankton.common.dto.protocol.CommandsResponse |
Activate | [REMOVED]mobile.com/ProtocolGW/protocol/activate |
Activation Request | com.plankton.common.dto.protocol.ActivationRequest |
Activation Response | com.plankton.common.dto.protocol.ActivationResponse |
Bookmarks | [REMOVED]mobile.com/ProtocolGW/protocol/bookmarks |
Bookmarks Requests | com.plankton.common.dto.protocol.BookmarksRequest |
Bookmarks Requests | com.plankton.common.dto.protocol.BookmarksRequest | bookmarks
DumpLog | [REMOVED]mobile.com/ProtocolGW/protocol/dumplog |
DumpLog Requests | com.plankton.common.dto.protocol.DumpLogRequest |
History | [REMOVED]mobile.com/ProtocolGW/protocol/history |
History Requests | com.plankton.common.dto.protocol.HistoryRequest |
History Response | com.plankton.common.dto.protocol.HistoryResponse | historyList
Installation | [REMOVED]mobile.com/ProtocolGW/protocol/installation |
Installation Requests | com.plankton.common.dto.protocol.InstallationRequest |
Installation Response | com.plankton.common.dto.protocol.InstallationResponse |
Shortcut | [REMOVED]mobile.com/ProtocolGW/protocol/shortcuts |
Shortcut Requests | com.plankton.common.dto.protocol.ShortcutRequest |
Shortcut Response | com.plankton.common.dto.protocol.ShortcutResponse | shortcutList: includes name, link, status and screen
Upgrade | [REMOVED]mobile.com/ProtocolGW/protocol/installation |
Status | [REMOVED]mobile.com/ProtocolGW/protocol/status |
Homepage | [REMOVED]mobile.com/ProtocolGW/protocol/homepage |
Terminate | [REMOVED]mobile.com/ProtocolGW/protocol/terminate |
Unexpected exception | [REMOVED]mobile.com/ProtocolGW/protocol/unexpectedexception |
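Because the C&C host is redacted here but the endpoint paths under /ProtocolGW/protocol/ are fixed, those paths are a practical detection key in web proxy or egress logs. The script below is an added example, not code from the page or from Fortinet; it assumes a simplified, constructed proxy log layout (client IP, method, URL, status) and a placeholder C&C host, and it groups matching requests per client, flagging clients that hit the activate endpoint (device registration).

```python
import re
from collections import defaultdict

# Endpoint names taken from the protocol table above; the C&C host is
# redacted on the page, so matching is on the URL path only.
PLANKTON_ENDPOINTS = {
    "commandstatus", "commands", "activate", "bookmarks", "dumplog",
    "history", "installation", "shortcuts", "status", "homepage",
    "terminate", "unexpectedexception",
}
ENDPOINT_RE = re.compile(r"/ProtocolGW/protocol/([a-z]+)(?:[/?]|$)", re.I)

# Assumed proxy log layout (constructed for this example):
#   <client_ip> <method> <url> <http_status>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def classify_line(line):
    """Return (client_ip, endpoint) for a Plankton C&C request, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, _method, url, _status = m.groups()
    e = ENDPOINT_RE.search(url)
    if not e:
        return None
    endpoint = e.group(1).lower()
    if endpoint not in PLANKTON_ENDPOINTS:
        return None
    return client, endpoint


def summarize(lines):
    """Group Plankton C&C hits per client; 'activate' marks a registered device."""
    hits = defaultdict(set)
    for line in lines:
        r = classify_line(line)
        if r:
            hits[r[0]].add(r[1])
    return {ip: {"endpoints": sorted(eps), "registered": "activate" in eps}
            for ip, eps in hits.items()}


# Constructed sample log lines (not from the page); the host is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 POST http://cnc.example.invalid/ProtocolGW/protocol/activate 200
10.0.0.5 POST http://cnc.example.invalid/ProtocolGW/protocol/commandstatus 200
10.0.0.7 GET http://www.example.com/index.html 200
10.0.0.9 POST http://cnc.example.invalid/ProtocolGW/protocol/shortcuts?x=1 200
""".splitlines()

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```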
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection
---|---
FortiGate |
Extended |
FortiClient |
FortiMail |
FortiSandbox |
FortiWeb |
Web Application Firewall |
FortiIsolator |
FortiDeceptor |
FortiEDR |