June 10, 2011Armando Orozco By Armando Orozco

Android ‘Angry Birds’ Malware Contains Bot-like Code

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Android Trojan "Plankton" Angry Birds Rio Unlocker program iconMost of yesterday, Threat Research Analyst Armando Orozco and I took a closer look at a piece of malware discovered by a university security researcher, Xuxian Jiang of North Carolina State. The malicious code, which the malware creator named Plankton, is embedded into a number of apps that were briefly posted to Google’s Android Market earlier this week, then rapidly pulled down after the researchers informed Google of their initial findings.

The Plankton code appears in a number of applications that were all focused on the popular game series Angry Birds. Some of the samples we looked at came as Android apps with names like Angry Birds Rio Unlocker v1.0, Angry Birds Multi User v1.00 or Angry Birds Cheater Trainer Helper V2.0.

When executed, the program displays the following text on the screen:


Simply click on the button below to unlock ALL levels in Angry Birds Rio. This will not delete your scores but might change the number of pineapples and bananas you have

None of the programs function as advertised. Instead, the malicious apps install additional code into the Android device into which they’re installed. These additional functions provide remote access and control of the Android device to, presumably, the distributor of the malicious apps, whose identity remains unknown at this time.

Welcome!  Simply click on the button below to unlock ALL levels in Angry Birds Rio. This will not delete your scores but might change the number of pineapples and bananas you have

It’s nice that the creators of the Trojan labeled their code so distinctly. We can filter them off an infected device like a whale slurps krill.

Unlike several recently-disovered malicious apps, these Android Trojans don’t invoke various exploits on the Android device in order to obtain root, or administrative, access to the operating system. Instead, the remote commands simply give an unknown criminal access to what some may consider sensitive data on the phone, including the browser history, bookmarks, and homepage settings in the built-in Android browser.

When executed, the app also contacts a command-and-control server, which sends back instructions for the app to download an additional Java .JAR file. The app pulls down the .JAR file and installs it quietly in the background. We’re currently working on an analysis of these payloads; Early reports from the university researchers indicate that the payloads are simply reworked versions of the remote access code embedded in the Trojan, modified so they’re slightly harder to detect using existing antivirus signatures.

As we have following previous disclosures about novel Android malware, such as the recently discovered DroidKungFu, we’re currently protecting Android devices that have our Webroot Mobile app installed from Trojans such as Plankton.

And of course, Android users can protect themselves by using a little common sense when they download apps: Does the app sound like what it promises to do is too good to be true? Does it ask for all kinds of permissions that it shouldn’t need to fulfill its mission? Did you get it from the official Market or a legitimate app store such as Amazon, or from some random app collection? If you can answer yes to any (or all) of these questions, just don’t install the app.  Webroot blog stats

Share Button

16 Responses to Android ‘Angry Birds’ Malware Contains Bot-like Code

  1. Pingback: Google Pulls More Malware-Infected Apps From Android Market | Stop Spam Tips

  2. Pingback: Google removed more malware infected apps from Android Market | What's Under the Sun?

  3. Pingback: Google Pulls More Malware-Infected Apps From Android Market | All about Android posting

  4. Pingback: Google Android Market pulls out more malware-infected apps | Games and Me

  5. Pingback: Google removes malicious Angry Birds apps from Android Market | Games and Me

  6. Pingback: Anonymous

  7. Pingback: Angry Birds Rio Unlocker, apps falsas en la Android Market | Openanimo

  8. Pingback: Plankton – New Malware Detected In Android Market Apps | Pocketdroid

  9. Pingback: Malicious Apps In Android Market « HomeNetection

  10. Pingback: New malware may anger Angry Birds lovers | Simply Security

  11. Pingback: Watch out for malware hidden in Android apps

  12. I think smartphones is next target of hackers and malware developers. One question arise here is how to keep android device safe? I personally suggest to think twice before downloading and installing app from unverified sources like outside of the market.

  13. Pingback: ‘Tis the season for mobile malware « Webroot Threat Blog

  14. Pingback: TYCA Blog: Mobile Security Landscape in 2012 | TYCA Solutions Inc.

Leave a Reply

Your email address will not be published. Required fields are marked *