The following device changes may indicate the presence of this malware:
The presence of the following service: "AndroidMDKProvider"
Trojan:AndroidOS/Plankton.A is a trojan that affects devices running the Android operating system, such as mobile phones. It may arrive as part of repackaged Android applications and be downloaded from third-party Android application markets. Once the application is installed, it collects information about the mobile device and performs actions based on instructions from a remote attacker.
Once the application is installed, Plankton.A runs in the background as the service "AndroidMDKProvider".
Downloads other components
The malicious service sends HTTP POST requests in the background to the server "searchwebmobile.com" and waits for a reply. The reply contains a download URL for a file that may be updated on the server's end. As of this writing, it downloads a JAR file containing a "classes.dex" file (also detected as Trojan:AndroidOS/Plankton.A) that is installed via the "DexClassLoader" object. This type of installation bypasses Android market's application verification.
Perform functions based on commands
Trojan:AndroidOS/Plankton.A can act as a command-and-control (C&C) server and wait for several commands to perform the following actions:
/activate - responds to requests for activation
/homepage - sets homepage of the device's browser
/commandstatus - receives status from the server when a routine fails or succeeds
/bookmarks - gets and sets bookmarks
/shortcuts - gets and sets application shortcuts
/history - gets history of browsing habits
/terminate - terminates the service
/status - returns whether to add, delete, update, or check if it exists in the device
/dumplog - gets the log of acquired debug information from the device which can be sent as a ZIP archive
/unexpectedexception - returns when an error occurs
/installation - installs downloaded file or upgrades installation to a new downloaded file
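The following is an added detection example, not part of the original description: it scans web proxy log lines for HTTP POST requests to "searchwebmobile.com" and labels each hit with the command name from the list above. The log format, the sample lines, and the assumption that the command name appears as the last path segment of the request URL are constructed for illustration.

```python
from urllib.parse import urlsplit

# Indicators taken from the description above.
C2_HOST = "searchwebmobile.com"
COMMANDS = {
    "activate", "homepage", "commandstatus", "bookmarks", "shortcuts",
    "history", "terminate", "status", "dumplog", "unexpectedexception",
    "installation",
}

# Constructed sample log (assumed format: time client method url status).
SAMPLE_LOG = """\
2024-01-01T09:14:02Z 10.0.0.23 POST http://searchwebmobile.com/activate 200
2024-01-01T09:14:05Z 10.0.0.23 GET http://example.org/index.html 200
2024-01-01T09:15:40Z 10.0.0.23 POST http://www.searchwebmobile.com/gw/bookmarks?id=1 200
2024-01-01T09:16:11Z 10.0.0.41 POST http://notsearchwebmobile.com/activate 200
2024-01-01T09:17:00Z 10.0.0.23 POST http://SearchWebMobile.com/upload 200
malformed line
"""

def host_matches(host):
    """True for the listed domain or a subdomain, not look-alike suffixes."""
    host = (host or "").lower().rstrip(".")
    return host == C2_HOST or host.endswith("." + C2_HOST)

def find_plankton_traffic(log_text):
    """Return (client, command) for every POST to the listed host.

    command is the last URL path segment when it is one of the listed
    commands, otherwise None (the POST itself is still worth reviewing).
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not fit the assumed format
        _, client, method, url, _ = fields
        if method.upper() != "POST":
            continue
        try:
            parts = urlsplit(url)
        except ValueError:
            continue  # unparsable URL
        if not host_matches(parts.hostname):
            continue
        last = parts.path.rstrip("/").rsplit("/", 1)[-1].lower()
        hits.append((client, last if last in COMMANDS else None))
    return hits

if __name__ == "__main__":
    for client, command in find_plankton_traffic(SAMPLE_LOG):
        print(client, command or "(unlisted path)")
```

A client that appears in the results can then be checked on the device side for the "AndroidMDKProvider" service named above.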
Collects information
Trojan:AndroidOS/Plankton.A can collect the following information from the compromised device and send it to a server via HTTP POST: