We all know how fast the smart phone market is growing. Along with it, the complexity and the numbers of the mobile malware is also on the raise. Just going by that, while I was going through our mobile malware collection, I found an interesting piece of malware for Android. This malware acts as an IRC Bot, just as we have seen in classical Windows Malware.
This malware binary is not a repackaged application as we have seen in the past, this malware masquerades as a the game ‘MADDEN NFL 12’. The malware has three modules embedded into it which perform various malicious activities. The main component is actually a dropper which drops a set of other components onto the compromised user device.
Figure 1. Android Malware Component
Upon installation, the malicious application drops these three malicious components:
1.Header01.png – Rooting Exploit
2.Footer01.png – IRCBot
3.Border01.png – SMS Trojan
Figure 2. Files in asset folder of the main component
What the Story is about?
The files “Header01.png” and “Footer01.png” masquerade as PNG image files, although they are originally ELF files, where “header01.png” file acts as a rooting exploit which we have already discussed about in our earlier blog. The purpose of this component is to root the device which will then elevate the device’s privilege. Once the device is rooted, “Footer01.png” connects to a remote IRC channel and the final component “Boarder01.png” acts as Trojan which sends SMS messages to premium numbers. The other *.png files in the package are just random image files added to the package to thwart HASH based detection. This can be seen in the details of the three components:
Main Dropper Component:
The main dropper component has a size of more than 5MB and the class file “AndroidBotActivity” is responsible for dropping the other three malicious components onto the device as well as setting the highest permission to the directory in which it drops these component files. Seeing these Android manifest file, it gives us a vague idea on what this malware binary is capable of as we can see their package names and their labels has been branded as “com.android.bot” and “AndroidBotActivity“.
Figure 3: Android Manifest file of the main component
Figure 4: Malicious class file .AndroidBotActivity dropper code
The malicious class file creates a directory “/data/data/com.android.bot/files” and drops the three component files, the root exploit, IRC Bot and SMS trojan in the folder of the compromised device. It then gives chmod 777 permission to that directory. Each number in chmod represents the permissions given to different users like owner, group and others; here the malware binary sets the permission to chmod to 777 in order to give read, write and execute permission for all users to this folder.
Figure 5 : Set file Permission to chmod 777
Root Exploit Component:
The Root exploit component is nothing really new, as we have already discussed it in a previous blog as mentioned earlier. However, they have slightly modified the code. The Root Exploit component, in simple terms, roots the device to its highest privilege so that the attacker can gain admin privilege and can execute commands from a remote server. Once the device is rooted, it executes the IRC Bot component file “header01.png”.
Figure 6: Code to execute the IRCBot Component
IRC BOT component:
This is basically a backdoor Trojan which acts as an IRC BOT to connect to a remote server to receive commands and executes them accordingly.
On analyzing this malware binary further, once the system is rooted it sets a marker “1” which represents that the system is already rooted and hence it can avoid attempting to exploit a device which is already rooted and also from executing the file “footer01.png” again.
Figure 7 : IRCBot component installs the SMS Trojan component silently
It then connects to the remote IRC server “199.68.<removed>” and then generates a random user name which is used to login into the remote IRC channel.
It then joins to IRC channel named “#andros” and waits to receive commands from the attacker.
Once it starts receiving commands from the remote site it parses them and performs the action. On going through the code, we found there are three such commands:
- PRIVMSG #andros :[SH] – %s.
- PRIVMSG #andros :[ID] – %d
- PRIVMSG #andros :[EXIT] – exiting ordered.
SMS Trojan Component:
The last component of the package is nothing but a regular SMS Trojan which sends SMS messages to premium number that charges the compromised user. This one also masquerade as PNG image file but it was originally an .apk file, which is an application package for Android OS. We have seen this type of premium SMS abuser many times in the past as well.
The difference in this malware binary when compared to others is, first, it retrieves the geo location of the SIM and based on the geo location it sends SMS to premium number corresponding to their geo location. This is carried out by the following snippet:
Figure 8: Snippet to get the geo location of the SIM
It then sends out SMS messages to the premium numbers if the SIM geo is found to be applicable.
Figure 9: Premium SMS numbers
It also has code to check the message body and sender of all SMS messages received and if the sender is found to be any of the above mentioned numbers it simply aborts that message this is carried out by using abortBroadcast(); function.
It then broadcasts an SMS which the compromised user receives to a remote server along with the mobile number and the message body.
To sum it up, here is the flow diagram for this Android malware:
Figure 10: Flow Diagram
Now, what if the compromised user received a message from their bank which has a two way authentication code from the bank? That message body along with the mobile number will be sent to the remote attacker which can be later used to compromise bank transactions! This alone tells us how serious this attack can be. However we are not sure, at this point, what purpose they collect and use some of the data for as we are not sure about what their server side code is and does.
Certainly this shows that the authors of Android malware consider the Android platform to be their new platform and are coming up with new infection vector strategies to compromise the user and their data. We expect this trend to go further thanks to the growing smart phone market as well as the continued growth of enterprise use, banking fuctionality and other consumer usage.
We detect the main component as Android/Multi.dr, the Root Exploit component as Linux/Exploit-Lotoor.a, IRCBot component as Android/IRCBot.a and the SMS Trojan as Android/SMS.gen.
Leave a reply
