# Plankton
Aggressive adware discovered in June 2011 by Xuxian Jiang at NC State. Found in 10 Angry Birds add-on apps on the Android Market with 210,000+ downloads. Plankton was the first malware to use DexClassLoader for dynamic payload extension, downloading JAR files at runtime so that the malicious classes were absent from the APK that static analysis inspected. This technique became a standard evasion method for Android malware.
## Overview
| Property | Value |
|---|---|
| First Seen | June 2011 |
| Type | Spyware / Adware with bot capabilities |
| Attribution | Unknown |
| Aliases | Android.Counterclank (Symantec), Andr/NewyearL-B (Sophos) |
## Distribution
Found in 10 applications on the official Android Market, all disguised as Angry Birds add-ons and cheat tools. Over 210,000 downloads before removal.
## Capabilities
| Capability | Implementation |
|---|---|
| Dynamic code loading | First known use of DexClassLoader to load downloaded JAR files (each carrying a classes.dex) at runtime |
| Data harvesting | Device ID, permissions, bookmarks, browsing history, runtime logs |
| Permission piggybacking | Used host app's permissions to access device data |
| Payload delivery | C2 could push additional payloads including root exploits |
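A static triage check for the dynamic-loading technique in the table above, written for this page as an added example (not tooling from the original research or from any vendor): it walks a dex file's string table and reports references to Android's dynamic loader classes. The loader watchlist and the fixture builder are assumptions made for the example.

```python
import struct

# Dex header (Android dex format spec): string_ids_size at 0x38, string_ids_off at 0x3C.
HEADER_SIZE, STRING_IDS_SIZE_OFF = 0x70, 0x38

# Loader classes whose presence in the string table signals runtime code
# loading, the technique Plankton introduced (watchlist chosen for this example).
LOADER_CLASSES = ("Ldalvik/system/DexClassLoader;", "Ldalvik/system/PathClassLoader;",
                  "Ldalvik/system/InMemoryDexClassLoader;")

def read_uleb128(buf, pos):
    """Decode a ULEB128 value at pos; return (value, position after it)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def dex_strings(dex):
    """Walk the string_ids table and return every string_data_item as str."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a dex file")
    size, ids_off = struct.unpack_from("<II", dex, STRING_IDS_SIZE_OFF)
    out = []
    for i in range(size):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _utf16_len, p = read_uleb128(dex, data_off)  # ULEB128 length, then MUTF-8
        end = dex.index(b"\x00", p)
        # MUTF-8 matches UTF-8 for the ASCII descriptors we care about, so decode as UTF-8.
        out.append(dex[p:end].decode("utf-8", errors="replace"))
    return out

def loader_references(dex):
    """Return the watchlisted loader classes this dex references (empty if none)."""
    present = set(dex_strings(dex))
    return [c for c in LOADER_CLASSES if c in present]

def build_sample_dex(strings):
    """Constructed fixture: a dex containing only a header and a string table."""
    header = bytearray(HEADER_SIZE)
    header[:8] = b"dex\n035\x00"
    data_start = HEADER_SIZE + 4 * len(strings)
    ids, data = bytearray(), bytearray()
    for s in strings:
        ids += struct.pack("<I", data_start + len(data))
        data += bytes([len(s)]) + s.encode() + b"\x00"  # len < 128: one ULEB128 byte
    struct.pack_into("<II", header, STRING_IDS_SIZE_OFF, len(strings), HEADER_SIZE)
    return bytes(header + ids + data)
```

A hit is a triage signal, not a verdict: legitimate plugin frameworks and ad SDKs load code the same way, and the downloaded payload itself has to be recovered from the device or from the C2 traffic before it can be analysed.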
## Significance
Plankton's dynamic class loading technique became a foundational evasion method for Android malware. The Counterclank controversy (Symantec classified the related Apperhand SDK as malware, while other vendors disagreed) highlighted the line between aggressive adware and malware, a line that remains blurry in the grayware space today.