Remove Android:Plankton [PUP] Virus from Android Device after Downloading Apps from GetJar

This was one of the recent questions from our readers, sent in by Jyoti Arora:
Virus in my tab! Android:Plankton-A [PUP] Anyone know anything about this?
The app in which it was found was downloaded from Getjar, and the virus appeared only after a recent update.

Something similar was discussed back in mid-2011, but it hasn’t disappeared. The GetJar market is to blame here, although not the entire market: a few applications are infected with the virus, and it keeps spreading. One can’t rely on the Google Android Market or the GetJar market to keep apps clean and free of viruses, which is why we suggest that people install an Android antivirus app and schedule regular scans to keep the entire device safe, as viruses can corrupt the entire system.

When this happened earlier, some of the affected apps had been downloaded more than 100,000 times, and these popular apps were the ones that carried the Plankton framework. The Android Market later removed those apps after receiving reports that they were infected with the malware, but GetJar still has the apps available, and users aren’t aware of it until they notice something wrong and check with an antivirus.

A few apps were alleged to contain the so-called Chopcheec platform, and one of the developers had reported the following apps as containing it:

  • Gun Bros Cheat Unlock All Purchases
  • Shake To Fake call
  • Favorite Games Backup
  • Angry Birds Rio Unlocker
  • Angry Birds Multiuser
  • Angry Birds Cheater Trainer helper
  • Time limit kids users bring me back my Droid
  • Chit Chat Robo Chat Bathroom Time Chat

We will recheck which apps might still be affected, but there is nothing to worry about if you are downloading the above applications through the Google Play store.

This is what the logs show after the affected apps are downloaded and used:

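A scanner log of this kind is easier to act on once it is narrowed to the family in question. The following is an added example, not part of the original article or of any antivirus product: it parses detection names in the two naming styles that appear on this page and totals the hits for one family. The sample log and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample (not the article's log) in the two naming styles seen on
# this page: "Platform/Family.Variant (count)" entries separated by commas, and
# the "Platform:Family-Variant [Tag]" style from the reader's report.
SAMPLE_LOG = (
    "Android/Adware.AirPush.A (2), Android/DroidKungFu.G (97), "
    "Android/Plankton.A, Android/Plankton.D (2), Android/Plankton.H, "
    "Android/Spy.Geinimi.E (42), Android:Plankton-A [PUP], JS/Iframe.CF,"
)
SLASH_STYLE = re.compile(
    r"^(?P<platform>\w+)/(?P<family>[\w.]+?)"
    r"(?:\.(?P<variant>[A-Z]{1,3}))?(?:\s*\((?P<count>\d+)\))?$")
COLON_STYLE = re.compile(
    r"^(?P<platform>\w+):(?P<family>\w+)"
    r"(?:-(?P<variant>[A-Za-z]+))?(?:\s*\[(?P<tag>\w+)\])?$")
COUNT_SUFFIX = re.compile(r"\s*\(\d+\)$")


def parse_detection(entry):
    """Parse one detection name; return None if it fits neither style."""
    entry = entry.strip()
    for pattern in (SLASH_STYLE, COLON_STYLE):
        m = pattern.match(entry)
        if m:
            d = m.groupdict()
            return {
                "name": COUNT_SUFFIX.sub("", entry),
                "platform": d["platform"],
                "family": d["family"].split(".")[-1],  # "Spy.Geinimi" -> "Geinimi"
                "variant": d["variant"],
                "count": int(d.get("count") or 1),  # no "(n)" means one hit
                "tag": d.get("tag"),
            }
    return None


def family_hits(log_text, family, platform="Android"):
    """Return ({detection name: count}, [unparsed entries]) for one family."""
    hits, unparsed = Counter(), []
    for raw in filter(None, (e.strip() for e in log_text.split(","))):
        det = parse_detection(raw)
        if det is None:
            unparsed.append(raw)  # keep for manual review, never drop silently
        elif det["platform"] == platform and det["family"].lower() == family.lower():
            hits[det["name"]] += det["count"]
    return dict(hits), unparsed


if __name__ == "__main__":
    print(family_hits(SAMPLE_LOG, "Plankton"))
```

Hits are keyed by the full detection name rather than by variant letter, because each vendor assigns variant letters independently and the same letter from two scanners does not imply the same sample.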

The attack does not target any particular device or OS version; the apps themselves are infected, and the malware doesn’t leave the other apps alone.

My phone is affected, how do I remove this Plankton virus?

Step 1:

Removing the virus is the first thing to do, but, just like a tumor in the body, removal is not guaranteed by the antivirus alone. You need to remove the entire application and scan your entire file directory for viruses. If you still find something fishy, the only way to proceed is to reinstall the operating system.

The two things you need to do are to delete the application and to clear the app data and memory of the app.

[Screenshots: Uninstall app; Delete app data]

Once the OS is reinstalled, you can scan for the Plankton virus or search the system’s activity logs directly for any activity from the Plankton framework; that will help you confirm whether traces of the trojan remain in the system or it has been removed completely. The simple way to do the reinstall is a “Factory Data Reset”, which you can do from the security settings section.

[Screenshot: Factory Data Reset]

Tip: Most of the apps available on GetJar are ones that the Play Store also provides, and we trust the Play Store more than the GetJar store (not to blame the GetJar guys for this) because, when an app is reported, Google is quick to remove the problem-creating apps, and this helps others with their security. Although it’s ‘just’ a mobile operating system, we suggest you install an antivirus to enhance the security.

  • Bob

    Unfortunately the official market itself isn’t safe either. I just ran a NOD32 scan on my computer after and my Titanium Backup was flagged. I looked at the subdirectory and com.AFTDMedia.starwars was infected with a Plankton Variant. After searching around I found that the culprit was:

    https://play.google.com/store/apps/details?id=com.AFTDMedia.starwars1&hl=en

    If NOD32 is correct, and I have little reason to doubt that it isn’t in this instance, then it shows just how lacking the market is in being capable of detecting malicious script within even the most popular games.

  • http://www.jyotiarora.com Jyoti Arora

    Hi,

    Thanks so much for the tips. The app I downloaded is not listed in the list you gave above. It is an app that downloads prayers from the net and plays them, along with some fancy stuff like bells etc. The app is available in the Google Play. I downloaded it from GetJar because that’s where I saw it while browsing.

    • http://www.amitbhawani.com/blog/ Amit Bhawani

      Yes, the list of the apps is just an example, and there are numerous apps like those which are available on websites which are not the Google Play Store. Better to always download official apps. Hope your issue is solved though.