Mobile Virus

Android/Plankton.A!tr

Analysis

Android/Plankton.A!tr is a malicious application for Android phones which is usually downloaded by Android/Plankton.A!tr.dldr. The malware contacts a remote C&C server and processes a small set of hard-coded commands received from that server, including:

  • homepage: sets a given URL as homepage
  • bookmarks: gets/sets a list of bookmarks for the phone's browser
  • shortcuts: gets/sets a list of shortcuts for the phone's main application page
  • dumplog: sends debugging information to the C&C
  • activate: registers the device


Technical Details

The details of the commands the malware processes are listed below. For each C&C endpoint (host redacted), the request and response classes are given together with their fields.

Command Status: [REMOVED]mobile.com/ProtocolGW/protocol/commandstatus
  Request: com.plankton.common.dto.protocol.CommandStatusRequest
    • statuses: {"message":"SABABA!!!","status":"SUCCESS","command":"ACTIVATION","id":"fe872cfc-68ff-4296-a100-731b3f3179b2","parameters":null}
    • applicationDetails:
      {"applicationId":"325842966#752469853",
      "build":{"brand":"generic","device":"generic","manufacturer":"unknown","model":"sdk","versionRelease":"2.2","versionSDKInt":8},
      "deviceId":"000000000000000",
      "displayMetrics":{"density":1.0,"densityDpi":160,"heightPixels":480,"scaledDensity":1.0,"widthPixels":320,"xdpi":160.0,"ydpi":160.0},
      "locale":"en_US",
      "protocolVersion":"0.0.2",
      "userAgent":"Mozilla/5.0 (Linux; U; Android 2.2; en-us; sdk Build/FRF42) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1",
      "userId":"NOT IN USE!!!"}}
  Response: com.plankton.common.dto.protocol.CommandStatusResponse
    • nextCommandInterval: 15

Commands: [REMOVED]mobile.com/ProtocolGW/protocol/commands
  Request: com.plankton.common.dto.protocol.CommandsRequest
    • initiationType: "first time"
    • needSpecificParameters: true
    • applicationDetails: see above
  Response: com.plankton.common.dto.protocol.CommandsResponse
    • commands: {"id":"fe872cfc-68ff-4296-a100-731b3f3179b2","parameters":null,"command":"ACTIVATION"}
    • commandsInterval: 15

Activate: [REMOVED]mobile.com/ProtocolGW/protocol/activate
  Request: com.plankton.common.dto.protocol.ActivationRequest
    • missingParameters: ACTIVATED
    • firstTimeActivation: true
    • applicationDetails
  Response: com.plankton.common.dto.protocol.ActivationResponse
    • activation: parameters:
      "LAUNCHERS_LIST":"com.android.launcher2.settings;com.android.launcher.settings;"
      "LAUNCHER_NAME":"com.android.launcher2.settings"
    • eula: http://wwww.our-ula.com

Bookmarks: [REMOVED]mobile.com/ProtocolGW/protocol/bookmarks
  Request: com.plankton.common.dto.protocol.BookmarksRequest
    • bookmarks
    • applicationDetails
  Request: com.plankton.common.dto.protocol.BookmarksRequest
    • bookmarks

DumpLog: [REMOVED]mobile.com/ProtocolGW/protocol/dumplog
  Request: com.plankton.common.dto.protocol.DumpLogRequest
    • logDump:
      zipped: boolean
      log: NOT PRINTED
      filterExpression:
      causedCommand:
      commandId:
    • applicationDetails

History: [REMOVED]mobile.com/ProtocolGW/protocol/history
  Request: com.plankton.common.dto.protocol.HistoryRequest
    • historyList
    • applicationDetails
  Response: com.plankton.common.dto.protocol.HistoryResponse
    • historyList

Installation: [REMOVED]mobile.com/ProtocolGW/protocol/installation
  Request: com.plankton.common.dto.protocol.InstallationRequest
    • permissions
    • currentVersion
    • applicationDetails
  Response: com.plankton.common.dto.protocol.InstallationResponse
    • locationURL
    • fileName

Shortcut: [REMOVED]mobile.com/ProtocolGW/protocol/shortcuts
  Request: com.plankton.common.dto.protocol.ShortcutRequest
    • shortcutList
    • applicationDetails
  Response: com.plankton.common.dto.protocol.ShortcutResponse
    • shortcutList: includes name, link, status and screen.

Upgrade: [REMOVED]mobile.com/ProtocolGW/protocol/installation
Status: [REMOVED]mobile.com/ProtocolGW/protocol/status
Homepage: [REMOVED]mobile.com/ProtocolGW/protocol/homepage
Terminate: [REMOVED]mobile.com/ProtocolGW/protocol/terminate
Unexpected exception: [REMOVED]mobile.com/ProtocolGW/protocol/unexpectedexception
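The endpoint paths and the CommandsResponse layout above are enough to build a simple network-side check. The following is an added example (not code from the original analysis) that scans constructed proxy log lines for requests to the /ProtocolGW/protocol/ paths listed on this page and extracts the command and id from a CommandsResponse body; the host cnc.example is a placeholder for the redacted C&C host.

```python
import json
import re

# Endpoint names are the path suffixes listed in the Technical Details above.
PLANKTON_ENDPOINTS = {
    "commandstatus", "commands", "activate", "bookmarks", "dumplog", "history",
    "installation", "shortcuts", "status", "homepage", "terminate",
    "unexpectedexception",
}

# Captures the host and the endpoint name from a full URL in a proxy log line.
URL_RE = re.compile(
    r"https?://(?P<host>[^/\s]+)/ProtocolGW/protocol/(?P<endpoint>[A-Za-z]+)",
    re.IGNORECASE,
)

def find_plankton_beacons(log_lines):
    """Return (host, endpoint) for every line whose URL hits a known Plankton C&C path."""
    hits = []
    for line in log_lines:
        m = URL_RE.search(line)
        if m and m.group("endpoint").lower() in PLANKTON_ENDPOINTS:
            hits.append((m.group("host").lower(), m.group("endpoint").lower()))
    return hits

def parse_commands_response(body):
    """Extract (command, id) pairs from a CommandsResponse JSON body."""
    data = json.loads(body)
    cmds = data.get("commands", [])
    if isinstance(cmds, dict):  # the page shows a single command object, not a list
        cmds = [cmds]
    return [(c.get("command"), c.get("id")) for c in cmds]

# Constructed sample proxy log lines (not real traffic); cnc.example stands in for the redacted host.
SAMPLE_LOG = [
    '10.0.0.12 - - [01/Jun/2011:10:00:01 +0000] "POST http://cnc.example/ProtocolGW/protocol/commands HTTP/1.1" 200 312',
    '10.0.0.12 - - [01/Jun/2011:10:00:02 +0000] "POST http://cnc.example/ProtocolGW/protocol/activate HTTP/1.1" 200 201',
    '10.0.0.13 - - [01/Jun/2011:10:00:03 +0000] "GET http://www.example.org/index.html HTTP/1.1" 200 5120',
    '10.0.0.12 - - [01/Jun/2011:10:00:17 +0000] "POST http://cnc.example/ProtocolGW/protocol/dumplog HTTP/1.1" 200 44',
]

# Constructed body using the CommandsResponse fields shown on the page.
SAMPLE_RESPONSE = '{"commands":{"id":"fe872cfc-68ff-4296-a100-731b3f3179b2","parameters":null,"command":"ACTIVATION"},"commandsInterval":15}'

if __name__ == "__main__":
    for host, endpoint in find_plankton_beacons(SAMPLE_LOG):
        print(f"Plankton C&C beacon to {host}: endpoint {endpoint}")
    print(parse_commands_response(SAMPLE_RESPONSE))
```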

Recommended Action

FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.

FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.