PluginPhantom Android Trojan Runs On DroidPlugin framework

Security researchers at Palo Alto Networks are warning of new Android malware that allows an attacker to collect sensitive information such as files, contacts, call logs and even the user's location. That is not all: PluginPhantom can also take photos on infected devices.

PluginPhantom is distributed using DroidPlugin, a legitimate framework created by the Chinese company Qihoo 360. DroidPlugin is an application-level virtualization/proxy framework that runs APKs as plugins of a host app: the plugin APK runs on the local system without being installed, modified or repackaged. This means that, through DroidPlugin, a host app can run any plugin app, including PluginPhantom.


Plugin Architecture of PluginPhantom

The APK file embeds nine plugins: three of them provide the required functionality (running tasks and updates), and the remaining six perform the malicious actions described above. The malware can be updated or modified by its developers easily and at any moment, and every infected system receives the update without the malware having to be reinstalled.
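A triage heuristic that follows from this architecture: a host APK carrying its functionality as embedded plugin APKs can be spotted by opening the host as a ZIP and looking for nested archives that themselves contain an AndroidManifest.xml and classes.dex. The script below is an added example written for this article, not code from Palo Alto Networks or the DroidPlugin project; it assumes each plugin is stored as a whole ZIP entry (the article does not state how PluginPhantom stores its nine plugins), and the host APK it inspects is constructed in memory.

```python
"""Triage heuristic: list plugin APKs embedded inside a host APK."""
import io
import zipfile
from typing import Dict, List

# An entry counts as an APK when both markers are present in it.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


def embedded_apks(apk_bytes: bytes) -> List[str]:
    """Return names of host entries that are themselves APKs.

    Only the host archive is inspected; plugins are not recursed into.
    The file extension is ignored, so a plugin renamed to .bin is still found.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as host:
        for name in host.namelist():
            data = host.read(name)
            # Cheap pre-check: ZIP local file header magic.
            if not data.startswith(b"PK\x03\x04"):
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    if APK_MARKERS <= set(inner.namelist()):
                        found.append(name)
            except zipfile.BadZipFile:
                continue
    return found


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Build a minimal ZIP archive in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def constructed_host() -> bytes:
    """Constructed host APK: three embedded plugin APKs plus a decoy ZIP."""
    plugin = build_zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035"})
    decoy = build_zip({"readme.txt": b"a zip, but not an APK"})
    return build_zip({
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": b"dex\n035",
        "assets/core.apk": plugin,
        "assets/update.apk": plugin,
        "assets/data.bin": plugin,  # disguised extension, still detected
        "assets/notes.zip": decoy,
    })


if __name__ == "__main__":
    print(embedded_apks(constructed_host()))
```

Comparing the number of embedded APKs against the nine plugins described above, and diffing the set across updates, gives an analyst a quick way to track changes to the malware's modules without reversing the host.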

According to Palo Alto Networks: “The plugin technology might be a replacement of the repackage technique in the future. The plugin malware only needs to launch the original app as one plugin, and later launch malicious modules as other plugins. Even though the PluginPhantom is the first malware using the legitimate DroidPlugin framework, we will continue to watch and report this threat as attackers may use other plugin frameworks and launch more attacks.”
