PluginPhantom is an Android banking Trojan discovered by Palo Alto Networks in November 2016 and believed to be the successor to the Trojan “Android.Trojan.Ihide.” The Trojan utilizes the “DroidPlugin” framework to infect users’ devices and steal files, location data, contacts, WiFi information, and can log keystrokes, take pictures, capture screenshots, record audio, and intercept and send SMS messages. PluginPhantom uses updating to evade static detection by leveraging Android plugin technology. The malware uses “DroidPlugin” which allows an app to dynamically launch any app as a plugin without installing it to the system. PluginPhantom implements its malicious functionality as a plugin and utilizes a host app to control the plugins, allowing the malware to update is modules without reinstalling apps. The PluginPhantom Trojan exploits nine plugins: Online, Task, Update, File, Location, Contact, Camera, Radio, and Wifi.

Technical Details

  • Technical Details are provided by Palo Alto Networks and can be found here.

One example of the PluginPhantom variant. Image Source: Palo Alto Networks