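Analyzing the technologies that criminals use lets us predict how they are likely to develop, so that we can defend more effectively against threats we may face in the future. You can also learn how malicious programs operate in an infected system and how to defend against them.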
Programs detected as Android.Plankton contain the code of a software development kit (SDK) from an advertising network used to monetize Android applications. These programs can gather various device-related information (for example, the phone number and IMEI) and send it to a remote server. Moreover, they can add bookmarks in a browser and change its start page, create shortcuts on the Home Screen, download and install additional programs, and so on.
The advertising module is implemented as a service that launches once the original application is run. Once the service is active, confidential information is gathered and sent to the server, and the server issues commands based on this information. In particular, the module can receive a URL from which to download and install APKs named as follows: plankton_v[package.version].jar (for example, plankton_v0.0.3.jar and plankton_v0.0.4.jar). These applications, which are also detected as Android.Plankton, serve the purpose of executing commands received from the command and control server. The packages are launched using DexClassLoader, which allows programs to be loaded dynamically into RAM without an appropriate prompt being displayed.
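The two traits described above can be turned into a triage check. The following is an added example, not code from the vendor or from the SDK: it looks for the plankton_v[package.version].jar naming scheme in log lines or file paths, and for a DexClassLoader reference inside the DEX files of an APK. The function names, the size limit, the host name and all sample data are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Naming scheme given on the page: plankton_v[package.version].jar
PAYLOAD_NAME = re.compile(r"(?:^|[/\\=])(plankton_v\d+(?:\.\d+)*\.jar)(?=$|[?#&\s])", re.I)
# Type descriptor stored in a DEX string table when code references the class
DEX_LOADER = b"Ldalvik/system/DexClassLoader;"
MAX_ENTRY = 64 * 1024 * 1024  # skip oversized entries instead of inflating them

def payload_names(lines):
    """Return payload file names seen in URLs or file paths, in order."""
    return [m.group(1) for line in lines for m in PAYLOAD_NAME.finditer(line)]

def dex_loader_entries(apk_bytes):
    """Return names of DEX entries in an APK/JAR that reference DexClassLoader."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.file_size > MAX_ENTRY:
                continue
            data = apk.read(info)
            if data.startswith(b"dex\n") and DEX_LOADER in data:
                hits.append(info.filename)
    return hits

def build_archive(entries):  # in-memory ZIP from {name: bytes}, for the samples only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed samples: fake DEX blobs and proxy-log lines, not real malware or traffic
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 32
SUSPECT_APK = build_archive({
    "classes.dex": FAKE_DEX + DEX_LOADER + b"\x00",
    "res/raw/notes.txt": b"text mentioning " + DEX_LOADER,  # not a DEX file
})
CLEAN_APK = build_archive({"classes.dex": FAKE_DEX})
PROXY_LOG = [
    "GET http://cdn.example.test/files/plankton_v0.0.3.jar 200",
    "GET http://cdn.example.test/files/plankton_v0.0.4.jar?id=1 200",
    "GET http://cdn.example.test/files/myplankton_v1.jar 200",
    "GET http://cdn.example.test/files/plankton_v0.0.3.jar.txt 200",
]

if __name__ == "__main__":
    print(payload_names(PROXY_LOG), dex_loader_entries(SUSPECT_APK), dex_loader_entries(CLEAN_APK))
```

A DexClassLoader reference also appears in legitimate applications, so a hit from `dex_loader_entries` is a reason to look closer, not a verdict; the file-name match is the more specific of the two signals.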
Later modifications of the SDK cannot download additional program packages and do not have some other features. However, they are still unwanted for the majority of users and, therefore, these later modifications are detected not as malware but as adware applications under the name of Adware.Startapp.
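According to statistics, one in five Android programs contains a vulnerability (in other words, a flaw) that allows criminals to successfully plant a mobile Trojan on a device and carry out the actions they need.
The Security Auditor in Dr.Web for Android diagnoses and analyzes the security of a mobile device and, when it finds problems and vulnerabilities, suggests solutions.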