Android IRC Bot - This Ain't Your Granny's Android Malware (Or Maybe It Is)

As I'm sure many of you know, mobile-based malware has been on the rise for some time now. We've been steadily watching this criminal space mature in the same way that malware on the Windows platform did in years past. A new milestone for mobile malware was recently discovered in the wild by Denis Maslennikov of Kaspersky Labs: IRC bot control.


The specific malware was discovered posing as a Madden NFL 2012 video game, and unfortunately it is unclear where this specific sample was being hosted. The VirusTotal results for the sample can be found at VirusTotal. As we can see, there is currently very little detection in place for this amongst the anti-virus vendors (11/43). Of these detections, the majority appear to identify the Foncy SMS trojan component of the malware (detailed further below). In a simple experiment to test whether detection would still occur if the Foncy component were removed, it was discovered that a slightly smaller number of anti-virus vendors were still able to detect this 'variant'. The results can be seen at VirusTotal (8/43). A quick kudos to the anti-virus vendors that still detect this malware even with the SMS trojan functionality removed.

Inspection of the malware's AndroidManifest.xml (seen below) reveals certain characteristics which should stick out to even the untrained eye. The appearance of '.AndroidBotActivity' and '' certainly suggests to me that perhaps this program isn't what it seems to be.


Once the APK is decompiled, we can see that overall there is very little functionality initially.


The malware begins by creating the '/data/data/' directory and changing its permissions to 777 (read, write, execute for owner, group, and other). It then copies three embedded files, named header01.png, footer01.png, and border01.png, to the previously created directory. The malware then attempts to change the permissions of header01.png to 777 and proceeds to run this file. Finally, it displays the text '(0x14) Error - Not registered application.' on the screen (note the typo).

It's clear that the bulk of the 'good stuff' is contained in these png files that get extracted from the APK. Inspection shows that these files are not png files at all, but in fact one APK file and two ARM executables.
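Files named .png that are really an APK and two ARM executables are easy to catch if you look at the leading bytes rather than the extension. The following is an added example, not code from the original post: it classifies a blob by its magic bytes (PNG signature, ZIP local-file header as used by APK, ELF header with the machine field decoded) and flags any file whose extension disagrees with its content. The sample byte strings are constructed to mimic the three layouts discussed above; they are not the real samples.

```python
"""Classify extracted files by magic bytes instead of trusting the extension.

Added example (not from the original post). Sample data below is constructed.
"""
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # fixed 8-byte PNG signature
ZIP_MAGIC = b"PK\x03\x04"          # ZIP local file header; APK/JAR are ZIP containers
ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification
ELF_MACHINES = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}


def identify(data: bytes) -> str:
    """Describe a file from its leading bytes, ignoring its name."""
    if data.startswith(PNG_MAGIC):
        return "PNG image"
    if data.startswith(ZIP_MAGIC):
        return "ZIP archive (APK/JAR container)"
    if data.startswith(ELF_MAGIC) and len(data) >= 20:
        ei_class = data[4]      # 1 = 32-bit, 2 = 64-bit
        ei_data = data[5]       # 1 = little-endian, 2 = big-endian
        endian = "<" if ei_data == 1 else ">"
        # e_machine is the 16-bit field at offset 18 of the ELF header
        e_machine = struct.unpack_from(endian + "H", data, 18)[0]
        bits = {1: "32-bit", 2: "64-bit"}.get(ei_class, "unknown-width")
        arch = ELF_MACHINES.get(e_machine, f"machine 0x{e_machine:x}")
        return f"ELF {bits} {arch} executable"
    return "unknown"


def check_extension(name: str, data: bytes) -> dict:
    """Flag a file whose .png extension is contradicted by its content."""
    kind = identify(data)
    claims_png = name.lower().endswith(".png")
    return {"name": name, "detected": kind, "masquerading": claims_png and kind != "PNG image"}


# Constructed stand-ins for the extracted files: two 32-bit little-endian ARM
# ELF headers (e_type=2 EXEC, e_machine=40), one ZIP header, one genuine PNG.
ARM_ELF_HEADER = b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, 40)
SAMPLES = {
    "header01.png": ARM_ELF_HEADER,
    "footer01.png": ARM_ELF_HEADER,
    "border01.png": ZIP_MAGIC + b"\x00" * 26,
    "real.png": PNG_MAGIC + b"\x00" * 8,
}


def scan(samples=SAMPLES) -> list:
    """Run the extension check over every sample and return the findings."""
    return [check_extension(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for finding in scan():
        flag = "MASQUERADING" if finding["masquerading"] else "ok"
        print(f"{finding['name']:14} {finding['detected']:40} {flag}")
```

Running this against real files means reading the first few dozen bytes of each extracted asset; the point is that the check is cheap and does not depend on any anti-virus signature, so it still works when the vendor detection rate is as low as the VirusTotal results above show.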


As header01.png is the file which is actually executed by the main APK, let's dig into this further. A snippet of the decompiled code can be seen below.


This ARM executable appears to be a root exploit targeting Android devices. A quick Google search confirms that a slightly modified version of this code is in fact being utilized: Additionally, a nice writeup about this specific root exploit can be found at for those interested in the inner workings of Android root exploits.

The largest change appears to have been made in the do_root() function. In the original code base, the 'sh' command is provided with root privileges. However, in the modified version, the 'bot', or '/data/data/' file, is given these privileges. Additionally, an execlp call has been included in order to execute this file. This leads us to begin inspecting the footer01.png file, which, as we remember, was initially copied to the victim by the malware.

Similar to header01.png, the footer01.png file is also an ARM executable. Inspection of this executable reveals that this program is responsible for interacting with a remote IRC server. Decompiling the main() function paints a decent picture of what is taking place.


The executable begins by setting a '1' value in the /data/data/ file, thus preventing header01.png (the root exploit) from attempting to exploit an already exploited device. The executable then exits if it is not running as root. Following this, '/etc/sent' is deleted. If the previous step is successful, the IRC bot attempts to change the permissions of the border01.png file in order to provide it with root permissions. This border01.png file is then installed using the 'pm' command and started in the background using the 'am' command. Finally, the value '1' is written to /etc/sent, and the IRC botnet activity is initialized.

The IRC bot attempts to make a connection to 199.68.x.x over port 7778. It joins the #andros channel using a random username. Once connected to the IRC server, the device can receive commands from the botmaster and return the results. Now for most authors, this functionality would be enough. But remember that border01.png file? Since that's the last file we saw extracted in the beginning, it should be the final piece of this malware puzzle (I hope).

Unlike the previous two extracted files, border01.png is an Android APK file. Inspection of this file reveals that it is a variant of the Foncy family of SMS Trojans. The Foncy family was originally discovered back in November of 2011. Its primary responsibility was sending SMS messages to a series of premium-rate numbers, based on the country the victim was located in. Additionally, the Foncy family of SMS trojans has the ability to block SMS messages received from these premium-rate numbers, in order to hide its activity from the victim. The list of targeted countries and their respective premium-rate numbers can be found below:

  • Belgium - 3075
  • Switzerland - 543
  • Luxembourg - 64747
  • Canada - 60999
  • Germany - 63000
  • Spain - 35024
  • Great Britain - 60999
  • Morocco - 2052
  • Sierra Leone - 7604
  • Romania - 1339
  • Norway - 2227
  • Sweden - 72225
  • United States - 23333
  • France - 81083

This specific variant adds a third component: intercepting SMS messages and exfiltrating them to a remote web server located at 46.166.x.x. The following format is utilized for exfiltration:

  • http://46.166.x.x/?=<SMS_Number>///<SMS_Body>
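Both network behaviours described above (the IRC connection on port 7778 joining #andros, and the SMS exfiltration URL shape) are straightforward to match in connection and HTTP logs. The following is an added example, not code from the original post or from Trustwave: it runs two detection rules over constructed log lines. The indicators (port 7778, channel #andros, the `/?=<number>///<body>` URL form) come from the post; the log-line format is constructed, and because the post redacts the servers as 199.68.x.x and 46.166.x.x, the address rule only matches on those /16 prefixes. A production rule would carry the full addresses and whatever log schema your sensor actually emits.

```python
"""Detection rules for the IRC C2 and SMS-exfil behaviour described above.

Added example (not from the original post). Log format and sample lines are
constructed; indicators are taken from the post as written there.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

IRC_C2_PORT = 7778
IRC_CHANNEL = "#andros"
# The post gives 199.68.x.x and 46.166.x.x, so only the /16 prefixes are usable here.
C2_PREFIXES = ("199.68.", "46.166.")

# Exfil URL shape from the post: http://<host>/?=<SMS_Number>///<SMS_Body>
EXFIL_URL = re.compile(r"^https?://(?P<host>[^/]+)/\?=(?P<number>[^/]*)///(?P<body>.*)$")

# Constructed log-line shapes used in this example:
#   CONN <src_ip> <dst_ip>:<dst_port> [payload excerpt]
#   HTTP <src_ip> <method> <url>
CONN_LINE = re.compile(r"^CONN (\S+) (\S+):(\d+) ?(.*)$")
HTTP_LINE = re.compile(r"^HTTP (\S+) (\S+) (\S+)$")


@dataclass
class Alert:
    line: str
    reasons: list = field(default_factory=list)


def analyze_line(line: str):
    """Return an Alert listing every matched indicator, or None if clean."""
    reasons = []
    m = CONN_LINE.match(line)
    if m:
        _src, dst, port, payload = m.groups()
        if int(port) == IRC_C2_PORT:
            reasons.append(f"IRC bot port {IRC_C2_PORT}")
        if dst.startswith(C2_PREFIXES):
            reasons.append("destination in known C2 range")
        if f"JOIN {IRC_CHANNEL}" in payload:
            reasons.append(f"joins botnet channel {IRC_CHANNEL}")
    m = HTTP_LINE.match(line)
    if m:
        _src, _method, url = m.groups()
        u = EXFIL_URL.match(url)
        if u:
            # Decode the body so an analyst sees what was actually leaked.
            reasons.append(f"SMS exfil URL shape (number={u['number']!r}, body={unquote(u['body'])!r})")
            if u["host"].startswith(C2_PREFIXES):
                reasons.append("HTTP to known exfil server range")
    return Alert(line, reasons) if reasons else None


def analyze(lines) -> list:
    """Run analyze_line over an iterable of log lines and keep only the hits."""
    return [a for a in (analyze_line(line) for line in lines) if a]


SAMPLE_LOG = [  # constructed; the private and documentation addresses are not real hosts
    "CONN 10.0.0.5 199.68.1.2:7778 NICK a8f2k3 JOIN #andros",
    "CONN 10.0.0.5 93.184.216.34:443",
    "HTTP 10.0.0.5 GET http://46.166.1.2/?=+15550001111///your%20code%20is%20482913",
    "HTTP 10.0.0.5 GET http://example.com/index.html",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert.line)
        for reason in alert.reasons:
            print("   ", reason)
```

The URL rule is deliberately host-independent: the `/?=<number>///<body>` shape is the part of the indicator that survives the operator moving to a new server, while the address prefix rule catches traffic to the ranges named above even when the payload is not visible.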

So just to recap, at this point the attacker has executed a root exploit, which is used to provide root access to an IRC bot as well as an SMS Trojan. The attacker receives all SMS messages sent to the victim, reaps the rewards of having dialed multiple premium numbers, and also has the ability to control all compromised devices via IRC. And that folks, is Game Over.
