{"id":15979,"date":"2012-05-09T04:50:31","date_gmt":"2012-05-09T11:50:31","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=15979"},"modified":"2025-06-01T20:14:53","modified_gmt":"2025-06-02T03:14:53","slug":"evolution-of-android-malware-ircbot-for-android","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/","title":{"rendered":"Evolution of Android Malware: IRCBot Joins the Party"},"content":{"rendered":"<p>We all know how fast the smart phone market is growing. Along with it, the complexity and the numbers of mobile malware are also on the rise. While I was going through our mobile malware collection, I found an interesting piece of malware for Android. This malware acts as an IRC Bot, just as we have seen in Windows malware.<\/p>\n<p>This malware binary is not a repackaged application as we have seen in the past. It masquerades as the game MADDEN NFL 12. The malware has three modules embedded into it: The main component is actually a dropper that drops a set of other components onto the compromised user device.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15983\"><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-15983 alignnone\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot2.jpg\" alt=\"\" width=\"426\" height=\"219\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot2.jpg 532w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot2-300x154.jpg 300w\" sizes=\"auto, (max-width: 426px) 100vw, 426px\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Figure 1: Android Malware Component<\/p>\n<p>Upon installation, the malicious application drops these three malicious components:<\/p>\n<ul>\n<li>Header01.png: Rooting Exploit<\/li>\n<li>Footer01.png: IRCBot<\/li>\n<li>Border01.png: SMS Trojan<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15984\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15984\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot3.jpg\" alt=\"\" width=\"122\" height=\"151\" \/><\/a><\/p>\n<p style=\"text-align: left;\">Figure 2: Files in asset folder of the main component<\/p>\n<h2 style=\"text-align: left;\"><strong>What&#8217;s It All About?<\/strong><\/h2>\n<p>The files header01.png and footer01.png masquerade as PNG image files, although they are originally ELF files. Header01.png acts as a rooting exploit; we already discussed this in an <a>earlier blog<\/a>. The purpose of this component is to root the device and then elevate the device&#8217;s privilege. Once the device is rooted, footer01.png connects to a remote IRC channel. The final component, boarder01.png, acts as Trojan that sends SMS messages to premium numbers. The other *.png files in the package are just random image files to thwart hash-based detection. This can be seen in the details of the three components.<\/p>\n<h2><strong>Main Dropper Component<\/strong><\/h2>\n<p>The main dropper has a size of more than 5MB. The class file AndroidBotActivity is responsible for dropping the other three malicious components onto the device as well as for setting the highest permission to the directory in which it drops these component files. This Android manifest file gives us a vague idea of what this malware binary is capable of: Their package names and labels have been branded as\u00a0com.android.bot and AndroidBotActivity.<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15986\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15986\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot5.jpg\" alt=\"\" width=\"740\" height=\"459\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot5.jpg 740w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot5-300x186.jpg 300w\" sizes=\"auto, (max-width: 740px) 100vw, 740px\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Figure 3: Android manifest file of the main component<\/p>\n<p style=\"text-align: left;\"><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15985\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15985\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot4.jpg\" alt=\"\" width=\"1232\" height=\"345\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot4.jpg 1232w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot4-300x84.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot4-1024x286.jpg 1024w\" sizes=\"auto, (max-width: 1232px) 100vw, 1232px\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Figure 4: Malicious class file AndroidBotActivity dropper code<\/p>\n<p>The malicious class file creates the directory \/data\/data\/com.android.bot\/files and drops the three component files, the root exploit, IRCBot, and SMS Trojan in the folder of the compromised device. It then gives chmod 777 permission to that directory. Each number in chmod represents the permissions given to different users such as owner, group, and others; here the malware binary sets the permission to chmod to 777 to give read, write, and execute permission for all users to this folder.<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15988\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15988\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot7.jpg\" alt=\"\" width=\"584\" height=\"95\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot7.jpg 584w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot7-300x48.jpg 300w\" sizes=\"auto, (max-width: 584px) 100vw, 584px\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Figure 5 : Setting file permission to chmod 777<\/p>\n<h2><strong>Root Exploit Component<\/strong><\/h2>\n<p>The root exploit component is nothing new, as we have already discussed it in my previous blog. However, the malware authors have slightly modified the code. The root exploit component, in simple terms, roots the device to its highest privilege so that the attacker can gain admin privilege and can execute commands from a remote server. Once the device is rooted, it executes the IRCBot component file header01.png.