Google has removed more malware-infected apps from its Android Market, including some that appeared to exploit the popularity of legitimate apps like Angry Birds.
At least 10 more apps were removed from the market, pending investigation, after they were found and reported by assistant professor Xuxian Jiang, PC Magazine reported.
“While continuing an Android-related research project after the discovery of the DroidKungFu and YZHCSMS malware, my research team also came across a new stealthy Android spyware in the Official Android Market,” Jiang said.
Jiang is an assistant professor at North Carolina State University’s Department of Computer Science.
“Our investigation indicates that there are at least 10 infected Android apps in the Official Android Market from three different developers. Its stealthy design also explains why some earlier variants have been there for more than two months without being detected by current mobile anti-virus software,” he added.
He said that one such app, Plankton, is spyware that “does not attempt to root Android phones but instead is designed to be stealthy by running the payload under the radar.”
“In fact, Plankton is the first one that we are aware of that exploits Dalvik class loading capability to stay stealthy and dynamically extend its own functionality,” he said.
There are at least 10 Plankton apps from three different developers, Jiang said.
Last week, Webroot analysts Andrew Brandt and Armando Orozco took a closer look at Plankton and found that it was focused on the popular game series Angry Birds.
“Some of the samples we looked at came as Android apps with names like Angry Birds Rio Unlocker v1.0, Angry Birds Multi User v1.00 or Angry Birds Cheater Trainer Helper V2.0,” they wrote in a blog post.
Installing the apps will generate the message: “Welcome! Simply click on the button below to unlock ALL levels in Angry Birds Rio. This will not delete your scores but might change the number of pineapples and bananas you have.”
But instead of delivering on their promise, the malicious apps install additional code that provides remote access to and control of the Android device.
Brandt and Orozco said that the remote access and control will be given to “presumably, the distributor of the malicious apps, whose identity remains unknown at this time.”
However, the Plankton creators labeled their code very distinctly, making it easy to wipe from a phone, Webroot said.
Plankton also appears to provide access to sensitive data on a phone like browser history, bookmarks, and homepage settings in the built-in Android browser.
Other malware apps have worked to obtain root, or administrative, access to the operating system.
Webroot said it is investigating a “command-and-control server, which sends back instructions for the app to download an additional Java .JAR file.”
“Early reports from the university researchers indicate that the payloads are simply reworked versions of the remote access code embedded in the Trojan, modified so they’re slightly harder to detect using existing antivirus signatures,” the researchers said.
The PC Mag article noted that unlike Apple, Google does not monitor its apps once they are in the Android Market, responding only to complaints.
“We don’t generally go back and try to make sure that every app does what it says it’s going to do. [Google is] really trying to maximize the ability of small app developers to get online,” it quoted Alan Davidson, director of public policy at Google, as saying during a recent appearance on Capitol Hill.
How it works
Jiang said that Plankton is included in host apps by adding a background service. Removing this background service does not affect the functionality of the host app.
On the server side, possibly based on the information the service has collected, the server returns a URL for the service to download.
The URL points to a jar file containing executable code (i.e., Dalvik bytecode). The jar file is essentially a payload which, once downloaded, is dynamically loaded (through the standard DexClassLoader).
Doing so will allow the payload to evade static analysis and make it hard to detect. After loading, the init() method of a hardcoded payload class is invoked (through the reflection API in Android).
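The loading chain just described leaves a static footprint even though the payload itself is fetched at runtime: the host app's classes.dex must still name DexClassLoader and the reflection API it uses to call init(). The script below is an added triage example, not code from the article or from the researchers. It parses the DEX string table directly (string_ids_size and string_ids_off in the header, each string_id pointing at a uleb128-prefixed MUTF-8 string) and flags a DEX that references both dynamic class loading and reflection. The class-name indicators are standard Android framework descriptors; the sample DEX blobs are constructed inline so it runs offline, and the indicator names and the `triage` function are this example's own.

```python
"""Static triage of a DEX file for the dynamic-loading pattern described above.

Added example: it is not the article's or the researchers' code. A minimal
DEX-shaped blob (header + string_ids + string_data) is constructed inline so the
script runs offline; in practice the input is classes.dex pulled from an APK.
"""
import struct

DEX_MAGIC_PREFIX = b"dex\n"          # full magic is "dex\n" + 3-digit version + NUL

# Framework type descriptors whose presence in the string table suggests the
# "download a jar, load it with DexClassLoader, call a method by reflection"
# pattern. Indicator names are chosen for this example.
INDICATORS = {
    "dynamic_loading": "Ldalvik/system/DexClassLoader;",
    "reflection": "Ljava/lang/reflect/Method;",
    "background_service": "Landroid/app/Service;",
}


def encode_uleb128(n):
    """Encode an unsigned integer as ULEB128 (used for DEX string lengths)."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def read_uleb128(data, off):
    """Decode a ULEB128 value at `off`; return (value, offset after it)."""
    result, shift = 0, 0
    while True:
        byte = data[off]
        off += 1
        result |= (byte & 0x7F) << shift
        if byte & 0x80 == 0:
            return result, off
        shift += 7


def dex_strings(data):
    """Return every entry of the DEX string table as a Python str."""
    if data[:4] != DEX_MAGIC_PREFIX:
        raise ValueError("not a DEX file")
    # string_ids_size at 0x38, string_ids_off at 0x3C, both little-endian u32.
    size, ids_off = struct.unpack_from("<II", data, 0x38)
    strings = []
    for i in range(size):
        (str_off,) = struct.unpack_from("<I", data, ids_off + 4 * i)
        _utf16_len, p = read_uleb128(data, str_off)     # length prefix, then MUTF-8
        end = data.index(b"\0", p)                       # string data is NUL-terminated
        # MUTF-8 equals UTF-8 for the ASCII descriptors we match on.
        strings.append(data[p:end].decode("utf-8", errors="replace"))
    return strings


def triage(data):
    """Return ({indicator: present}, suspicious) for one DEX file."""
    found = set(dex_strings(data))
    hits = {name: (descriptor in found) for name, descriptor in INDICATORS.items()}
    # Dynamic loading plus reflection is the combination worth a closer look;
    # either alone is common in legitimate apps (plugins, frameworks).
    suspicious = hits["dynamic_loading"] and hits["reflection"]
    return hits, suspicious


def build_dex(strings):
    """Construct a minimal DEX-shaped blob holding only a string table (for the demo)."""
    header = bytearray(0x70)                 # standard DEX header size
    header[:8] = DEX_MAGIC_PREFIX + b"035\0"
    ids_off = 0x70
    data_off = ids_off + 4 * len(strings)
    ids, body = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", data_off + len(body))
        body += encode_uleb128(len(s)) + s.encode("utf-8") + b"\0"
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header + ids + body)


# Constructed samples: one mimicking the loader footprint, one a plain activity.
LOADER_LIKE = build_dex([
    "Landroid/app/Service;",
    "Ldalvik/system/DexClassLoader;",
    "Ljava/lang/reflect/Method;",
    "init",
])
BENIGN = build_dex(["Landroid/app/Activity;", "onCreate", "Hello"])

if __name__ == "__main__":
    for label, blob in (("loader-like", LOADER_LIKE), ("benign", BENIGN)):
        hits, flag = triage(blob)
        print(label, hits, "SUSPICIOUS" if flag else "ok")
```

On a real sample, read classes.dex out of the APK with `zipfile.ZipFile(path).read("classes.dex")` and pass the bytes to `triage`. Treat a hit as a reason to look at the app's network behaviour and manifest-declared services, not as a verdict: plugin frameworks and some ad SDKs also load code dynamically, which is exactly why this loader went unnoticed for months.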
“Our analysis shows that these payloads do not provide root exploits. Instead, they only support a number of basic bot-related commands that can be remotely invoked,” Jiang said.
“During our investigation, we also identified an interesting function that if invoked can be used to collect user’s accounts. Though our analysis shows that this function is not linked to any supported command, its presence as well as the capability of dynamically loading a new payload can easily turn stealing user’s accounts or even launching root exploits into reality,” he added. – TJD, GMA News