On analyzing this malware binary further, we find that once the system is rooted it sets a marker “1,” which means the system is already rooted. This is basically a backdoor Trojan that acts as an IRCBot to connect to a remote server and receive and execute commands.
#BEST IRC FOR ANDROID CODE#
Once the device is rooted, it executes the IRCBot component file header01.png.įigure 6: Code to execute the IRCBot component The root exploit component, in simple terms, roots the device to its highest privilege so that the attacker can gain admin privilege and can execute commands from a remote server. However, the malware authors have slightly modified the code. The root exploit component is nothing new, as we have already discussed it in my previous blog. Each number in chmod represents the permissions given to different users such as owner, group, and others here the malware binary sets the permission to chmod to 777 to give read, write, and execute permission for all users to this folder.įigure 5 : Setting file permission to chmod 777 It then gives chmod 777 permission to that directory. The malicious class file creates the directory /data/data//files and drops the three component files, the root exploit, IRCBot, and SMS Trojan in the folder of the compromised device.
#BEST IRC FOR ANDROID ANDROID#
This Android manifest file gives us a vague idea of what this malware binary is capable of: Their package names and labels have been branded as and AndroidBotActivity.įigure 3: Android manifest file of the main componentįigure 4: Malicious class file AndroidBotActivity dropper code The class file AndroidBotActivity is responsible for dropping the other three malicious components onto the device as well as for setting the highest permission to the directory in which it drops these component files. The main dropper has a size of more than 5MB. This can be seen in the details of the three components. The other *.png files in the package are just random image files to thwart hash-based detection. The final component, boarder01.png, acts as Trojan that sends SMS messages to premium numbers. Once the device is rooted, footer01.png connects to a remote IRC channel.
The purpose of this component is to root the device and then elevate the device’s privilege. Header01.png acts as a rooting exploit we already discussed this in an earlier blog. The files header01.png and footer01.png masquerade as PNG image files, although they are originally ELF files.
Upon installation, the malicious application drops these three malicious components:įigure 2: Files in asset folder of the main component The malware has three modules embedded into it: The main component is actually a dropper that drops a set of other components onto the compromised user device. It masquerades as the game MADDEN NFL 12.
This malware binary is not a repackaged application as we have seen in the past.
#BEST IRC FOR ANDROID WINDOWS#
This malware acts as an IRC Bot, just as we have seen in Windows malware. While I was going through our mobile malware collection, I found an interesting piece of malware for Android. Along with it, the complexity and the numbers of mobile malware are also on the rise. We all know how fast the smart phone market is growing.
0 kommentar(er)
