Analysis by: Bob Pan
 THREAT SUBTYPE:

Information Stealer

 PLATFORM:

Android OS

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Via app stores

This malicious app is known as Brightest Flashlight Free.

It gathers various information on the affected device. It may connect to a C&C server to send information gathered.

It is capable of setting bookmarks, setting browser homepage, and getting shortcuts on the device.

This backdoor may be manually installed by a user.

It does not have any propagation routine.

It does not drop any other file.

It does not have any downloading capability.

  TECHNICAL DETAILS

File Size: 1592291 bytes
File Type: APK
Memory Resident: Yes
Initial Samples Received Date: 16 Aug 2012
Payload: Compromises system security, Connects to URLs/IPs, Steals information

Arrival Details

This backdoor may be downloaded from the following remote site(s):

  • https://play.google.com/store/apps/details?id={BLOCKED}.brightestflashlight.free

It may be manually installed by a user.

Propagation

This backdoor does not have any propagation routine.

Dropping Routine

This backdoor does not drop any other file.

Download Routine

This backdoor does not have any downloading capability.

NOTES:

This malicious app is known as Brightest Flashlight Free.

It may connect to the following C&C server and send details regarding the infected device:

  • http://www.{BLOCKED}and.com/ProtocolGW/protocol/commands

The device details it sends include the following:

  • Android OS version
  • Brand
  • Device
  • Device ID (IMEI)
  • Display metrics
  • Locale
  • Manufacturer
  • Model
  • SDK version

It waits for the following commands from the server:

  • /activate
  • /bookmarks
  • /homepage
  • /info
  • /notifications
  • /optout
  • /shortcuts
  • /terminate
  • /dump_log
  • /commands_status
  • /unexpected_exception
  • /upgrade
  • /installation
  • /eula
  • /eula_status

It has the capability to do the following routines:

  • Get / set bookmarks
  • Get / set homepage of the browser
  • Get / set notification link, title, icon and text
  • Get / set shortcuts

It does not have rootkit capabilities.

It does not exploit any vulnerability.

  SOLUTION

Minimum Scan Engine: 9.200
TMMS Pattern File: 1.175.00
TMMS Pattern Date: 16 Aug 2012

Step 1

Trend Micro Mobile Security Solution

Trend Micro Mobile Security Personal Edition protects Android smartphones and tablets from malicious and Trojanized applications. The App Scanner is free and detects malicious and Trojanized apps as they are downloaded, while SmartSurfing blocks malicious websites using your device's Android browser.

Download and install the Trend Micro Mobile Security App via Google Play.

Step 2

Remove unwanted apps on your Android mobile device

[ Learn More ]

Step 3

Scan your computer with your Trend Micro product to delete files detected as ANDROIDOS_PLANKTON.D. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.

Related Malware