Malware descriptions

IRC bot for Android

Not so long time ago we found a very interesting piece of malware for Android. Unfortunately, it is not clear how it was spread but in any case it’s worth mentioning. The malicious application displays itself as ‘MADDEN NFL 12’ game after the installation.

The file size is over 5+ MB and actually is a Trojan that drops a set of malware components onto the system: root exploit, SMS Trojan and IRC bot. The .class file “AndroidBotAcitivity” maintains this dropper functionality. It creates a ‘/data/data/’ directory and sets ‘777’ permission (read/write/execute for all users). After that it extracts three files – ‘header01.png’ (root exploit), ‘footer01.png’ (IRC bot), ‘border01.png’ (SMS Trojan) – into this directory. Then it sets ‘777’ permission on the root exploit file and executes it. Finally, it displays the text ‘(0x14) Error – Not registred application’ on the screen.

If the exploit is executed successfully and the device is rooted, it launches the IRC bot ‘footer01.png’.

First of all, the IRC bot will try to delete ‘etc/sent’ using the ‘rm’ command:

After that it will set the owner (‘root’)/group (‘root’) of the ‘border01.png’ file using the ‘chown’ command and will set ‘644’ permission for the ‘border01.png’ file:

Then IRC bot will install ‘border01.png’ (SMS Trojan) using ‘pm install’ and launch it using ‘am start’:

This SMS Trojan is a modification of the Foncy SMS Trojan. We wrote about this malware family not so long ago. The Trojan hasn’t been modified much. It uses the getSimCountryIso method as well as previous versions in order to retrieve the country of the SIM card. Here is the list of countries with premium rate numbers:

  • France (81083)
  • Belgium (3075)
  • Switzerland (543)
  • Luxembourg (64747)
  • Canada (60999, there is no more mix up of number and SMS text as it was in previous version:-))
  • Germany (63000)
  • Spain (35024)
  • Great Britain (60999)
  • Morocco (2052)
  • Sierra Leone (7604)
  • Romania (1339)
  • Norway (2227)
  • Sweden (72225)
  • United States (23333)

And as in previous version Foncy will try to block all incoming messages from the premium rate numbers listed above using the abortBroadcast method. But there is one small difference between this particular version of Foncy and previous ones. This modification will upload all incoming messages from premium rate number to a remote server instead of sending an SMS message to cell phone number in the following format:


The IRC bot, after launching the SMS Trojan, will try to connect to IRC server 199.68.*.* (it was unavailable at the time of research) on channel ‘#andros’ with a random nickname. After that it is able to receive any shell commands from this server and execute them on an infected device.

This is first IRC bot for Android we’ve seen so far. And what is more interesting is that comes together with a root exploit and an SMS Trojan. They work together efficiently and the cybercriminal in this case has full access to an infected smartphone and can do anything he wants.

P.S. We detect all the malicious files as Trojan-Dropper.AndroidOS.Foncy.a,, Backdoor.Linux.Foncy.a and Trojan-SMS.AndroidOS.Foncy.a.

IRC bot for Android

Your email address will not be published. Required fields are marked *



LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Andariel evolves to target South Korea with ransomware

In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, we came to a conclusion: the Andariel group was behind these attacks.

Subscribe to our weekly e-mails

The hottest research right in your inbox