Mobile Threat Blog

  • Mobile
    Security Insights
  • Mobile
    Threat Research
  • Mobile
    Security Tips
Android Trojan Phantom Plugin

It’ll be great to log-in to two of your Facebook or WhatsApp accounts simultaneously on one mobile device. A framework, called DroidPlugin, just enabled that by allowing an app to load other apps without any user interference. Despite its good intention, this framework recently has been abused to create a Trojan, called “PluginPhantom”.


  • PluginPhantom does not exploit any weaknesses in Android OS, such as root exploit, although it has the capability to do so. Currently, it simply asks for a bunch of permissions from users. It then abuses these permissions in order to perform malicious actions with its Command and Control (C&C) server.
  • PluginPhantom accesses a user’s contacts, camera, location, audio, wifi, keyboard and file system. It includes functions to record photos and audio, capture the user’s keystrokes and intercept SMSes. All these malicious functions are located in hidden APK files.
  • The most interesting characteristic of PluginPhantom is its method of secretly loading malicious APK files using the DroidPlugin framework. DroidPlugin is an open-source legitimate framework for loading external codes dynamically which is sometimes used to load two instances of the same app (such as two Facebook instances) on a single device, so that users can log-in to two different accounts. But loading codes dynamically itself is a risky behavior that PluginPhantom leverages by abusing the DroidPlugin framework as a new alternative to loading DEX or JAR files.
  • Appthority’s dynamic engines can detect PluginPhantom but have not detected infections of trojanized apps on our customers’ devices.


  • PluginPhantom is not widespread nor has it caused serious damage. However, its new method of dynamic code loading is something that security researchers should be aware of.
  • With a ‘malware detected’ policy in place, Appthority customers can detect any apps in their environment with the PluginPhantom trojan. Additionally, instructions for finding apps using the DroidPlugin framework are posted in the Appthority Support Knowledge Base here.
  • For all enterprises, Appthority recommends a strong device policy preventing apps from untrusted sources being downloaded to corporate mobile devices. Untrusted sources include 3rd party app stores, sideloaded apps, and apps that are not installed by corporate approved app stores (e.g, Google Play or Google Play for Work).
  • End users should avoid using apps that ask for extensive permissions and be suspicious of downloading any apps that lack justification for permission requests in the Privacy Policy or End User License Agreement (EULA).


Image Credit: ThreatPost