<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15993\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15993\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot12.jpg\" alt=\"\" width=\"756\" height=\"511\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot12.jpg 756w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot12-300x202.jpg 300w\" sizes=\"auto, (max-width: 756px) 100vw, 756px\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Figure 6: Code to execute the IRCBot component<\/p>\n<h2><strong>IRCBot Component<\/strong><\/h2>\n<p>This is basically a backdoor Trojan that acts as an IRCBot to connect to a remote server and receive and execute commands.<\/p>\n<p>On analyzing this malware binary further, we find that once the system is rooted it sets a marker \u201c1,\u201d which means the system is already rooted. Thus the malware can skip attempting to exploit a device that is already rooted and also from again executing the file footer01.png.<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15995\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15995\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot14.jpg\" alt=\"\" width=\"817\" height=\"404\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot14.jpg 817w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot14-300x148.jpg 300w\" sizes=\"auto, (max-width: 817px) 100vw, 817px\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Figure 7 : IRCBot component silently installs the SMS Trojan component<\/p>\n<p>The malware then connects to the remote IRC server 199.68.&lt;removed&gt; and generates a random user name that is used to log into the remote IRC channel.<\/p>\n<p>The malware joins the IRC channel #andros and waits for commands from the attacker.<\/p>\n<p>Once it starts receiving commands from the remote site, it parses them and performs the actions. We found three commands:<\/p>\n<ul>\n<li>PRIVMSG #andros :[SH] &#8211; %s.<\/li>\n<li>PRIVMSG #andros :[ID] &#8211; %d<\/li>\n<li>PRIVMSG #andros :[EXIT] &#8211; exiting ordered.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2><strong>SMS Trojan Component <\/strong><\/h2>\n<p>The last component of the package is a regular SMS Trojan that sends SMS messages to premium numbers which charge the victim. This one also masquerade as a PNG image file but was originally an .apk file, an application package for Android. We have seen this type of <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/android-malware-spreads-through-qr-code\">premium SMS abuser<\/a> many times in the past.<\/p>\n<p>The difference in this malware binary when compared to others is, first, it retrieves the geo location of the SIM and based on the geo location it sends SMS to premium numbers corresponding to that geo location. This is carried out by the following snippet:<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15989\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15989\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot8.jpg\" alt=\"\" width=\"661\" height=\"229\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot8.jpg 661w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot8-300x103.jpg 300w\" sizes=\"auto, (max-width: 661px) 100vw, 661px\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Figure 8: Snippet to get the geo location of the SIM<\/p>\n<p>&nbsp;<\/p>\n<p>The Trojan sends SMS messages to the premium numbers if the SIM geo is found to be applicable.<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15991\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15991\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot10.jpg\" alt=\"\" width=\"408\" height=\"272\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot10.jpg 408w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot10-300x200.jpg 300w\" sizes=\"auto, (max-width: 408px) 100vw, 408px\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Figure 9: Premium SMS numbers<\/p>\n<p>The Trojan also has code to check the message body and sender of all SMS messages received. If the sender is found to be any of the numbers listed above, the malware aborts that message. This step is carried out by the abortBroadcast(); function.<\/p>\n<p>The Trojan then broadcasts an SMS to a remote server along with the mobile number and the message body.<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15992\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15992\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot11.jpg\" alt=\"\" width=\"536\" height=\"27\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot11.jpg 536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot11-300x15.jpg 300w\" sizes=\"auto, (max-width: 536px) 100vw, 536px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>To sum it up, here is the flow diagram for this Android malware:<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/?attachment_id=15997\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-15997\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot16.jpg\" alt=\"\" width=\"614\" height=\"791\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot16.jpg 614w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2012\/05\/Android_Bot16-232x300.jpg 232w\" sizes=\"auto, (max-width: 614px) 100vw, 614px\" \/><\/a><\/p>\n<p style=\"text-align: center;\">Figure 10: Flow diagram<\/p>\n<p>Here&#8217;s an example of how dangerous this infection can be: If the victim receives a message from the bank that has a two-way authentication code, that message body&#8211;along with the mobile number&#8211;will be sent to the remote attacker, who can later compromise bank transactions. This alone tells us how serious this attack can be. However, we don&#8217;t know what the attackers do with this data, nor what their server-side code does.