{
	"id": "2c506bcd-4904-4755-8da1-386495437e00",
	"created_at": "2026-04-06T00:10:02.635018Z",
	"updated_at": "2026-04-10T13:11:20.819144Z",
	"deleted_at": null,
	"sha1_hash": "2afcb3a617934dcbc2d4c0c2f7de67c48bf26bd8",
	"title": "PluginPhantom: New Android Trojan Abuses “DroidPlugin” Framework",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 471915,
	"plain_text": "PluginPhantom: New Android Trojan Abuses “DroidPlugin”\r\nFramework\r\nBy Cong Zheng, Tongbo Luo\r\nPublished: 2016-11-30 · Archived: 2026-04-05 13:55:08 UTC\r\nRecently, we discovered a new Google Android Trojan named “PluginPhantom”, which steals many types of user\r\ninformation including: files, location data, contacts and Wi-Fi information. It also takes pictures, captures\r\nscreenshots, records audio, and intercepts and sends SMS messages. In addition, it can log keyboard input through the\r\nAndroid accessibility service, acting as a keylogger.\r\nPluginPhantom is a new class of Google Android Trojan: it is the first to update itself and to evade static\r\ndetection by leveraging Android plugin technology. It abuses the legitimate and popular open\r\nsource framework “DroidPlugin”, which allows an app to dynamically launch other apps as plugins without\r\ninstalling them in the system. PluginPhantom implements each element of its malicious functionality as a plugin, and\r\nuses a host app to control the plugins. With the new architecture, PluginPhantom gains the flexibility to\r\nupdate its modules without reinstalling apps. PluginPhantom also gains the ability to evade static detection by\r\nhiding malicious behaviors in plugins. Since the plugin development pattern is generic and the plugin SDK can be\r\neasily embedded, the plugin architecture could become a trend among Android malware in the future.\r\nEvolution of PluginPhantom\r\nWe believe PluginPhantom is a successor to the Android Trojan “Android.Trojan.Ihide”, which was discovered by\r\nTrustLook in July of 2016, since they share the same certificate and package name. PluginPhantom not only\r\nincludes and improves all malicious functionality from “Android.Trojan.Ihide”, but also adopts a very\r\ninnovative architecture. In the new architecture, the original malware app is divided into multiple plugin apps\r\nand a single host app. 
The host app embeds all plugin apps, which implement\r\ndifferent functional modules, in its resources. After victims install the host app, it can directly load and launch the plugin apps without\r\ninstalling them, by abusing the legitimate open source plugin framework DroidPlugin [2].\r\n1. Introduction of DroidPlugin:\r\nDroidPlugin is an innovative application-level virtualization/proxy framework, which was originally developed\r\nfor hot patching, reducing released APK size, and removing the 65535-method limit. A\r\npopular application scenario of DroidPlugin is launching multiple instances of an app on the same device (e.g. using\r\nmultiple accounts in social apps). Fundamentally, DroidPlugin is very different from the widely known dynamic code\r\nloading (e.g. loading a dex or jar file), since it can directly load and launch an app from its APK file without\r\ninstallation. There are five basic concepts or mechanisms in the implementation of DroidPlugin:\r\nShared UID. All plugin apps share the same UID with the host app.\r\nPre-defined stub components and permissions. The host app has pre-defined components and\r\npermissions for plugin apps.\r\nhttps://unit42.paloaltonetworks.com/unit42-pluginphantom-new-android-trojan-abuses-droidplugin-framework/\r\nPage 1 of 7\n\nDynamic Proxy Hook. The host app hooks the API invocations of plugin apps using the dynamic proxy\r\ntechnique, so that the Android system believes all API requests and components come from the host app.\r\nResource loading. As the plugin app is not installed in the system, the host app must take over the\r\nloading of app resources in the plugin app process.\r\nComponent Lifecycle Management. When a component in the plugin process is ready to be destroyed,\r\nthe corresponding stub component should also be destroyed simultaneously.\r\n2. Plugin Design of PluginPhantom:\r\nIn the plugin design architecture, PluginPhantom has one host app (i.e. 
