Infected Angry Birds apps discovered on Google Android Market

According to Xuxian Jiang, an associate professor in computer science with North Carolina State University, he identified a new infection – which he called Plankton – infecting bonus versions of Angry Birds.

After blogging about the problem early last week, and notifying Google about the issue, Jiang reports that the infected apps were pulled without warning from the Android Market.

Jiang's observations were picked up by Webroot's Andrew Brandt, who said that Plankton code appears in a number of applications that were all focused on the popular game series Angry Birds.

"Some of the samples we looked at came as Android apps with names like Angry Birds Rio Unlocker v1.0, Angry Birds Multi User v1.00 or Angry Birds Cheater Trainer Helper V2.0", he said in a security blog posting, adding the malware appears to offer to unlock access to the higher levels of the popular Rovio software.

None of the programs, he says, function as advertised. Instead, the malicious apps install additional code into the Android device into which they’re installed.

These additional functions, he adds, provide remote access and control of the Android device to, presumably, the distributor of the malicious apps, whose identity remains unknown at this time.

"Unlike several recently-discovered malicious apps, these Android Trojans don't invoke various exploits on the Android device in order to obtain root, or administrative, access to the operating system", he said

"Instead, the remote commands simply give an unknown criminal access to what some may consider sensitive data on the phone, including the browser history, bookmarks, and homepage settings in the built-in Android browser", he added.

And here's where it gets interesting, as the Webroot security researcher says that Plankton behaves like a botnet, since it seems to contact command-and-control server, which sends back instructions for the app to download an additional Java .JAR file.

The app, he reports, pulls down the .JAR file and installs it quietly in the background.

Brandt and his team are currently analyzing how the additional Java file functions and plan to report on its functionality in the next few days.

What’s hot on Infosecurity Magazine?