Researchers at Palo Alto Networks' Unit 42 threat intelligence team spotted a new Google Android trojan named "PluginPhantom" which leverages the Android DroidPlugin technology to steal user information.
DroidPlugin allows an app to dynamically launch any app as a plugin without installing it in the system. PluginPhantom exploits this feature by implementing each element of malicious functionality as a plugin and utilizing a host app to control the plugins.
PluginPhantom is capable of taking pictures, capturing screenshots, recording audio, intercepting and sending SMS messages, and collecting information through file, location, contact, camera, radio, and Wi-Fi, as well as logging keyboard input via the Android accessibility service, acting as a keylogger.
This is a new class of Google Android trojan, as it is the first to abuse the Android "DroidPlugin" technology to enable updating and to evade static detection.
PluginPhantom implements malicious functionality as plugins that are loaded by the controlling host app.