the malicious APK we captured) and nine\r\nplugin apps that are embedded in the host app as asset files. Among these nine plugins, there are three core plugins\r\n(“task”, “update” and “online”) and six additional plugins (“file”, “location”, “contact”, “camera”, “radio” and\r\n“wifi”), shown in Figure 1.\r\nFigure 1 Plugin Architecture of PluginPhantom\r\nThe host app, as the controller and entry point of PluginPhantom, schedules plugin apps by launching them\r\nand sending commands. In the initialization stage, the host app loads the nine APK files from its asset files and installs them\r\nas plugins in the DroidPlugin framework. Then, the host app can launch and communicate with the plugins in the same\r\nway it would with normal apps installed on Android.\r\nThe online plugin connects to the command and control (C2) server to upload device information (e.g. the screen\r\nstate, the battery level and the free RAM size) and retrieve commands to execute. The online plugin first\r\nfinishes a “ThrowOut” step to probe the remote server by sending a “UUID” (from\r\n“java.util.UUID.randomUUID()”) over a UDP socket. If the “UUID” is sent successfully, the online plugin\r\nthen uses a WebSocket to pull command data from the server.\r\nThe task plugin fetches the command data through the bridge of the host app. According to the command\r\ntype, the task plugin forwards commands to the six additional plugins to launch different attacks. The task plugin\r\nalso uploads stolen data to the remote server through the WebSocket. In addition, if it receives the “update” command type, the task plugin launches the\r\nupdate plugin to download new plugin APK files and update the plugins.\r\nOnce the update plugin finishes downloading plugins, the task plugin sends a message to the host app to reload\r\nand relaunch the plugins.\r\n3. 
IPC and Data Sharing in PluginPhantom:\r\nIn the DroidPlugin framework, the host app and all plugin apps have different PIDs but the same UID. Thus, IPC\r\nbetween the host app and plugin apps, or among plugin apps, is the same as the IPC mechanism in the Android system.\r\nIPC in PluginPhantom includes Intents and AIDL. The host app can launch all plugin apps by starting the\r\nentry service of each plugin app with an Intent. In particular, to keep plugin services alive, the host app uses the alarm\r\nmanager to restart the entry service of plugin apps at an interval. In addition, AIDL is used for IPC between the\r\nhost app and plugin apps. For example, “AbsAidl” is used by the task plugin to send commands to the host app\r\nfor hooking keyboard inputs. The update plugin uses “ClientAidl”, “InfoAidl” and “PluginAidl” to synchronize\r\nthe updated plugin information with the host app.\r\nEven though Intents and AIDL can share some data, PluginPhantom mainly uses Content Providers and\r\nthe file system to share data between the task plugin and the six additional plugins. For example, the radio plugin gets\r\ncommands from the task plugin through the URI “content://***.task.cntPrv/Command”, and stores the command\r\nresponse and the recorded audio file paths in the URIs “content://***.task.cntPrv/CmdRespond” and\r\n“content://***.task.cntPrv/CmdRespondFile” respectively. Later, the task plugin parses the last two content\r\nproviders, and then reads and uploads the recorded audio files from the external storage path\r\n“/sdcard/AndroidMedia/.audio/record”.\r\nStealing Information through Plugins\r\n1. File Plugin\r\nThe file plugin scans a specific directory and retrieves information (e.g. file name, file type, file size, create time,\r\nedit time, file path, canonical path and read state) from the files inside it. It also scans media files in the external\r\nstorage and can download and delete specific files. 
During file operations, root privileges are used by the file\r\nplugin if necessary. In existing samples, PluginPhantom tries to use root privileges, but does not root the\r\ndevice. If the attacker wanted root access on the device, they could use the C2 channel to install an APK which\r\nexploits an unpatched local root vulnerability, but we have not yet observed this occur with PluginPhantom\r\ninfections.\r\n2. Location Plugin\r\nThe location plugin obtains both fine-grained and coarse-grained location information. It converts coordinates in\r\nthe Android default geographic coordinate system to coordinates in two other coordinate systems, which are used\r\nby Baidu Maps and Amap Maps, the top two navigation apps in China. To successfully obtain the location, the\r\nplugin can enable the WIFI, GPS (under Android 4.4) and mobile data (under or in Android 5.0) options.\r\n3. Contact Plugin\r\nThe contact plugin intercepts incoming SMS messages and phone calls for specific numbers received from the remote\r\nserver. To avoid detection, it turns off the ringtone and phone screen and deletes call logs when SMS messages and phone\r\ncalls come in. The contact plugin also steals call logs, device IDs and contact info (including deleted\r\ncontacts) from both the phone contact list and the SIM card contact list. Additionally, it sends SMS messages to\r\nspecific numbers, which it does after checking the current phone bill balance.\r\n4. Camera Plugin\r\nThe camera plugin takes pictures in the background through either the front or the back camera. It uses a surface\r\nview of size 0.1*0.1 for camera previewing, and a full screen Activity with a transparent theme and no title, so\r\nvictims may not be aware of this behavior. It also takes screenshots with the command “screencap -p” if it has\r\nobtained root privileges on the device.\r\n5. 
