IRC Bot for Android Masquerades as Madden NFL 12

Denis Maslennikov, a mobile security expert from Kaspersky Lab, has discovered what he says is the first IRC bot for Android he has seen.

While he wasn’t able to determine how the file is being propagated, he said that after installation, the malicious Android application disguises itself as “MADDEN NFL 12”, a mobile version of the popular NFL football video game.

What’s more interesting, he said, was that the malware is packaged with a root exploit and an SMS Trojan, working in tandem and providing the attacker with full access to an infected Android device.

According to Maslennikov, the malware has a file size over 5MB, and acts by dropping a set of malware components into the system, including a root exploit, SMS Trojan and IRC bot. The .class file “AndroidBotAcitivity” maintains the dropper functionality, he said.

Maslennikov explains the process in detail in his blog post, but the malware creates a directory with full read/write/execute privileges for all users, installs a series of files, and launches the IRC bot, “footer01.png”.

While the IRC bot functionality may be the first he’s seen, it does appear to be a slight modification of previously discovered Android malware, “Foncy SMS Trojan”. “The Trojan hasn’t been modified much,” Maslennikov noted. 

But there is one notable difference between this particular variant of Foncy and others. “This modification will upload all incoming messages from premium rate number to a remote server instead of sending an SMS message to cell phone number,” he explained. The Trojan uses following format to upload data to a server: http://46.166.*.*/?={number}///{message_body}

While the IRC server was not reachable during his research, after the SMS Trjoan is launched on the Android smartphone, the IRC bot attempts to connect to an IRC server on channel “#andros” and using a random nickname. Following a successful connection to the IRC server, the infected device would be able to receive shell commands and execute them on an infected device.

Kaspersky detects the malicious android files as Trojan-Dropper.AndroidOS.Foncy.a, Exploit.Linux.Lotoor.ac, Backdoor.Linux.Foncy.a and Trojan-SMS.AndroidOS.Foncy.a.

In its threat report for the first half of 2011, Damballa said that the number of Android devices engaging in live communications with a command-and-control server reached nearly 40,000 at one point. While the figure is nowhere near the numbers of PCs under the control of cyber-criminals, it does represent a significant jump in malware targeting mobile phones, and Android devices in particular.