SecurityWeek

Mobile & Wireless

IRC Bot for Android Masquerades as Madden NFL 12

Denis Maslennikov, a mobile security expert from Kaspersky Lab, has discovered what he says is the first IRC bot for Android he has seen.

While he wasn’t able to determine how the file is being propagated, he said that after installation, the malicious Android application disguises itself as “MADDEN NFL 12”, a mobile version of the popular NFL football video game.

What’s more interesting, he said, was that the malware is packaged with a root exploit and an SMS Trojan, working in tandem and providing the attacker with full access to an infected Android device.

According to Maslennikov, the malware has a file size of over 5 MB and works by dropping a set of malware components onto the system, including a root exploit, an SMS Trojan and an IRC bot. The .class file “AndroidBotActivity” holds the dropper functionality, he said.

Maslennikov explains the process in detail in his blog post; in short, the malware creates a directory with full read/write/execute privileges for all users, installs a series of files, and launches the IRC bot, “footer01.png”.

While the IRC bot functionality may be the first he’s seen, it does appear to be a slight modification of previously discovered Android malware, “Foncy SMS Trojan”. “The Trojan hasn’t been modified much,” Maslennikov noted. 

But there is one notable difference between this particular variant of Foncy and others. “This modification will upload all incoming messages from a premium rate number to a remote server instead of sending an SMS message to a cell phone number,” he explained. The Trojan uses the following format to upload data to a server: http://46.166.*.*/?={number}///{message_body}

While the IRC server was not reachable during his research, after the SMS Trojan is launched on the Android smartphone, the IRC bot attempts to connect to an IRC server on channel “#andros” using a random nickname. Following a successful connection to the IRC server, the infected device would be able to receive shell commands and execute them locally.
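The two network indicators described above (the upload URL format and the join to “#andros”) are enough for a simple egress-log check. The following is an added example written for this article, not code from SecurityWeek or Kaspersky; the log line layout (timestamp, client host, record kind, payload) and the sample lines are constructed, and the wildcard octets in the article's URL are assumed to be ordinary IPv4 octets.

```python
import re
from urllib.parse import unquote_plus

# Upload URL format reported for this Foncy variant:
#   http://46.166.*.*/?={number}///{message_body}
# The article's wildcards are assumed to be plain one-to-three-digit octets.
UPLOAD_RE = re.compile(
    r"^https?://46\.166\.\d{1,3}\.\d{1,3}/\?=(?P<number>[+\d]*)///(?P<body>.*)$"
)
# The bot joins "#andros" under a random nickname, so the channel is the stable indicator.
IRC_JOIN_RE = re.compile(r"^JOIN\s+:?#andros(?:\s|$)", re.IGNORECASE)


def scan_line(line):
    """Classify one log line; returns a finding dict or None if nothing matches."""
    try:
        _ts, host, kind, payload = line.split(" ", 3)
    except ValueError:
        return None  # malformed line, ignore
    if kind == "GET":
        m = UPLOAD_RE.match(payload)
        if m:
            return {"host": host, "indicator": "foncy_sms_upload",
                    "number": m.group("number"),
                    "body": unquote_plus(m.group("body"))}
    elif kind == "IRC" and IRC_JOIN_RE.match(payload):
        return {"host": host, "indicator": "foncy_irc_join", "channel": "#andros"}
    return None


def scan(lines):
    """Run scan_line over every line and keep only the hits."""
    return [hit for hit in map(scan_line, lines) if hit]


# Constructed sample log lines (hypothetical proxy/IRC records, not real traffic).
SAMPLE_LOGS = [
    "2012-01-12T10:01:03 10.0.0.7 GET http://46.166.10.20/?=3644///Your+code+is+4431",
    "2012-01-12T10:01:09 10.0.0.7 GET http://example.com/index.html",
    "2012-01-12T10:02:15 10.0.0.7 IRC NICK a7f3kq",
    "2012-01-12T10:02:16 10.0.0.7 IRC JOIN #andros",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```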

Kaspersky detects the malicious Android files as Trojan-Dropper.AndroidOS.Foncy.a, Exploit.Linux.Lotoor.ac, Backdoor.Linux.Foncy.a and Trojan-SMS.AndroidOS.Foncy.a.

In its threat report for the first half of 2011, Damballa said that the number of Android devices engaging in live communications with a command-and-control server reached nearly 40,000 at one point. While the figure is nowhere near the numbers of PCs under the control of cyber-criminals, it does represent a significant jump in malware targeting mobile phones, and Android devices in particular. 

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.