This was a recent question from one of our readers, Jyoti Arora:
Virus in my tab! Android:Plangton-A [PUP] Anyone know anything about this?
The app in which it was found was downloaded from Getjar, and the virus appeared only after a recent update
Something similar was discussed back in mid-2011, but it hasn't disappeared. The GetJar market is to blame here, although not the entire market: a few applications are infected with the virus, and it keeps spreading. One can't rely on the Google Android Market or the GetJar market to keep apps clean and free of viruses, which is why we suggest installing an Android antivirus app and scheduling regular scans to keep the entire device safe, as viruses can corrupt the entire system.
When this happened earlier, some apps had been downloaded more than 100,000 times, and these popular apps were the ones affected by the Plankton framework. The Android Market later removed those apps after receiving reports that they were infected with the malware, but GetJar still has the apps available, and users aren't aware of it until they notice something happening and check with an antivirus.
A few apps were alleged to contain the so-called Chopcheec platform, and one developer reported the following apps as having it:
- Gun Bros Cheat Unlock All Purchases
- Shake To Fake call
- Favorite Games Backup
- Angry Birds Rio Unlocker
- Angry Birds Multiuser
- Angry Birds Cheater Trainer helper
- Time limit kids users bring me back my Droid
- Chit Chat Robo Chat Bathroom Time Chat
We will recheck which apps might still be affected, but there is nothing to worry about if you are downloading the above applications through the Google Play store.
This is what the logs show after the affected apps are downloaded and used:
The attack does not target any particular device or OS version; the apps themselves are affected, and the malware doesn't leave the other apps alone.
My phone is affected, how do I remove this Plankton virus?
Removing the virus is the first thing to do, but, just like a tumor in the body, complete removal is not guaranteed with the antivirus alone. You need to remove the entire application and check your entire file directory for viruses. If you still find something fishy, the only way to proceed is to reinstall the operating system.
The two things you need to do are to delete the application and to clear its app data and memory.
Once the OS is reinstalled, you can scan for the Plankton virus or search the system's activity logs directly for any activity from the Plankton framework; that will help you confirm whether traces of the trojan remain or whether it has been removed completely. The simple way of doing this is a “Factory Data Reset”, which you can do from the security settings section.
Tip: Most of the apps available on GetJar are also provided by the Play Store, and we trust the Play Store more than the GetJar store (not to blame the GetJar guys for this) because, when an app is reported, Google is quick to remove the problem-causing apps, which helps keep others secure. Although it's ‘just’ a mobile operating system, we suggest you install an antivirus to enhance security.
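To see which installed apps came from somewhere other than the Play Store, the listing produced by `adb shell pm list packages -i -3` can be filtered by installer. The script below is an added example, not part of the original article; the package names and the `com.example.altmarket` installer in the sample listing are constructed.

```shell
#!/bin/sh
# Added example: list third-party apps that were not installed by Google Play.
PLAY_INSTALLER="com.android.vending"   # installer package name of the Play Store

# Reads `pm list packages -i -3` output on stdin and prints
# "<package> <installer>" for every app whose installer is not the Play Store.
flag_non_play() {
    while IFS= read -r line; do
        case "$line" in
            package:*) ;;          # only package lines are of interest
            *) continue ;;
        esac
        pkg=${line#package:}       # drop the "package:" prefix
        pkg=${pkg%% *}             # keep the name, drop the installer field
        case "$line" in
            *installer=*) inst=${line##*installer=}; inst=${inst%% *} ;;
            *) inst="unknown" ;;   # no installer field on this line
        esac
        [ "$inst" = "$PLAY_INSTALLER" ] && continue
        printf '%s %s\n' "$pkg" "$inst"
    done
}

# Constructed sample of the listing format (not taken from a real device).
sample_listing() {
    cat <<'EOF'
package:com.example.birdsunlocker  installer=com.example.altmarket
package:com.example.notes  installer=com.android.vending
package:com.example.fakecall  installer=null
EOF
}

if [ "${1:-}" = "--device" ]; then
    # Live device over USB debugging; strip the carriage returns adb may add.
    adb shell pm list packages -i -3 | tr -d '\r' | flag_non_play
else
    sample_listing | flag_non_play
fi
```

Run it with `--device` to audit a connected phone. Anything it flags can be removed together with its data using `adb uninstall <package>`.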