
A Mischievous IRC Bot Surfaces on Android, Giving an Attacker Full Control of Your Device

Android Police has reported a malicious IRC bot for Android. Plenty of Android malware has hit the scene, but the researchers at Kaspersky Lab have come across something rather alarming: the first IRC bot on Android. For those who are unaware, an IRC bot is a tool that performs automated functions inside an IRC channel. IRC bots are useful in many scenarios, but they are also often used for malicious purposes, as in the case at hand. It is worth noting that, given the way the attack works, the remote commands could be sent through any medium (web server, SMS, etc.). The attacker simply chose IRC as the platform for this exploit.

Once installed, the malware poses as Madden NFL 12, a seemingly trustworthy application. Contrary to what the guise suggests, though, the app actually consists of three malicious components: a root exploit (using Gingerbreak; more on why that is important in a bit), an SMS Trojan, and the IRC bot. These files are extracted and stored in /data/data/com.android.bot/files as 'header01.png,' 'footer01.png' and 'border.png,' respectively. The directory is then given read/write/execute permissions.

The root exploit (header01.png) is executed first in order to gain root access to the device, a prerequisite for the IRC bot and the SMS Trojan to be able to function.

Luckily, the root method used, Gingerbreak, has been patched for some time now, so patched devices are unaffected by this root attempt. That said, there are still various devices that are vulnerable to Gingerbreak (remember, we are talking on a global level here, not just the USA), so this vulnerability is very much a threat. If the device in question is already rooted when the exploit attempts to run, it will request Superuser access, which prompts the user. If the request is denied (as it should be), the app will attempt to run anyway, a move that makes little sense, as the application will not get any further.

If the device in question is successfully rooted by the malware, however, it then executes the second file: the SMS Trojan (footer01.png). Once executed, the Trojan determines the device's country and sends an SMS message to the applicable premium-rate number (read: this costs money). All messages returned from that premium-rate number are then blocked, so the owner of the phone is wholly oblivious to what is going on.

After this, the IRC bot connects to its remote IRC server (which happens to be down at the moment, suggesting it may already be dead) under a random nickname. From there it can receive and execute shell commands, essentially giving the attacker control of the whole system.
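The components described above are executables stored under image file names in a directory given execute permission. As an added example (not code from this post or from Kaspersky's analysis), this Python sketch flags files whose image extension does not match their leading bytes or that carry an execute bit; the signature tables and sample files are constructed, and treating a payload as an ELF binary, DEX bytecode or a script is an assumption.

```python
import os
import stat
import tempfile

# Leading signatures a file with each image extension should start with.
IMAGE_MAGIC = {".png": (b"\x89PNG\r\n\x1a\n",), ".jpg": (b"\xff\xd8\xff",), ".gif": (b"GIF8",)}
# Assumption: a disguised payload is a native binary, DEX bytecode or a script.
EXEC_MAGIC = {b"\x7fELF": "ELF binary", b"dex\n": "DEX bytecode", b"#!": "script"}


def classify(path):
    """Return a finding for an image-named file that does not look like an image, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return None
    with open(path, "rb") as fh:
        head = fh.read(8)
    reasons = []
    if not head.startswith(IMAGE_MAGIC[ext]):
        kind = next((n for m, n in EXEC_MAGIC.items() if head.startswith(m)), "unknown data")
        reasons.append(f"content is {kind}, not {ext[1:].upper()}")
    if os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("executable bit set")
    return "; ".join(reasons) or None


def scan(root):
    """Walk root and map relative path -> finding for each suspicious file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if finding := classify(full):
                findings[os.path.relpath(full, root)] = finding
    return findings


def demo():
    """Scan a constructed tree: a genuine PNG signature and an ELF header named .png."""
    samples = {"icon.png": (b"\x89PNG\r\n\x1a\n", 0o644), "header01.png": (b"\x7fELF\x01\x01\x01\x00", 0o755)}
    with tempfile.TemporaryDirectory() as root:
        for name, (data, mode) in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
            os.chmod(os.path.join(root, name), mode)
        return scan(root)


if __name__ == "__main__":
    print(demo())
```

Point `scan()` at an unpacked APK or a pulled copy of an app's data directory to triage it the same way.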

Luckily, if you stick to the key application outlets (the Android Market, GetJar and the Amazon Appstore), you should be good to go, as this type of malware is generally found in shady third-party markets and on sites that offer pirated apps.

And although this particular exploit may already be dead in the water, it clearly shows that Android malware is evolving, becoming more complicated and, most of all, sneakier.

For further information, including the analysis and code snippet details, please check Kaspersky's Securelist blog.

Posted on January 20, 2012. Filed in: News


© 2011 AndroidXpert.com All rights reserved.