
Friday, January 27, 2012

Android Counterclank


Name:             Counterclank
MD5:              3d8e1108999dc35c5b5202985547a25f
Sample Credits:   with many thanks to Sanjay, January 27, 2012
Research:
  Appriva: Google Android Market is infected from new Plankton (Apperhand) variant
  Symantec: Android.Counterclank

Additional samples - thanks to Tim "timv"

File: com.christmasgame.balloon.apk
MD5:  c9a2e226cd001a3a4fab1046a10ae50d

File: com.christmasgame.deal.apk
MD5:  937c84956f6b23c98649fb658138ef93

File: com.christmasgame.wildjump.apk
MD5:  bbb02e438d7eaea9e9c4dd013899410c

File: com.redmicapps.puzzles.ladies2.apk
MD5:  95bcbe87750cc5dc2c2d2b02505effee

File: com.redmicapps.puzzles.ladies3.apk
MD5:  3d8e1108999dc35c5b5202985547a25f



Download - password: infected

Download additional samples - password: infected

VirusTotal
SHA256:     c03940b31ca1b42fe1899c9c0714647bbfedc0da42f849cf6d026a381f84ab9e
SHA1:     f51f9194839426cd6f3d53345702b9554a4fe86d
MD5:     3d8e1108999dc35c5b5202985547a25f
File name:     com.redmicapps.puzzles.ladies3_v1.02.apk
Detection ratio:     4 / 42
Analysis date:     2012-01-28 05:06:24 UTC ( 3 minutes ago )
Kaspersky     HEUR:Trojan.AndroidOS.Plangton     20120128
NOD32     a variant of Android/Plankton.G     20120127
PCTools     Android.Counterclank     20120128
Symantec     Android.Counterclank     20120128

https://www.virustotal.com/file/dcb07963bc45514aae762c3236cc1fa2e69a6e4a86d3c22d8dd57e9d03bae1fe/analysis/
SHA256:     dcb07963bc45514aae762c3236cc1fa2e69a6e4a86d3c22d8dd57e9d03bae1fe
SHA1:     3fc1f28131fe9204014fcc10ddb7b1150396f01e
MD5:     c9a2e226cd001a3a4fab1046a10ae50d
File size:     1.4 MB ( 1475968 bytes )
File name:     BallonGame.virus
Detection ratio:     11 / 43
Analysis date:     2012-02-01 21:27:17 UTC ( 1 day, 6 hours ago )
ClamAV     Andr.Plangton-12     20120201
Comodo     UnclassifiedMalware     20120201
DrWeb     Android.Plankton.7.origin     20120201
Fortinet     Riskware/CounterClank!Android     20120201
Kaspersky     HEUR:Trojan.AndroidOS.Plangton.a     20120201
NOD32     a variant of Android/Plankton.H     20120201
PCTools     Android.Counterclank     20120201
Sophos     Andr/NewyearL-B     20120201
Symantec     Android.Counterclank     20120201
TrendMicro     AndroidOS_PLANKTON.AB     20120201
TrendMicro-HouseCall     AndroidOS_PLANKTON.AB     20120201

https://www.virustotal.com/file/388d67fda36ebf895b99206455cc6964afee7df7c73ae91348cd2f8c2c78be7a/analysis/
SHA256:     388d67fda36ebf895b99206455cc6964afee7df7c73ae91348cd2f8c2c78be7a
SHA1:     4a4fe9a24f0388fbb32cb4adc3667d775d53cf77
MD5:     937c84956f6b23c98649fb658138ef93
File size:     2.5 MB ( 2600304 bytes )
File name:     Deal
Detection ratio:     14 / 43
Analysis date:     2012-02-02 02:44:10 UTC ( 1 day, 1 hour ago )
ClamAV    Andr.Plangton-12
Sophos    Andr/NewyearL-B
PCTools    Android.Counterclank
Symantec    Android.Counterclank
DrWeb    Android.Plankton.7.origin
McAfee    Android/Apper
McAfee-GW-Edition    Android/Apper
NOD32    Android/Plankton.G
TrendMicro    AndroidOS_PLANKTON.AB
TrendMicro-HouseCall    AndroidOS_PLANKTON.AB
Kaspersky    HEUR:Trojan.AndroidOS.Plangton.a
Fortinet    Riskware/CounterClank!Android
Antiy-AVL    Trojan/AndroidOS.Plangton
Comodo    UnclassifiedMalware