<\/p>\n<p>In any case, this is a reminder that malware authors consider the Android platform their favorite mobile attack vector, and are coming up with new infection strategies to compromise users and their data. We expect this trend to continue thanks to the growing smart phone market as well as the continued increase of enterprise use, banking functionality, and other consumer usage.<\/p>\n<p>We detect the main component of this malware as Android\/Multi.dr, the root exploit component as Linux\/Exploit-Lotoor.a, the IRCBot component as Android\/IRCBot.a, and the SMS Trojan as Android\/SMS.gen.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We all know how fast the smart phone market is growing. Along with it, the complexity and the numbers of&#8230;<\/p>\n","protected":false},"author":695,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[37,180],"coauthors":[1477],"class_list":["post-15979","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-android","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Evolution of Android Malware: IRCBot Joins the Party | McAfee Blog<\/title>\n<meta name=\"description\" content=\"We all know how fast the smart phone market is growing. Along with it, the complexity and the numbers of mobile malware are also on the rise. While I was\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Evolution of Android Malware: IRCBot Joins the Party | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"We all know how fast the smart phone market is growing. Along with it, the complexity and the numbers of mobile malware are also on the rise. While I was\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2012-05-09T11:50:31+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-02T03:14:53+00:00\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Evolution of Android Malware: IRCBot Joins the Party\",\"datePublished\":\"2012-05-09T11:50:31+00:00\",\"dateModified\":\"2025-06-02T03:14:53+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/\"},\"wordCount\":1074,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot2.jpg\",\"keywords\":[\"android\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/\",\"name\":\"Evolution of Android Malware: IRCBot Joins the Party | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot2.jpg\",\"datePublished\":\"2012-05-09T11:50:31+00:00\",\"dateModified\":\"2025-06-02T03:14:53+00:00\",\"description\":\"We all know how fast the smart phone market is growing. Along with it, the complexity and the numbers of mobile malware are also on the rise. While I was\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot2.jpg\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot2.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Evolution of Android Malware: IRCBot Joins the Party\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Evolution of Android Malware: IRCBot Joins the Party | McAfee Blog","description":"We all know how fast the smart phone market is growing. Along with it, the complexity and the numbers of mobile malware are also on the rise. While I was","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Evolution of Android Malware: IRCBot Joins the Party | McAfee Blog","og_description":"We all know how fast the smart phone market is growing. Along with it, the complexity and the numbers of mobile malware are also on the rise. While I was","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2012-05-09T11:50:31+00:00","article_modified_time":"2025-06-02T03:14:53+00:00","author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Evolution of Android Malware: IRCBot Joins the Party","datePublished":"2012-05-09T11:50:31+00:00","dateModified":"2025-06-02T03:14:53+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/"},"wordCount":1074,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot2.jpg","keywords":["android","malware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/","name":"Evolution of Android Malware: IRCBot Joins the Party | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot2.jpg","datePublished":"2012-05-09T11:50:31+00:00","dateModified":"2025-06-02T03:14:53+00:00","description":"We all know how fast the smart phone market is growing. Along with it, the complexity and the numbers of mobile malware are also on the rise. While I was","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot2.jpg","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2012\/05\/Android_Bot2.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/evolution-of-android-malware-ircbot-for-android\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Evolution of Android Malware: IRCBot Joins the Party"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/15979","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=15979"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/15979\/revisions"}],"predecessor-version":[{"id":214757,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/15979\/revisions\/214757"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=15979"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=15979"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=15979"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=15979"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}