Android/Plankton.A!tr.dldr

Analysis

Android/Plankton.A!tr.dldr is a trojan downloader for Android mobile phones: under the cover of another application (such as an unlocker for the Angry Birds Rio game), it downloads other malicious applications in the background.
The downloaded applications may vary, but so far they have been observed to install an application that responds to a few hard-coded commands, such as homepage (set a given URL as the homepage of the phone's browser), bookmarks (send the current bookmarks and set new ones in the phone's browser), shortcuts (send the current shortcuts and set new ones on the Android home screen) and dumplog (send developer information when an unexpected error occurs).
Android/Plankton.A!tr.dldr has been found in trojanized versions of the following applications (listed by package name). Check your phone if you installed one of them:

  • com.crazyapps.gun.bros.cheat.unlock.all.purchases.helper
  • com.crazyapps.shake.to.fake.call
  • com.crazyapps.favorite.games.backup
  • com.crazyapps.angry.birds.rio.unlocker
  • com.crazyapps.angry.birds.multi.user
  • com.crazyapps.angry.birds.cheater.trainer.helper
  • com.crazyapps.time.limit.kids.users.bring.me.back.my.droid
  • com.crazyapps.chit.chat.robo.chat.bathroom.time.chat
  • com.choopcheec.android.snake
  • com.planktond.guesslogo


Technical Details


Android/Plankton.A!tr.dldr first starts a service named AndroidMDKService. In some samples its fully qualified class name is com.plankton.device.android.service.AndroidMDKService.
The malware reads two URLs from the string resources of the Android package (res/strings.xml):
  • M_INSTALLATION_URL: URL contacted to download other malicious applications.
    http://[REMOVED]mobile.com/ProtocolGW/installation
    
  • M_SERVER_URL: base URL used by the downloaded malicious application to communicate with its C&C server.
    http://[REMOVED]mobile.com/ProtocolGW/protocol
    
It then lists the malicious files it has already downloaded and fetches new ones over HTTP.
Whether a download is performed is controlled by a boolean named needToUpgrade, stored in a shared-preferences file (plankton_upgrade). Once a new JAR has been downloaded successfully, needToUpgrade is reset to 0 (meaning no further download is required) and the initProvider() method is called.
If an error occurs at this stage, a status message is posted over HTTP to the C&C server.
initProvider() dynamically loads the class from the downloaded JAR and invokes its init() method; this is how the newly downloaded malicious application gets started.
In its communication with the remote server, the malware typically sends the phone's IMEI, brand, version, resolution and user agent.
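The artifacts listed above (the trojanized package names, the AndroidMDKService class, the two resource keys, the /ProtocolGW/ URL path, the plankton_upgrade preferences file and the needToUpgrade flag) are enough for a first-pass static triage of a suspicious APK. The following script is an added example written for this page, not code from Fortinet or from the malware: it opens an APK as a zip, searches the manifest, the dex file(s) and resources.arsc for those indicator strings in both UTF-8 and UTF-16LE (compiled manifests and resource tables use either encoding depending on the aapt version, and dex uses MUTF-8, which equals UTF-8 for ASCII), and returns a verdict. The sample "APKs" it builds are constructed stand-ins, and the c2.example.invalid hostname is a placeholder for the removed domain.

```python
import io
import zipfile

# Indicators quoted from the analysis above: trojanized package names, the
# downloader service class, the two resource keys and the URL path they
# share, the shared-preferences file and the flag it stores.
PLANKTON_PACKAGES = (
    "com.crazyapps.gun.bros.cheat.unlock.all.purchases.helper",
    "com.crazyapps.shake.to.fake.call",
    "com.crazyapps.favorite.games.backup",
    "com.crazyapps.angry.birds.rio.unlocker",
    "com.crazyapps.angry.birds.multi.user",
    "com.crazyapps.angry.birds.cheater.trainer.helper",
    "com.crazyapps.time.limit.kids.users.bring.me.back.my.droid",
    "com.crazyapps.chit.chat.robo.chat.bathroom.time.chat",
    "com.choopcheec.android.snake",
    "com.planktond.guesslogo",
)
SERVICE_CLASS = "com.plankton.device.android.service.AndroidMDKService"

INDICATORS = {
    "service class": SERVICE_CLASS,
    # Dex stores class names as descriptors of the form Lcom/foo/Bar;
    "dex descriptor": "L" + SERVICE_CLASS.replace(".", "/") + ";",
    "install URL key": "M_INSTALLATION_URL",
    "C&C URL key": "M_SERVER_URL",
    "C&C path": "/ProtocolGW/",
    "prefs file": "plankton_upgrade",
    "upgrade flag": "needToUpgrade",
}
INDICATORS.update({"package " + p: p for p in PLANKTON_PACKAGES})

# Entries in which these strings live inside a real APK.
SCANNED_ENTRIES = ("AndroidManifest.xml", "resources.arsc")


def _encodings(s):
    # String pools are UTF-8 or UTF-16LE depending on the build tool version.
    return (s.encode("utf-8"), s.encode("utf-16-le"))


def scan_apk(apk_bytes):
    """Map each indicator found to the list of APK entries that contain it."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not (name in SCANNED_ENTRIES or name.endswith(".dex")):
                continue
            data = zf.read(name)
            for label, needle in INDICATORS.items():
                if any(enc in data for enc in _encodings(needle)):
                    hits.setdefault(label, []).append(name)
    return hits


def is_plankton(hits):
    """Heuristic verdict: the downloader class itself, or a known trojanized
    package name together with both C&C resource keys it reads."""
    if "service class" in hits or "dex descriptor" in hits:
        return True
    known_pkg = any(label.startswith("package ") for label in hits)
    return known_pkg and "install URL key" in hits and "C&C URL key" in hits


def build_sample_apk(malicious):
    """Constructed stand-in for an APK (not a real sample): a zip holding the
    three entries the scanner reads, with indicator strings in the encodings
    the real files would use. The hostname is a placeholder, not the real C&C."""
    pkg = PLANKTON_PACKAGES[3] if malicious else "com.example.clean"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Binary XML keeps the package name in a UTF-16LE string pool.
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + pkg.encode("utf-16-le"))
        if malicious:
            zf.writestr("classes.dex", b"dex\n035\x00" + INDICATORS["dex descriptor"].encode() + b"\x00")
            zf.writestr("resources.arsc",
                        b"M_INSTALLATION_URL\x00http://c2.example.invalid/ProtocolGW/installation\x00"
                        b"M_SERVER_URL\x00http://c2.example.invalid/ProtocolGW/protocol\x00")
        else:
            zf.writestr("classes.dex", b"dex\n035\x00Lcom/example/clean/MainActivity;\x00")
            zf.writestr("resources.arsc", b"app_name\x00Clean App\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        found = scan_apk(build_sample_apk(flag))
        print("plankton" if is_plankton(found) else "clean", sorted(found))
```

To run it against a real file, pass `open("suspect.apk", "rb").read()` to scan_apk(). The verdict is deliberately conservative: a package name alone is not enough, because a repackaged clean build of the same app would match it, while the service class or a dex descriptor for it is specific to the downloader. String-based triage is only a first pass; a sample with renamed classes or string-encrypted resource keys will need dynamic analysis (watch for the plankton_upgrade preferences file and the HTTP requests to /ProtocolGW/).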

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                    Database
FortiGate                  Extended
FortiClient                Extreme
FortiAPS
FortiAPU
FortiMail                  Extreme
FortiSandbox               Extreme
FortiWeb                   Extreme
Web Application Firewall   Extreme
FortiIsolator              Extreme
FortiDeceptor              Extreme
FortiEDR

Version Updates

Date Version Detail
2023-03-06 91.01181