Radio Plugin\r\nThe radio plugin records audio in the background under two trigger conditions: commands from the remote\r\nserver and incoming/outgoing phone calls. To avoid detection, it doesn’t record audio if other apps are also\r\nrecording.\r\n6. WIFI Plugin\r\nThe WIFI plugin steals WIFI information (e.g. SSID, password, IP address, MAC address), software information\r\n(e.g. app name, version, last update time, whether it is a system app), running process information (e.g. PID, process name,\r\napp name, app resource path, app data path, timestamp), and trace information (e.g. browser history and\r\nbookmarks).\r\nStealing Keyboard Inputs through Accessibility in the Host App\r\nIn the host app, a developer-defined service named “AutoService” extends “AccessibilityService” to hook all\r\nGUI events in the system (Figure 2). First it needs to trick users into enabling the accessibility permission for this\r\napp using its description shown in Figure 3, which pretends to describe a fake “memory cleaning service.”\r\nFigure 2 Accessibility Service for hooking\r\nFigure 3 Lure users to enable the accessibility service\r\nThe host app uses the Android Accessibility feature to hook and operate on a specific Activity and package by\r\nreferring to the class name and package name, for two purposes:\r\n1. Grant or activate if a GUI dialog asks for authorization. If the text of a clickable button matches keywords in\r\n“this.b” (Figure 4), or the text of a checkbox matches the keywords “Don’t show this again” in “this.c” (Figure 4), the\r\napp will automatically click the button or the checkbox.\r\n2. Record keyboard input for specific apps. PluginPhantom logs user input, such as the text and window id,\r\nfor all leaf nodes in the UI tree (Figure 5). Thus, the victims’ input in EditText elements can be logged. 
Note\r\nthat password input cannot be logged: the text of a password EditText node is always empty since the password\r\nattribute of that node is true.\r\nFigure 4 Matched keywords for clicking\r\nFigure 5 Log the text and window id of the UI node\r\nConclusion\r\nWhile Android plugin technology is very popular in Android app development, it also gives\r\nmalware developers a chance to redesign malware in a more flexible way. Like the PluginPhantom family, malware can\r\neasily update or add modules by updating or installing plugin apps. In terms of evasion, plugin malware can\r\nhide all malicious behaviors in plugin apps, which can be downloaded and launched to bypass static detection.\r\nAdditionally, plugin technology might replace the repackaging technique in the future. Plugin\r\nmalware only needs to launch the original app as one plugin, and later launch malicious modules as other plugins.\r\nEven though PluginPhantom is the first malware using the legitimate DroidPlugin framework, we will\r\ncontinue to watch and report this threat, as attackers may use other plugin frameworks and launch more attacks.\r\nCustomers of Palo Alto Networks are protected by our WildFire, URL filtering and IPS services. 
AutoFocus\r\nusers can identify samples of this malware using the PluginPhantom tag.\r\nAcknowledgments\r\nWe greatly appreciate the help from Zhi Xu, Claud Xiao, Xin Ouyang, Ryan Olson and others from Palo Alto\r\nNetworks in working on the analysis of the PluginPhantom family.\r\nSample Hashes\r\nC2 Domains and URLs\r\n1519j010g4[.]iok[.]la\r\n58[.]222.39.215:8088/dmrcandroid/ws/httpsData/command\r\nSource: https://unit42.paloaltonetworks.com/unit42-pluginphantom-new-android-trojan-abuses-droidplugin-framework/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-pluginphantom-new-android-trojan-abuses-droidplugin-framework/"
	],
	"report_names": [
		"unit42-pluginphantom-new-android-trojan-abuses-droidplugin-framework"
	],
	"threat_actors": [],
	"ts_created_at": 1775434202,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2afcb3a617934dcbc2d4c0c2f7de67c48bf26bd8.pdf",
		"text": "https://archive.orkl.eu/2afcb3a617934dcbc2d4c0c2f7de67c48bf26bd8.txt",
		"img": "https://archive.orkl.eu/2afcb3a617934dcbc2d4c0c2f7de67c48bf26bd8.jpg"
	}
}