We've seen our fair share of Android malware hit the scene, but the guys over at Kaspersky Labs have stumbled upon something rather alarming: the first IRC bot for Android. For those unaware, an IRC bot is a tool that provides automated function inside of an IRC channel. While very useful in many scenarios, IRC bots are also often used for malicious intent, such as the case at hand. It's worth noting here that, with the way this attack works, remote commands could be sent via any medium - SMS, webserver, etc. The attacker has just chosen IRC as the platform for this exploit.

Once installed, the malware (ironically) disguises itself as Madden NFL 12 - a seemingly trustworthy app. Unlike this guise may suggest, though, the application actually consists of three malicious components: a root exploit (using Gingerbreak - more on why that's important in a bit), an SMS Trojan, and the IRC bot. The files are extracted and stored in /data/data/com.android.bot/files as "header01.png," "footer01.png," and "border01.png" respectively. The directory is then given read/write/executable permissions.

The root exploit (header01.png) is first executed in order to give the device root access - a requisite for the SMS Trojan and IRC bot to function. Fortunately, the root method used - Gingerbreak - has been patched for quite sometime now so most devices are left unaffected by the root attempt. With that said, there are still some devices susceptible to Gingerbreak (remember, we're talking on a global level here, no just U.S.), so this vulnerability is still very much a threat. If the device in question is already rooted when the exploit attempts to run, it will request Super User access, thus prompting the user. If this request is denied (as it should be), then the application attempts to run anyway - a move that makes little sense, as the app won't be able to progress any further.

In a scenario where the device in question is successfully rooted by the malware, though, it will then execute the second file: the SMS Trojan (footer01.png). Once executed, the Trojan discovers the device's country and send SMS message to an applicable premium rate number (read: it charges money). All returned requests from said premium rate number are then blocked, so the phone's owner is completely oblivious to what is going on.

After that, the IRC bot connects to a remote IRC server (which happens to be down at the moment, suggesting it may already be dead) with a random nickname. From there it can receive and execute any shell command, basically giving the attacker control of the whole system.

Fortunately, if you stick with the key app outlets - the Android Market, Amazon Appstore, and Getjar - you should be good to go, as this type of malware is generally found in shady third-party markets and on sites that provide pirated applications.

While this particular exploit may already be dead-in-the-water, it clearly shows that Android malware is evolving, becoming more complex, and, most of all, more sneaky.

For more information included detailed analysis and code snippets, check out Kaspersky's Secure List blog