
SecurityWeek

Mobile & Wireless

IRC Bot for Android Masquerades as Madden NFL 12

Denis Maslennikov, a mobile security expert from Kaspersky Lab, has discovered what he says is the first IRC bot for Android he has seen.

While he wasn’t able to determine how the file is being propagated, he said that after installation, the malicious Android application disguises itself as “MADDEN NFL 12”, a mobile version of the popular NFL football video game.


What’s more interesting, he said, was that the malware is packaged with a root exploit and an SMS Trojan, working in tandem and providing the attacker with full access to an infected Android device.

According to Maslennikov, the malicious package is over 5MB in size and works by dropping a set of malware components onto the system, including a root exploit, an SMS Trojan and an IRC bot. The .class file “AndroidBotAcitivity” contains the dropper functionality, he said.

Maslennikov explains the process in detail in his blog post. In short, the malware creates a directory with read, write and execute permissions for all users (so any application on the device can read or alter the dropped components), installs a series of files into it, and launches the IRC bot, “footer01.png”.

While the IRC bot component may be the first he has seen, the SMS Trojan component appears to be a slight modification of previously discovered Android malware, the “Foncy” SMS Trojan. “The Trojan hasn’t been modified much,” Maslennikov noted.

But there is one notable difference between this particular variant of Foncy and earlier ones. “This modification will upload all incoming messages from a premium-rate number to a remote server instead of sending an SMS message to a cell phone number,” he explained. The Trojan uses the following format to upload data to the server: http://46.166.*.*/?={number}///{message_body}

While the IRC server was not reachable during his research, after the SMS Trojan is launched on the Android smartphone, the IRC bot attempts to connect to an IRC server and join the channel “#andros” using a random nickname. Following a successful connection, the infected device would be able to receive shell commands over the channel and execute them.
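The two network indicators just described, the SMS upload URL format and the IRC join to “#andros”, are what a defender would most want to match on. The following is an added example, not code from the article or from Kaspersky: a small Python detector run over constructed log lines. The log line layout, the function names, and the decision to match any host in 46.166.0.0/16 (the article masks the last two octets as “*.*”) are assumptions.

```python
"""Detect the two network indicators described above: the Foncy SMS upload
URL (http://46.166.*.*/?={number}///{message_body}) and the IRC bot joining
channel #andros.

Added example, not code from the article or from Kaspersky. The log line
layout, the function names and the decision to match any host in
46.166.0.0/16 (the article masks the last two octets) are assumptions.
"""
import re
from urllib.parse import unquote

# Upload format quoted in the article. The number is everything up to the
# "///" separator; the message body is whatever follows it, which may itself
# contain slashes, so it is matched greedily to end of line.
EXFIL_URL_RE = re.compile(
    r"^https?://46\.166\.\d{1,3}\.\d{1,3}/\?=(?P<number>[^/]*)///(?P<body>.*)$"
)

# IRC client command joining the channel named in the article.
IRC_JOIN_RE = re.compile(r"^JOIN\s+#andros(\s|$)", re.IGNORECASE)


def parse_exfil_url(url):
    """Return (number, message_body) if url has the Foncy upload format, else None.

    Both fields are percent-decoded, since the bot would have to encode
    spaces and '+' to put an SMS body in a URL.
    """
    m = EXFIL_URL_RE.match(url.strip())
    if m is None:
        return None
    return unquote(m.group("number")), unquote(m.group("body"))


def scan_log(lines):
    """Scan constructed log lines and return a list of hits.

    Assumed line layout: "<timestamp> <source-ip> <HTTP|IRC> <payload>" where
    payload is the full request URL for HTTP or the raw client command for IRC.
    Each hit is (line_number, indicator_name, details_dict).
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.strip().split(" ", 3)
        if len(parts) < 4:
            continue  # malformed or empty line; skip rather than crash
        _ts, src, proto, payload = parts
        if proto == "HTTP":
            parsed = parse_exfil_url(payload)
            if parsed is not None:
                number, body = parsed
                hits.append((n, "foncy_sms_upload",
                             {"src": src, "number": number, "body": body}))
        elif proto == "IRC" and IRC_JOIN_RE.match(payload):
            hits.append((n, "irc_bot_join_andros",
                         {"src": src, "payload": payload}))
    return hits


# Constructed sample log: one upload of a premium-rate SMS, one benign request
# to the same host, one request with the right shape but the wrong host, an
# IRC nickname registration, the #andros join, and a benign join.
SAMPLE_LOG = [
    "2012-01-12T10:03:11Z 10.0.0.7 HTTP http://46.166.12.34/?=4546///Your%20activation%20code%20is%2099117",
    "2012-01-12T10:03:12Z 10.0.0.7 HTTP http://46.166.12.34/index.html",
    "2012-01-12T10:03:13Z 10.0.0.9 HTTP http://example.com/?=4546///not%20foncy",
    "2012-01-12T10:03:20Z 10.0.0.7 IRC NICK a7f3k2q",
    "2012-01-12T10:03:21Z 10.0.0.7 IRC JOIN #andros",
    "2012-01-12T10:03:25Z 10.0.0.9 IRC JOIN #linux",
]

if __name__ == "__main__":
    for line_no, indicator, details in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {indicator} {details}")
```

Run stand-alone, the script reports only lines 1 and 5 of the sample log. Matching the whole 46.166.0.0/16 is deliberately broad because the article does not give the full address; in production you would narrow it to the observed host and pair the URL hit with the IRC join from the same source address to cut false positives.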

Kaspersky detects the malicious Android files as Trojan-Dropper.AndroidOS.Foncy.a, Exploit.Linux.Lotoor.ac, Backdoor.Linux.Foncy.a and Trojan-SMS.AndroidOS.Foncy.a.

In its threat report for the first half of 2011, Damballa said that the number of Android devices engaging in live communications with a command-and-control server reached nearly 40,000 at one point. While the figure is nowhere near the numbers of PCs under the control of cyber-criminals, it does represent a significant jump in malware targeting mobile phones, and Android devices in particular. 

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
