Android IRC Bot - This Ain't Your Granny's Android Malware (Or Maybe It Is)

As I'm sure many of you know, the rise of mobile-based malware has been on the rise for some time now. We've been steadily seeing this criminal space mature in the same way that malware on the Windows platform did in years past. A new milestone for mobile malware was recently discovered in the wild by Denis Maslennikov of Kaspersky Labs-- IRC bot control.

Screen shot 2012-01-17 at 12.29.45 PM

The specific malware was discovered to pose as a Madden NFL 2012 video game, and unfortunately, it is unclear where this specific sample was being hosted from. The VirusTotal results for the sample referred to can be found at VirusTotal. As we can see, there is currently very little detection in place for this amongst the anti-virus vendors (11/43). Of these detections, the majority of them appear to identify the Foncy SMS trojan component of the malware (detailed further below). In a simple experiment to test if detection would still occur in the event that the Foncy component was removed, it was discovered that a slightly smaller number of anti-virus vendors were still able to detect this 'variant'. The results can be seen at VirusTotal (8/43). A quick kudos to the anti-virus vendors that still detect this malware even with the SMS trojan functionality removed.

Inspection of the malware's AndroidManifest.xml (seen below) reveals certain characteristics which should stick out to even the untrained eye. The appearance of '.AndroidBotActivity' and 'com.android.bot' certainly sticks out in my mind, that perhaps this program isn't what it seems to be.

Screen shot 2012-01-17 at 12.49.05 PM

Once the APK is decompiled, we can see that overall there is very little functionality initially.

Screen shot 2012-01-17 at 12.24.13 PM

The malware begins by creating the '/data/data/com.android.bot/files' directory and changing its permissions to 777 (read, write, execute for owner, group, other). It then takes three embedded files, named header01.png, footer01.png, and border01.png to the previously created directory. The malware then attempts to change the permissions of header01.png to 777, and proceeds to run this file. Finally, it displays the text of '(0x14) Error - Not registered application.' to the screen (note the typo).

It's clear that the bulk of the 'good stuff' appears to be contained in these png files that get extracted from the APK. Inspection of these files shows that these files are not png files, but in fact one APK file and two ARM executables.

Screen shot 2012-01-17 at 3.18.23 PM

As header01.png is the file which is actually executed by the main APK, let's dig into this further. A snippet of the decompiled code can be seen below.

Screen shot 2012-01-17 at 2.48.12 PM

This ARM executable appears to be a root exploit targeting Android devices. A quick Google search returns that in fact, a slightly modified version of this code is being utilized: http://c-skills.blogspot.com/2011/04/yummy-yummy-gingerbreak.html. Additionally, a nice writeup about this specific root exploit can be found at http://xorl.wordpress.com/2011/04/28/android-vold-mpartminors-signedness-issue/ for those interested in the inner-workings of Android root exploits.

The largest change appears to have been made in the do_root() function. In the original code base, the 'sh' command is provided with root privileges. However, in the modified version, the 'bot', or '/data/data/com.android.bo/files/footer01.png' file is given these privileges. Additionally, an additional execlp command has been included in order to execute this file. This leads us to begin inspecting the footer01.png file, which as we remember, was copied initially by the malware to the victim.

Similar to header01.png, the footer01.png file is also an ARM executable. Inspection of this executable reveals that this program is responsible for interacting with a remote IRC server. Decompiling the main() function paint a decent picture of what is taking place.

Screen shot 2012-01-17 at 1.10.01 PM2

The executable begins by setting a '1' value in the /data/data/com.android.bot/files/rooted file, thus preventing the header01.png (root exploit) from attempting to exploit an already exploited device. the executable then dies in the event that it is not running as root. Following this, '/etc/sent' is deleted. In the event that the previous step is successful, the IRC bot attempts to change the permissions of the border01.png file in order to provide it with root permissions. This border01.png file is then installed using the 'pm' command, and started in the background using the 'am' command. Finally, the value of '1' is written to /etc/sent, and the IRC botnet activity is initialized.

The IRC botnet attempts to make a connection to 199.68.x.x over port 7778. It joins the #andros channel using a random username. Once connected to the IRC server, the device has the ability to receive commands from the botmaster and return the results. Now for most authors, this functionality would be enough. But remember that border01.png file? Since that's the last file we saw extracted in the beginning, this should be the final piece of this malware puzzle (I hope).

Unlike the previous two extracted files, border01.png is an Android APK file. Inspection of this file reveals that it is a variant of the Foncy family of SMS Trojans. The Foncy family was originally discovered back in November of 2011. It's primary responsibility was sending SMS messages to a series of premium-rate numbers, based on the country the victim was located in. Additionally, the Foncy family of SMS trojans have the ability to block SMS messages received from these premium-rate numbers, in order to hide its activity from the victim. The list of targeted countries and their respective premium-rate number can be found below:

  • Belgium - 3075
  • Switzerland - 543
  • Luxembourg - 64747
  • Canada - 60999
  • Germany - 63000
  • Spain - 35024
  • Great Britain - 60999
  • Morocco - 2052
  • Sierra Leone - 7604
  • Romania - 1339
  • Norway - 2227
  • Sweden - 72225
  • United States - 23333
  • France - 81083

This specific variant adds a third component of intercepting SMS messages and ex-filtrating them to a remote web server located at 46.166.x.x. The following format is utilized for ex-filtration:

  • http://46.166.x.x/?=<SMS_Number>///<SMS_Body>

So just to recap, at this rate the attacker has executed a root exploit, which is used to provide root access to an IRC bot as well as a SMS Trojan. The attacker receives all SMS messages sent to the victim, reaps the rewards of having dialed multiple premium numbers, and also has the ability to control all compromised machines via IRC. And that folks, is Game Over.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.