Evolution of Android Malware: IRCBot Joins the Party

We all know how fast the smart phone market is growing. Along with it, the complexity and the numbers of mobile malware are also on the rise. While I was going through our mobile malware collection, I found an interesting piece of malware for Android. This malware acts as an IRC Bot, just as we have seen in Windows malware.

This malware binary is not a repackaged application as we have seen in the past. It masquerades as the game MADDEN NFL 12. The malware has three modules embedded into it: The main component is actually a dropper that drops a set of other components onto the compromised user device.

Figure 1: Android Malware Component

Upon installation, the malicious application drops these three malicious components:

  • Header01.png: Rooting Exploit
  • Footer01.png: IRCBot
  • Border01.png: SMS Trojan


Figure 2: Files in asset folder of the main component

What’s It All About?

The files header01.png and footer01.png masquerade as PNG image files, although they are originally ELF files. Header01.png acts as a rooting exploit; we already discussed this in an earlier blog. The purpose of this component is to root the device and then elevate the device’s privilege. Once the device is rooted, footer01.png connects to a remote IRC channel. The final component, boarder01.png, acts as Trojan that sends SMS messages to premium numbers. The other *.png files in the package are just random image files to thwart hash-based detection. This can be seen in the details of the three components.


Main Dropper Component

The main dropper has a size of more than 5MB. The class file AndroidBotActivity is responsible for dropping the other three malicious components onto the device as well as for setting the highest permission to the directory in which it drops these component files. This Android manifest file gives us a vague idea of what this malware binary is capable of: Their package names and labels have been branded as com.android.bot and AndroidBotActivity.


Figure 3: Android manifest file of the main component

Figure 4: Malicious class file AndroidBotActivity dropper code

The malicious class file creates the directory /data/data/com.android.bot/files and drops the three component files, the root exploit, IRCBot, and SMS Trojan in the folder of the compromised device. It then gives chmod 777 permission to that directory. Each number in chmod represents the permissions given to different users such as owner, group, and others; here the malware binary sets the permission to chmod to 777 to give read, write, and execute permission for all users to this folder.


Figure 5 : Setting file permission to chmod 777

Root Exploit Component

The root exploit component is nothing new, as we have already discussed it in my previous blog. However, the malware authors have slightly modified the code. The root exploit component, in simple terms, roots the device to its highest privilege so that the attacker can gain admin privilege and can execute commands from a remote server. Once the device is rooted, it executes the IRCBot component file header01.png.


Figure 6: Code to execute the IRCBot component

IRCBot Component

This is basically a backdoor Trojan that acts as an IRCBot to connect to a remote server and receive and execute commands.

On analyzing this malware binary further, we find that once the system is rooted it sets a marker “1,” which means the system is already rooted. Thus the malware can skip attempting to exploit a device that is already rooted and also from again executing the file footer01.png.


Figure 7 : IRCBot component silently installs the SMS Trojan component

The malware then connects to the remote IRC server 199.68.<removed> and generates a random user name that is used to log into the remote IRC channel.

The malware joins the IRC channel #andros and waits for commands from the attacker.

Once it starts receiving commands from the remote site, it parses them and performs the actions. We found three commands:

  • PRIVMSG #andros :[SH] – %s.
  • PRIVMSG #andros :[ID] – %d
  • PRIVMSG #andros :[EXIT] – exiting ordered.


SMS Trojan Component

The last component of the package is a regular SMS Trojan that sends SMS messages to premium numbers which charge the victim. This one also masquerade as a PNG image file but was originally an .apk file, an application package for Android. We have seen this type of premium SMS abuser many times in the past.

The difference in this malware binary when compared to others is, first, it retrieves the geo location of the SIM and based on the geo location it sends SMS to premium numbers corresponding to that geo location. This is carried out by the following snippet:


Figure 8: Snippet to get the geo location of the SIM


The Trojan sends SMS messages to the premium numbers if the SIM geo is found to be applicable.


Figure 9: Premium SMS numbers

The Trojan also has code to check the message body and sender of all SMS messages received. If the sender is found to be any of the numbers listed above, the malware aborts that message. This step is carried out by the abortBroadcast(); function.

The Trojan then broadcasts an SMS to a remote server along with the mobile number and the message body.


To sum it up, here is the flow diagram for this Android malware:


Figure 10: Flow diagram

Here’s an example of how dangerous this infection can be: If the victim receives a message from the bank that has a two-way authentication code, that message body–along with the mobile number–will be sent to the remote attacker, who can later compromise bank transactions. This alone tells us how serious this attack can be. However, we don’t know what the attackers do with this data, nor what their server-side code does.

In any case, this is a reminder that malware authors consider the Android platform their favorite mobile attack vector, and are coming up with new infection strategies to compromise users and their data. We expect this trend to continue thanks to the growing smart phone market as well as the continued increase of enterprise use, banking functionality, and other consumer usage.

We detect the main component of this malware as Android/Multi.dr, the root exploit component as Linux/Exploit-Lotoor.a, the IRCBot component as Android/IRCBot.a, and the SMS Trojan as Android/SMS.gen.

Leave a Comment

seventeen + thirteen =