General explanation
Type: Adware
Name Adware.Android.SmsReg.Rez
Degree of destruction: average
Prevalence: average
What is Adware?
Adware is advertising malware that results in showing ads or appearing multiple banners in your system and encourages you to buy a product or use its services. Programmers of this malware, earn money by using related codes that send notification services to applications to show ads. They are attempts to encourage more people to use their applications, by adding them to android markets.
What is the SmsReg malware family?
SmsReg adware will collect users’ data and interests with the aim of professional and secure ads by using Amaroid service which belongs to Zhobin Co.
According to released applications in social spaces such as different Telegram channels or different Instagram pages, we are encountering a bunch of malware that has been released to register the user in added value and services and receive cash without the user’s notice.
The function of the malware is that as soon as installing and running the application, a page with this theme will be shown to the user to use this application user need to register in an added value service, which is specified before this and uses its features, by setting up the application. In this situation, even after deleting the application, without the user’s notice, a price will be added to the user’s phone bill, because the user is registered with the mentioned service. Activating these services is in exchange for withdrawal on a daily or monthly basis. These applications are also non-functional, whether there is no content in the application or these contents are accessible for free on the internet.
Technical explanation
As soon as set up the application, first, the connection of the device to the internet will be checked and will specify the type of operator. Also, there will be an ad shown with this theme that for setup the application and using its services, the first step is to register in the Adak added-value services. After entering the user’s phone number, the entered information with the address http://imi.adak-tech.ir:4020/site/login and IP number 79.175.163.213 will be sent.
After registering for this service, a disposable password from the server will be sent to the user as an SMS based on the periodic subscription fee that the user specifies. Until here there is no complete malware-type essence in this application because registering in the added-value service has been mentioned in the application but it used codes named net. jhoobin. The activity of these codes is the user’s registrations in services, deduction of cost, and also using the Amaroid platform for data mining and showing ads to users. Since this part is completely hidden from the sight of the user, this application will be added to the category of malicious adware.
The products of this company are Charkhone and Pars Hub, etc. the important and remarkable part of Charkhone service is to have a dedicated base for a payment system and registering in added value related to this server. It means that applications developed for Charkhone can use the payment system that Irancell has to provide especially for Charkhone. Users even by dialing *800# are unable to notice the active services on this basis and for this matter, they need to install and register in this application which the membership process and cancellation are also hard. One of the reasons that no content application uses this basis too much is this option, which members will easily register this service and hardly will recognize their active services and sometimes you cannot recognize that this service is activated for the user from Charkhone basis.
The other goal of this malware is to show ads according to the user’s interests by using the Amaroid data mining service. This platform is in the field of data and information analysis related to the user’s behavior during the use of applications that use “com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE” permission. It can be concluded that this application has more accuracy for showing internet ads because it is important to know this note that how people download this application or what they do after installing it. For example, to choose the time of showing ads, by considering the most crowded referring time to application, it is possible to send the ad programs to them with maximum efficiency. Additionally, the information related to browser histories such as the user’s research in the phone browser and location will affect the type of ads that are supposed to be sent to each user.
One of the pieces of information collected with the aim of data mining is the MSISDN ID number, which this number is used for routing and charging operations on ICT networks. There is an IMSI equal to each MSISDN and IMSI is a number that the mobile phone network will service the subscriber through it.
How to deal with it and disinfect the system
To disinfect this malware, first, delete the application from your cell phone and do as follow to cancel your subscription:
- First dial *800# and view active services and send the sent instructional code according to the sent message to cancel the service.
- If your SIM card is Irancell, it is better to disable all added-value services as a whole and or login to your own Charkhone account and deactivate your subscription.
Methods of preventing phone infection
To make sure that the system is safe, install Padvish anti-virus and keep its database file and scan it.
- Avoid downloading and installing any application from unauthorized resources/markets.
- Note the requested permissions, when installing the mobile application.
- Continuously back up your saved data and files.
- Do not use an unofficial version of applications. Applications such as Telegram, and Instagram have many unofficial versions and most of them release through Telegram channels.