Android malware, masquerading as the Madden NFL 12 video game, has three embedded modules that perform various malicious activities.
The main component is a dropper that installs a set of other components – rooting exploit, IRC bot, and SMS Trojan – onto the compromised Android device, said Arun Sabapathy, a researcher with McAfee Labs.
The malicious files “Header01.png” and “Footer01.png” look like PNG image files but are actually ELF files, and “Header01.png” acts as a rooting exploit, Sabapathy said.
“The purpose of this component is to root the device which will then elevate the device’s privilege. Once the device is rooted, ‘Footer01.png’ connects to a remote IRC channel and the final component ‘Boarder01.png’ acts as a Trojan which sends SMS messages to premium numbers. The other *.png files in the package are just random image files added to the package to thwart HASH-based detection,” he said.
Sabapathy said if the user of a compromised Android device receives a message from his or her bank using a two-way authentication code, that message along with the mobile number goes to the remote attacker, who can use it to compromise bank transactions.
“This alone tells us how serious this attack can be. However, we are not sure, at this point, what purpose they collect and use some of the data for, as we are not sure about what their server side code is and does,” he added.
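The ELF files named as PNG images described above can be caught by checking each package entry's leading bytes instead of its file name. The following is an added example, not code from McAfee Labs or the original article; the `assets/` paths and the sample archive contents are constructed for illustration.

```python
import io
import zipfile

# Leading magic bytes for the file types relevant here.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
EXECUTABLE_MAGICS = {b"\x7fELF": "ELF", b"dex\n": "DEX"}


def sniff(head: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    if head.startswith(PNG_MAGIC):
        return "PNG"
    for magic, label in EXECUTABLE_MAGICS.items():
        if head.startswith(magic):
            return label
    return "unknown"


def find_disguised_entries(apk_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry name, detected type) for .png entries that are not PNG data."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".png"):
                continue
            with apk.open(info) as entry:
                head = entry.read(8)  # longest magic checked is 8 bytes
            kind = sniff(head)
            if kind != "PNG":
                findings.append((info.filename, kind))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: one genuine PNG header and two ELF headers named .png."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Paths under assets/ are an assumption; the article gives file names only.
        z.writestr("assets/logo.png", PNG_MAGIC + b"\x00" * 16)
        z.writestr("assets/Header01.png", b"\x7fELF\x01\x01\x01" + b"\x00" * 16)
        z.writestr("assets/Footer01.png", b"\x7fELF\x01\x01\x01" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind in find_disguised_entries(build_sample_apk()):
        print(f"{name}: named .png but content is {kind}")
```

Because the check looks at each entry's content, adding unrelated image files to change the package hash does not affect the result.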