We've seen our fair share of Android malware hit the scene, but the folks over at Kaspersky Lab have stumbled upon something rather alarming: the first IRC bot for Android. For those unaware, an IRC bot is a program that sits in an IRC channel and carries out automated functions. While useful in many legitimate scenarios, IRC bots are also a long-standing command-and-control channel for malware, as in the case at hand. It's worth noting that, given the way this malware works, remote commands could be delivered over any medium - SMS, a web server, etc. The attacker has simply chosen IRC as the command channel.

The malware disguises itself as Madden NFL 12 - a seemingly trustworthy app. Despite the guise, the application actually consists of three malicious components: a root exploit (using Gingerbreak - more on why that's important in a bit), an SMS Trojan, and the IRC bot. Once installed, it extracts the three to /data/data/com.android.bot/files as "header01.png," "footer01.png," and "border01.png" respectively; the image extensions are purely cosmetic, meant to make the payloads look like harmless resource files. The directory is then given read/write/execute permissions so that the payloads can be run from it.
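To show what that dropper trick looks like from the defender's side, here is an added example (my code, not code from the article or from Kaspersky's analysis) that walks a directory like /data/data/com.android.bot/files and flags files whose extension says image but whose header or mode says executable. The sample files it builds are constructed stand-ins: the real payloads' contents are not reproduced, and which of the three names hides an ELF binary versus an APK is an assumption made here for illustration.

```python
"""Flag files that carry an image extension but hold executable content.

Added example for this article; not code from Kaspersky's analysis or from the
malware. The directory layout mirrors /data/data/com.android.bot/files, but the
file contents are constructed stand-ins, and the mapping of which name hides an
ELF binary versus an APK is an assumption made here for illustration.
"""
import os
import stat
import tempfile
from typing import Dict, List, Optional

# Header bytes of content a dropper commonly hides behind image-looking names.
EXEC_MAGIC = {
    b"\x7fELF": "ELF executable",
    b"dex\n": "Dalvik DEX",
    b"PK\x03\x04": "ZIP/APK",
    b"#!": "script",
}
IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif"}


def classify(head: bytes) -> Optional[str]:
    """Return the executable type the leading bytes indicate, or None."""
    for magic, kind in EXEC_MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def find_masqueraded_files(directory: str) -> List[Dict]:
    """Report files named like images whose content or mode says otherwise."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        if os.path.splitext(name)[1].lower() not in IMAGE_EXT:
            continue
        with open(path, "rb") as fh:
            head = fh.read(16)
        kind = classify(head)
        mode = os.stat(path).st_mode
        executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        # An image resource never needs the execute bit, and an "image" with an
        # ELF/APK/script header is not an image at all.
        if kind is not None or executable:
            findings.append({"file": name, "content": kind or "unknown",
                             "executable": executable})
    return findings


def build_sample_dir() -> str:
    """Create a constructed stand-in for the dropper's files directory."""
    d = tempfile.mkdtemp(prefix="com.android.bot-files-")
    samples = {
        # Names from the article; contents are fabricated here.
        "header01.png": b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8,  # root exploit (ELF)
        "footer01.png": b"PK\x03\x04" + b"\x00" * 12,               # SMS Trojan (assumed APK)
        "border01.png": b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8,  # IRC bot (ELF)
        "icon.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,             # genuine image
    }
    for name, data in samples.items():
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(data)
        # The article says the directory is made rwx; chmod 777 on the
        # payloads models that here, while the real image stays 0644.
        os.chmod(path, 0o644 if name == "icon.png" else 0o777)
    return d


if __name__ == "__main__":
    for finding in find_masqueraded_files(build_sample_dir()):
        print(finding)
```

Run against a real device you would point it at the app's files directory over adb (with root, since /data/data is private); the genuine icon.png is left alone while the three payloads are reported both for their headers and for the execute bit no image ever needs.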

The root exploit (header01.png) is executed first to gain root on the device - a prerequisite for the SMS Trojan and IRC bot to function. Fortunately, the root method used - Gingerbreak (CVE-2011-1823, a bug in Android's vold volume manager fixed in Android 2.3.4) - has been patched for quite some time now, so most devices shrug off the root attempt. That said, there are still devices susceptible to Gingerbreak (remember, we're talking on a global level here, not just the U.S.), so this is still very much a live threat. If the device is already rooted when the exploit runs, the malware simply requests Superuser access, which prompts the user. If that request is denied (as it should be), the application still tries to carry on - a move that makes little sense, as without root it can't progress any further.

In a scenario where the malware does successfully root the device, it then executes the second file: the SMS Trojan (footer01.png). Once running, the Trojan determines the device's country and sends SMS messages to a premium-rate number for that country (read: it costs the owner money). Replies from that premium-rate number are then blocked before they reach the inbox, so the phone's owner is completely oblivious to what is going on until the charges show up on the bill.
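The article doesn't say how this sample's Trojan suppresses the replies, but on Android of that era the standard way is for the app to register a broadcast receiver for android.provider.Telephony.SMS_RECEIVED at very high priority and abort the ordered broadcast before the messaging app sees it. That leaves a static fingerprint in the manifest, which is what the added example below looks for (my code, not the article's or Kaspersky's; both manifests are constructed, and the priority threshold is a choice of mine). It assumes the manifest has already been decoded from the APK's binary XML, e.g. with apktool.

```python
"""Static SMS-Trojan indicators in a decoded AndroidManifest.xml.

Added example; not from the article or Kaspersky's analysis. Both manifests
are constructed. Heuristic: SEND_SMS plus a high-priority receiver for
SMS_RECEIVED is the pairing that lets an app send premium-rate messages and
abort the incoming replies before the stock messaging app sees them.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SEND_SMS = "android.permission.SEND_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
HIGH_PRIORITY = 100  # threshold chosen here for illustration


def android_attr(name: str) -> str:
    """Qualify an attribute with the android: namespace for ElementTree."""
    return "{%s}%s" % (ANDROID_NS, name)


def sms_receivers(root: ET.Element) -> List[Tuple[str, int]]:
    """List (receiver name, priority) for every SMS_RECEIVED intent filter."""
    found = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(android_attr("name")) for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                priority = int(flt.get(android_attr("priority"), "0"))
                found.append((receiver.get(android_attr("name"), "?"), priority))
    return found


def sms_indicators(manifest_xml: str) -> Dict:
    """Summarise the manifest's SMS capabilities and flag the Trojan pattern."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(android_attr("name")) for p in root.iter("uses-permission")}
    receivers = sms_receivers(root)
    intercepts = any(prio >= HIGH_PRIORITY for _, prio in receivers)
    return {
        "package": root.get("package"),
        "send_sms": SEND_SMS in perms,
        "receive_sms": RECEIVE_SMS in perms,
        "sms_receivers": receivers,
        # Sending plus a high-priority intercept is the Trojan pairing;
        # either alone has plenty of legitimate uses.
        "suspicious": SEND_SMS in perms and intercepts,
    }


# Constructed manifests: a game that has no business touching SMS, and a
# messaging client that legitimately receives SMS at normal priority.
TROJANIZED_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.trojanized.game">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

MESSAGING_CLIENT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messaging">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".IncomingSms">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


if __name__ == "__main__":
    for xml in (TROJANIZED_GAME, MESSAGING_CLIENT):
        print(sms_indicators(xml))
```

The manifest check is cheap and works without running the app, but it is only a lead: the decompiled receiver still has to be read to confirm that it filters on the premium number and calls abortBroadcast(), and a manifest can legitimately carry both permissions (a full messaging app, for instance).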

After that, the IRC bot (border01.png) connects to a remote IRC server with a randomly generated nickname. (The server happens to be down at the moment, suggesting the operation may already be dead.) From there it can receive and execute any shell command sent to it - and since it runs as root, that amounts to handing the attacker full control of the device.
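The bot's control flow above (pick a nickname, join a channel, run whatever arrives as a message) is just IRC's text protocol, so an analyst looking at a capture or proxy log of such a session can pull the operator's commands straight out of it. The added example below does that; it is my code, not the article's or Kaspersky's, and the session it parses is constructed: the server, channel, nickname and commands are all made up, and the "C>"/"S>" direction tags stand in for whatever a capture tool would emit.

```python
"""Pull the shell commands out of an IRC command-and-control session.

Added example, not code from the article or Kaspersky; it models the flow the
article describes (random nickname, join a channel, commands arrive as
PRIVMSGs) over a constructed session. Server, channel, nick and the commands
themselves are made up. Lines are tagged "C>" (bot to server) and "S>"
(server to bot) as a capture tool or proxy log would.
"""
from typing import Dict, List, Optional, Tuple


def parse_irc_line(line: str) -> Tuple[Optional[str], str, List[str]]:
    """Split one RFC 1459 message into (prefix, COMMAND, params).

    The optional ':prefix' identifies the sender; a ' :' introduces the
    trailing parameter, which may contain spaces (this is where a shell
    command travels in a PRIVMSG).
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    params = line.split()
    command = params.pop(0).upper() if params else ""
    if trailing is not None:
        params.append(trailing)
    return prefix, command, params


def extract_bot_commands(session: List[str]) -> Dict:
    """Track the bot's nick and channels, then collect PRIVMSGs aimed at it."""
    nick: Optional[str] = None
    channels = set()
    commands: List[Tuple[str, str, str]] = []
    for raw in session:
        direction, _, msg = raw.partition(" ")
        prefix, cmd, params = parse_irc_line(msg)
        if direction == "C>" and cmd == "NICK" and params:
            nick = params[0]                       # the randomly chosen nickname
        elif direction == "C>" and cmd == "JOIN" and params:
            channels.update(params[0].split(","))  # JOIN accepts a comma list
        elif direction == "S>" and cmd == "PRIVMSG" and len(params) == 2:
            target, text = params
            # Only messages to the bot itself or to a channel it sits in can
            # reach the bot's command handler; other traffic is noise.
            if target == nick or target in channels:
                sender = prefix.split("!", 1)[0] if prefix else "?"
                commands.append((sender, target, text))
    return {"nick": nick, "channels": sorted(channels), "commands": commands}


# Constructed session; none of these hosts, nicks or commands are real.
SESSION = [
    "C> NICK xk29fq",
    "C> USER xk29fq 0 * :xk29fq",
    "S> :irc.example.invalid 001 xk29fq :Welcome to the network",
    "C> JOIN #c2",
    "S> :xk29fq!xk29fq@10.0.0.5 JOIN :#c2",
    "S> :op!op@198.51.100.7 PRIVMSG #c2 :id",
    "S> :op!op@198.51.100.7 PRIVMSG xk29fq :cat /proc/version",
    "S> :op!op@198.51.100.7 PRIVMSG xk29fq :ls -l /data/data/com.android.bot/files",
    "S> :other!u@203.0.113.9 PRIVMSG #unrelated :hello",
    "S> PING :irc.example.invalid",
    "C> PONG :irc.example.invalid",
]


if __name__ == "__main__":
    for sender, target, text in extract_bot_commands(SESSION)["commands"]:
        print(f"{sender} -> {target}: {text}")
```

Because IRC is plain text on a well-known port, the same parsing is what a network sensor would do to raise an alert on a handset that joins a channel and then receives lines that look like shell commands; the noise line to #unrelated and the PING/PONG keepalive are deliberately included so the filter on target is exercised.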

Fortunately, if you stick with the key app outlets - the Android Market, Amazon Appstore, and GetJar - you should be fine, as this type of malware is generally found in shady third-party markets and on sites that provide pirated applications.

While this particular piece of malware may already be dead in the water, it clearly shows that Android malware is evolving, becoming more complex and, above all, sneakier.

For more information, including a detailed analysis and code snippets, check out Kaspersky's Securelist blog.

Cameron Summerson
Cameron is a self-made geek, Android enthusiast, horror movie fanatic, musician, and cyclist. When he's not pounding keys here at AP, you can find him spending time with his wife and kids, plucking away on the 6-string, spinning on the streets, or watching The Texas Chainsaw Massacre on repeat.

  • Blah123

    People already think that Android is a buggy, virus infested mess. We don't need Android blogs fanning the flames when it was said by Chris DiBona himself that these malware claims are pretty baseless and only meant to sell antivirus crap.

    Wait...you were the one who wrote that article up here on AP. What happened there? Did you change your mind?

    Does Kaspersky have something to gain from posting this information about the big bad Android viruses?


    Yes. Yes they do.

    • Cameron Summerson

      It's unbiased coverage. I wrote about what DiBona said without expressing any personal feelings on the matter. The same thing applies here.

      That's why we're here - to let the community know what's going on with Android. We try to remain as objective as possible, and while Kaspersky may have "something to gain" by posting about any form of malware, that doesn't discredit the information. It's not as if they actually made this up - this is a real threat, with real code to back it up.

    • http://www.AndroidPolice.com Artem Russakovskii

      OK, people need to stop blindly repeating what Chris DiBona said and examine each case for what it's worth, without dismissing it with a generalized statement like his was.

      And there's a huge difference between antivirus programs being crap and some Android malware being able to do real damage. No matter what your take is on antivirus software, which indeed is usually pretty useless against new threats until they're discovered and analyzed, if people somehow get apps that auto-root their phones and make them part of a botnet, that's a whole different story.

      We don't know how this specific malware was spreading, and chances are it's not through the Market, but there's no reason it can't happen. 0day exploits for Android pop up from time to time, and I'm sure there are some that haven't been disclosed yet. We don't know whether Google can filter out and detect this or other exploits reliably 100%.

      And putting all of that aside, it's highly interesting from a security standpoint to know that Android malware has evolved to such a degree. At least it was to me.

    • http://droidsamurai.blogspot.com PixelSlave

      Close your eyes and ears, then pretend nothing bad is happening outside is the best strategy to defend the Android ecosystem, huh?

      Seriously, I like to use Android, but I won't make myself a brainless robot that supports it blindly.

      • Justin

        This is one of the reasons I highly support Google in keeping one click root apps off the Market. One of the best ways for them to track malicious apps is to look for exploit code right? I don't know for sure that'd why they do it, but it seems to me that having legit apps with the same code as malicious apps all over the Market would make it much harder to weed the bad ones out.

  • StarBaseONE2

    How slow manufacturers are to update devices, even after the fix is available, is a real problem in scenarios like this...
    It sure makes situations like this a bigger threat than they could be otherwise.

    • jcase

      Gingerbreak is long patched, and was quickly patched by most vendors. This malware is really a non-issue for most people; however, it shows that Android malware authors are evolving.

      • http://www.AndroidPolice.com Artem Russakovskii

        There are still plenty of devices out there that don't get patched for various reasons, whether the owner doesn't care/know, the device was abandoned by the manufacturer/carrier, etc.

  • Some dude

    Android malware? Shocker!


    • cosmic

      Malware on pirate sites? Shocker!

      • Deltaechoe

        Malware written for anything that could be considered a computer? Shocker!


  • cosmic

    As long as it sticks to the shady pirate section then I don't mind terribly. (yes I know it could sneak over to the official market)

  • free earthling

    I swear this is all fear tactics to get people to download antivirus software and give manufacturers a leg to stand on to lock up devices in order to protect consumers....next we will have the government blocking sites on the internet here in the US, like some dictatorship in some undeveloped country....oh wait they are already trying to pass that into legislation..........S.O.P.A

  • tacomuncher

    I know what ya mean, I downloaded a "free" anti-theft, virus, malware blah blah

  • Adam

    Some of you impress me. I was not aware the human body could live successfully in this modern world with such small (almost negligible) brains.
    Where in Cameron's article did it suggest to immediately go buy antivirus software? Exactly. Would you guys prefer that no one ever exposes/writes about possible new threats?
    If you don't like it there is an incredibly simple solution: go away.
    What I took away from the article: a fresh reminder to always check permissions and download from trusted sources. That is all. Now shut up.