Research: Trend Micro - More Adware and PLANKTON Variants Seen in App Stores
0503B2F6C1349F7E1CD7E8B6BF17AC46
11A7767BFE4926458EC84385214B82C9
1485F498084F963801ED76013749C9FA
4A300481411AB1992467959491DF412C
4B7450406A38B522E69DE1426604BF7F
5A1FD697C3ECD3D050B3D88D8A8649A1
66C6A88DF66F0C2CF9194C13809FE05A
67D85DFE26CDA45402CDAC3456D8A863
7220C948659F9990040C9C20D5FD04EF
8C7C8231DF0D799B12274B8B39C882B8
8D52070201F2A81FB1298E133D74057C
99E42DFA2C847FF0511F7C442999FFAA
A4D6033F66DA3BE83CBF80724CA013D1
AA6655B409B647065E19758AE5D242EA
B5BCAB6FE08C9B6229F5D053705DEE9B
B8B434AB21D394DAA0A9A78A515BD517
BC2EEE6F861843EA6FE5A4A14CB44372
CFB7E66B2FB605CC94DEBD01238B4995
DF473E3D789C63BAE99828044DA74500
E4BE39E5955FD3BD7AC97F58E66EF3E5
E7F0656486EEBFD9AB236451FD980BD4
E8063DE12976D371441F15F2C5715627
F134FC245E50F031ED8B4FAE3F1D4EB0
F1AA24C1641471F5FBEF08AE56A53FB4
FEE6F3AB17688600E0E15AED1489D9AE
Download (password: infected)
https://www.virustotal.com/file/368eb74ecc99ed42c6697ea5dbe80dfc4ff8c079723c789f486e4dff2de7e5fc/analysis/
SHA256: 368eb74ecc99ed42c6697ea5dbe80dfc4ff8c079723c789f486e4dff2de7e5fc
SHA1: 5aeba908e34545ea6f3b983f438acb12ce5ba7c6
MD5: 99e42dfa2c847ff0511f7c442999ffaa
File size: 3.2 MB ( 3382769 bytes )
File name: 99e42dfa2c847ff0511f7c442999ffaa.virus
File type: Android
Tags: android
Detection ratio: 8 / 42
Analysis date: 2012-09-05 03:35:26 UTC ( 1 day ago )
ClamAV Andr.Plangton-12 20120905
DrWeb Adware.Startapp.origin 20120905
ESET-NOD32 a variant of Android/Adware.AirPush.C 20120904
F-Prot - 20120905
F-Secure Application:Android/Counterclank.A 20120905
Kaspersky HEUR:Trojan.AndroidOS.Plangton.a 20120905
McAfee-GW-Edition - 20120905
Microsoft Trojan:AndroidOS/Plankton.gen!A 20120905
Sophos Andr/NewyearL-B 20120905
VIPRE Trojan.AndroidOS.Plankton.h (v) 20120905
ssdeep
49152:gooKLMF8fK4px1rs1IPiEWsty1JJsYQ7Q+gIx48FU70+ACAG94S/H02mdVv6:gzF8S471g16usty1slNC8FLPCH9Lmrv6
TrID
Android Package (63.3%)
Java Archive (28.7%)
ZIP compressed archive (7.9%)
ExifTool
MIMEType.................: application/zip
ZipRequiredVersion.......: 20
ZipCRC...................: 0x008c7512
FileType.................: ZIP
ZipCompression...........: Deflated
ZipUncompressedSize......: 25284
ZipCompressedSize........: 16519
ZipFileName..............: assets/manga_speak_bold.ttf
ZipBitFlag...............: 0x0808
ZipModifyDate............: 2012:08:30 16:55:15
Androguard
activities...............:
com.wallpapers.belsuefish.NicechristmasActivity, com.airpush.android.PushAds, com.mobclix.android.sdk.MobclixBrowserActivity
AndroidVersionCode.......: 3
Package..................: com.wallpapers.belsuefish
receivers................:
com.airpush.android.UserDetailsReceiver, com.airpush.android.MessageReceiver, com.airpush.android.DeliveryReceiver, com.wallpapers.belsuefish.BootReceiver
AndroidVersionName.......: 1.0
riskindicator............: 52.0
services.................:
com.airpush.android.PushService, com.apperhand.device.android.AndroidSDKProvider
MinSdkVersion............: 7
TargetSdkVersion.........: None
permissions..............:
UNINSTALL_SHORTCUT, READ_SETTINGS, INSTALL_SHORTCUT, INTERNET, INSTALL_SHORTCUT, WRITE_HISTORY_BOOKMARKS, INSTALL_SHORTCUT, ACCESS_NETWORK_STATE, SET_WALLPAPER, READ_HISTORY_BOOKMARKS, READ_SETTINGS, WRITE_EXTERNAL_STORAGE, RECEIVE_BOOT_COMPLETED, READ_SETTINGS, WRITE_SETTINGS, FLASHLIGHT, READ_PHONE_STATE, READ_SETTINGS, VIBRATE, INSTALL_SHORTCUT, READ_SETTINGS, READ_SETTINGS, ACCESS_WIFI_STATE, READ_SETTINGS
First seen by VirusTotal
2012-09-05 03:35:26 UTC ( 1 day ago )
Last seen by VirusTotal
2012-09-05 03:35:26 UTC ( 1 day ago )
File names (max. 25)
99e42dfa2c847ff0511f7c442999ffaa.virus
I disagree that this is Plankton. In fact, it can be argued whether it is malware at all, although I personally am inclined to classify it as such.
These apps just use the AirPush/Apperhand aggressive ad networks.
The name plankton is correct, but the problem functionality present in the original plankton - the ability to download and execute arbitrary dalvik code from the net - was removed from the later versions called Apperhand. So this is not malware, it is classified as a PUP.
Thank you for the corrections, I added that it is just related adware :)