Softpedia
 


January 14th, 2012, 09:39 GMT · By Eduard Kovacs

Android NFL Game Drops IRC Bot and SMS Trojan

Android Trojan creates a Madden NFL 12 menu icon
Security researchers have lately been coming across a large number of pieces of malware that target Android devices. The latest is a malicious application that presents itself as the Madden NFL 12 game and carries a set of components that get dropped onto the infected device.

Kaspersky Lab experts have analyzed the Trojan and, even though they couldn’t determine exactly how it spreads, they've managed to find out how it works and the extent of the damage it can cause.

The Trojan, a 5 megabyte file, drops a payload composed of a root exploit (Exploit.Linux.Lotoor.ac), an SMS Trojan (identified as Trojan-SMS.AndroidOS.Foncy.a) and an IRC bot.

So you may wonder how these malicious elements work in harmony.

First of all, a .class file called AndroidBotActivity creates a directory and sets read, write and execute permissions for all users. It then extracts three .png files, which represent the SMS Trojan, the root exploit and the IRC bot.

After the operation is complete, an error message is displayed on the screen, saying that the application is not registered, but in reality, the root exploit is executed. If the device is rooted, the IRC bot is launched, which in turn installs the SMS Trojan.

The IRC bot connects to a server, on a certain channel, with a random nickname and awaits shell commands from the server, executing them on the infected device.

This is not the first time we have heard of the Foncy SMS Trojan, and it seems that it hasn’t changed much since we last saw it. Just as before, it tries to send SMSs to premium-rate numbers from countries such as France, Belgium, Germany and Canada, at the same time blocking the messages that come from these numbers.

Unlike the previous variant, where the cybercriminals counted the number of victims by sending the incoming messages to a phone number, in this scenario the messages that come from the premium-rate numbers are uploaded to a remote server.
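The .png disguise described above can be checked for statically before an app is installed. The following Python script is an added example, not code from the article or from Kaspersky's analysis: it lists APK entries named .png whose leading bytes are not a PNG signature. It assumes the disguised components are ELF binaries or ZIP/APK archives; the sample archive and its entry names are constructed for the demonstration.

```python
import io
import zipfile

# First bytes ("magic") of the file types of interest.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP/APK archive",
}


def identify(head: bytes) -> str:
    """Name a file's real type from its first bytes."""
    for magic, name in MAGIC.items():
        if head.startswith(magic):
            return name
    return "unknown"


def find_fake_pngs(apk_bytes: bytes) -> dict:
    """Return {entry name: real type} for .png entries that are not PNG."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".png"):
                continue
            with apk.open(info) as entry:
                kind = identify(entry.read(8))
            if kind != "PNG image":
                findings[info.filename] = kind
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: one genuine PNG header, two disguised payloads."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        z.writestr("assets/sample_a.png", b"\x7fELF\x01\x01\x01" + b"\x00" * 16)
        z.writestr("assets/sample_b.png", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind in find_fake_pngs(build_sample_apk()).items():
        print(f"{name}: extension says PNG, content is {kind}")
```

A hit is a reason to look closer, not proof of malice; a payload that is encrypted or prefixed with a valid PNG header would not be flagged by this check.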

