This is just a place to give my thoughts so that they do not eat me alive. I may post about my Life, music, sports or whatever I feel like.

First IRC Bot For Android Shows Up, Allows The Attacker Full Remote Control Of Your Device | Android Headlines


We've seen our fair share of Android malware hit the scene, but the researchers at Kaspersky Lab have stumbled upon something rather alarming: the first IRC bot for Android. For those unaware, an IRC bot is a program that sits in an IRC channel and responds to commands posted there. While useful in many legitimate scenarios, IRC bots are also a long-standing way for attackers to control infected machines, as in the case at hand. It's worth noting that nothing about this attack requires IRC: the remote commands could be delivered over any channel (SMS, a web server, etc.). The attacker simply chose IRC as the command-and-control platform.
The malware arrives disguised as Madden NFL 12, a seemingly trustworthy app. Despite the guise, the package actually carries three malicious components: a root exploit (Gingerbreak; more on why that matters in a bit), an SMS Trojan, and the IRC bot. On first run the three files are extracted to /data/data/com.android.bot/files as "header01.png," "footer01.png," and "border01.png" respectively. The image extensions are part of the disguise: the files are executables, not pictures. The directory is then given read/write/execute permissions so they can be run.
The root exploit (header01.png) is executed first to obtain root on the device, a prerequisite for the SMS Trojan and IRC bot to function. Fortunately, the root method used, Gingerbreak, has been patched for quite some time now, so most devices are unaffected by the root attempt. With that said, some devices are still susceptible to Gingerbreak (remember, we're talking on a global level here, not just the U.S.), so this vulnerability is still very much a threat. If the device is already rooted when the exploit attempts to run, the malware requests superuser access, which prompts the user. If that request is denied (as it should be), the application attempts to continue anyway, a move that makes little sense, as without root it cannot progress any further.
In a scenario where the malware does successfully root the device, it then executes the second file: the SMS Trojan (footer01.png). Once running, the Trojan determines the device's country and sends SMS messages to a premium-rate number applicable to that country (read: it charges money). Replies from the premium-rate number are then blocked, so the phone's owner is completely oblivious to what is going on.
After that, the IRC bot (border01.png) connects to a remote IRC server (which happened to be down at the time of analysis, suggesting the operation may already be dead) using a random nickname. From there it can receive and execute arbitrary shell commands, effectively giving the attacker control of the whole device.
Fortunately, if you stick with the main app outlets (the Android Market, Amazon Appstore, and GetJar) you should be good to go, as this type of malware is generally found in shady third-party markets and on sites that provide pirated applications.
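The trick of shipping native payloads under image names like "header01.png" is easy to catch offline, because a PNG starts with a fixed 8-byte signature while an ELF binary starts with 0x7F "ELF". The following script is an added example (not code from the article or from Kaspersky) that opens an APK as the ZIP file it is and flags entries whose extension claims an image but whose first bytes say ELF or DEX. The article does not say where inside the APK the three files were stored, so the "assets/" location and the constructed sample APK built in-memory below are assumptions for the demonstration; only the file names come from the article.

```python
"""Flag APK entries whose image extension hides an executable.

Added illustration only; not the article's or Kaspersky's code.
"""
import io
import zipfile

# Well-known leading bytes. The PNG signature is 8 bytes; ELF and DEX are 4.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ELF_MAGIC = b"\x7fELF"
DEX_MAGIC = b"dex\n"          # Dalvik bytecode: "dex\n035\0"
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")


def classify(header: bytes) -> str:
    """Coarse file type from the first bytes of an entry."""
    if header.startswith(ELF_MAGIC):
        return "elf"
    if header.startswith(DEX_MAGIC):
        return "dex"
    if header.startswith(PNG_MAGIC):
        return "png"
    if header.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if header.startswith(b"GIF8"):
        return "gif"
    return "unknown"


def find_disguised_executables(apk_bytes: bytes) -> list:
    """Return (entry_name, detected_type) for every entry that is named like
    an image but whose content is ELF or DEX. An APK is a plain ZIP, so the
    standard library is enough to walk it."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if not info.filename.lower().endswith(IMAGE_EXTS):
                continue
            with zf.open(info) as fh:
                kind = classify(fh.read(16))   # only the header is needed
            if kind in ("elf", "dex"):
                hits.append((info.filename, kind))
    return hits


def build_sample_apk() -> bytes:
    """Constructed sample (not a real APK): one genuine PNG header, two ELF
    bodies carrying the article's payload names, and a normal classes.dex.
    The assets/ placement is an assumption, not something the article states."""
    buf = io.BytesIO()
    elf_body = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 32
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("res/drawable/icon.png", PNG_MAGIC + b"\x00" * 32)
        zf.writestr("assets/header01.png", elf_body)
        zf.writestr("assets/footer01.png", elf_body)
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind in find_disguised_executables(build_sample_apk()):
        print(f"{name}: {kind} payload behind an image extension")
```

On a device that has already run the dropper, the same check applies to the extracted files: an image in an app's private files directory that is executable and begins with 0x7F "ELF" is a strong indicator, and a directory under /data/data/<pkg>/files that has been chmod'ed to be executable is itself unusual for a game.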