https://www.virustotal.com/file/fc0bb164998e7a851895a0c20d33c4812d8bed2884d9788c2dc057f8e49d3d2b/analysis/
SHA256:     fc0bb164998e7a851895a0c20d33c4812d8bed2884d9788c2dc057f8e49d3d2b
SHA1:     d2ecd6f34e412c622dd65b8b4eafb3d886a2c2bd
MD5:     bbb02e438d7eaea9e9c4dd013899410c
File size:     1.6 MB ( 1669169 bytes )
File name:     Wild Man.apk
File type:     ZIP
Detection ratio:     10 / 43
Analysis date:     2012-02-01 08:22:45 UTC ( 1 day, 19 hours ago )
NOD32    a variant of Android/Plankton.G
ClamAV    Andr.Plangton-12
Sophos    Andr/NewyearL-B
DrWeb    Android.Plankton.7.origin
GData    Android:Plankton-G
Avast    Android:Plankton-G [Trj]
TrendMicro    AndroidOS_PLANKTON.AB
TrendMicro-HouseCall    AndroidOS_PLANKTON.AB
Kaspersky    HEUR:Trojan.AndroidOS.Plangton.a
Comodo    UnclassifiedMalware


https://www.virustotal.com/file/e7d1ebcd217935fbb443c67280afe697b72cd1ce042e4fa780b38c08a881221f/analysis/
SHA256:     e7d1ebcd217935fbb443c67280afe697b72cd1ce042e4fa780b38c08a881221f
SHA1:     3d29ed9827564d5200467d7d17b51e870717b7f5
MD5:     95bcbe87750cc5dc2c2d2b02505effee
File size:     4.5 MB ( 4727853 bytes )
File name:     Sexy Ladies-2.apk
File type:     ZIP
Detection ratio:     9 / 43
Analysis date:     2012-02-02 02:40:17 UTC

ClamAV Andr.Plangton-12
Sophos Andr/NewyearL-B
DrWeb Android.Plankton.7
Fortinet Android/NewyearL.B
NOD32 Android/Plankton.G
TrendMicro AndroidOS_PLANKTON.P
TrendMicro-HouseCall AndroidOS_PLANKTON.P
Kaspersky HEUR:Trojan.AndroidOS.Plangton.a
Comodo UnclassifiedMalware

https://www.virustotal.com/file/c03940b31ca1b42fe1899c9c0714647bbfedc0da42f849cf6d026a381f84ab9e/analysis/
SHA256:     c03940b31ca1b42fe1899c9c0714647bbfedc0da42f849cf6d026a381f84ab9e
SHA1:     f51f9194839426cd6f3d53345702b9554a4fe86d
MD5:     3d8e1108999dc35c5b5202985547a25f
File size:     4.6 MB ( 4818527 bytes )
File name:     f51f9194839426cd6f3d53345702b9554a4fe86d
File type:     ZIP
Detection ratio:     17 / 43
Analysis date:     2012-02-01 11:35:16 UTC ( 1 day, 17 hours ago )
ClamAV     Andr.Plangton-12
Sophos     Andr/NewyearL-B
PCTools     Android.Counterclank
Symantec     Android.Counterclank
Ikarus     Android.Plankton
Emsisoft     Android.Plankton!IK
DrWeb     Android.Plankton.7
McAfee     Android/Apper
McAfee-GW-Edition     Android/Apper
NOD32     Android/Plankton.G
TrendMicro     AndroidOS_PLANKTON.U
TrendMicro-HouseCall     AndroidOS_PLANKTON.U
Kaspersky     HEUR:Trojan.AndroidOS.Plangton.a
Avast     Other:Malware-gen
GData     Other:Malware-gen
Fortinet     Riskware/CounterClank!Android
Comodo     UnclassifiedMalware

4 comments:

1. 1) The download link is wrong - it points only to the 5th sample.

   2) The first and the third sample are still available from the Android Market:

   https://market.android.com/developer?pub=Ogre+Games

   Reply: 2nd download item says counterclank-pup and it is a folder with 5 samples in it.

2. This is a better research on it. And it is dated earlier than the Symantec one.

   http://www.appriva.com/blog/android-security.php/google-android-market-is-infected