Researchers at Palo Alto Networks' Unit 42 threat intelligence team spotted a new Google Android trojan named “PluginPhantom”, which is capable of leveraging Android's DroidPlugin technology to steal user information.
DroidPlugin allows an app to dynamically launch any app as a plugin without installing it in the system. PluginPhantom exploits this feature by implementing each element of malicious functionality as a plugin and using a host app to control the plugins, according to a Nov. 30 blog post.
PluginPhantom is capable of taking pictures, capturing screenshots, recording audio, and intercepting and sending SMS messages through file, location, contact, camera, radio, and Wi-Fi plugins. The trojan is also capable of stealing location data, contacts and Wi-Fi information, as well as logging keyboard input through the Android accessibility service, acting as a keylogger.
PluginPhantom is a new class of Google Android trojan, as it is the first to abuse Android “DroidPlugin” technology to enable updating and to evade static detection, Palo Alto Networks Unit 42 Intelligence Director Ryan Olson told SC Media.
“PluginPhantom implements malicious functionality as plugins that are loaded by the controlling host app,” Olson said. “Abusing plugin technology gives malware authors more flexibility: they can update malicious modules without reinstalling apps, enabling them to refine and improve their malware on the device.”
He went on to say that it also enables the malware to evade static detection by hiding malicious behaviors in plugins that are loaded later. The trojan doesn't exploit any particular vulnerability: the victim has to install the host app, which, once installed, downloads the malicious plugins as needed.
Olson said others will likely adopt this technique for malware in the future, given the advantages it affords hackers.
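Because the malicious behavior lives in plugins rather than in the host, static triage has to look at the host's ability to load code instead. The following is an added example, not code from Unit 42 or from the article: a Python check that flags an APK whose main dex references the DroidPlugin framework or that carries extra dex or APK payloads. The marker `com.morgoo.droidplugin` is the package name of the open-source DroidPlugin project and is not stated in the article; the function names and sample archives are constructed for illustration.

```python
import io
import zipfile

# Class-descriptor prefix of the open-source DroidPlugin framework as stored in
# a dex string table (assumption: the host was not repackaged or obfuscated).
DROIDPLUGIN_MARKER = b"Lcom/morgoo/droidplugin/"
ZIP_MAGIC, DEX_MAGIC = b"PK\x03\x04", b"dex\n"


def _contains_dex(blob):
    """True if blob is a zip archive holding at least one .dex entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as inner:
            return any(n.endswith(".dex") for n in inner.namelist())
    except zipfile.BadZipFile:
        return False


def triage_apk(apk_bytes):
    """Return (finding, entry_name) tuples for one APK given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            name, data = info.filename, apk.read(info)
            main_dex = "/" not in name and name.endswith(".dex")
            if main_dex and DROIDPLUGIN_MARKER in data:
                findings.append(("plugin-framework", name))  # host can load plugins
            elif not main_dex and data[:4] == DEX_MAGIC:
                findings.append(("bundled-dex", name))  # code outside classes*.dex
            elif data[:4] == ZIP_MAGIC and _contains_dex(data):
                findings.append(("bundled-apk", name))  # app shipped inside the app
    return findings


def _make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed samples: not real dex files, just enough bytes for the checks.
PLUGIN = _make_zip({"classes.dex": b"dex\n035\x00Lexample/plugin/Main;"})
HOST = _make_zip({"classes.dex": b"dex\n035\x00Lcom/morgoo/droidplugin/pm/PluginManager;",
                  "assets/camera.bin": PLUGIN})
BENIGN = _make_zip({"classes.dex": b"dex\n035\x00Lexample/app/Main;",
                    "res/raw/notes.txt": b"hello"})
```

A hit is a reason to follow up with dynamic analysis, not a verdict: legitimate apps also use plugin frameworks, and plugins fetched after installation leave nothing in the package for the payload checks to find.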