General Explanation
Type: PUA (Potential Unwanted Application)
Degree of destruction: average
Prevalence rate: average
What is PUA?
These are programs that often include adware, install toolbars, or pursue similar aims, but are not malicious in the way other malware is. Software in this category may perform actions that the user has not approved or expected and that are harmful, but some users believe that the benefits of using such applications outweigh their drawbacks and see no problem in using them at their own discretion.
What is the Notifier malware family?
Members of the Notifier malware family send advertising notifications to users through notification services. If the user taps one of these notifications on the phone, the advertising page opens in the browser.
Technical Explanation
This application is named Maddahi-e-Ashura and uses an advertising service named Pushe to show its notifications and advertising links. Pushe is a push notification service belonging to an Iranian company named Ronash (Ronash.co and pushe.co).
The service is offered to mobile and web developers so that they can deliver notifications to their users according to rules set by the company. Application developers send notifications to their subscribers through a user panel that the company provides; these notifications can be annoying and harmful, because they arrive without the user's permission or consent and, in particular, without any necessary vetting of their title and content.
After the program is run, its different sections are launched by loading files located in the application's assets folder. To execute its different sections, the application needs to connect to a specified address. For instance, it tells the user that to play the videos, the player file must be downloaded from "https[:]//myket.ir/app/com.Devi.MXplayer/?Lang=fa" (at the time of writing there is no application at this address). The Telegram channel "https[:]//t.me/myappforyou" is offered for contacting the developers; if the user does not have the Telegram app on the phone, the message "there is no Telegram on your phone" is shown.
Static inspection of the application, starting with the permissions and application declarations in manifest.xml and then the application code, makes it easy to see that this application uses a notification-sending service. The format it uses for its notifications is JSON, meaning the desired content is delivered to the application as a JSON message. Through the Pushe notification service, content (title, text, icon, image, etc.) can be sent to the user's phone.
The application also uses the user's location to send targeted (advertising) notifications. The token this application uses with Pushe is as follows:
<meta-data android:name="co.ronash.pushe.token" android:value="PUSHE_48483076454"/>
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
- Sending/receiving data as JSON:
<service android:name=".pushejsonservice"/>
<receiver android:name=".pushejsonservice$pushejsonservice_BR" android:permission="com.google.android.c2dm.permission.SEND">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED"/>
</intent-filter>
<intent-filter>
<action android:name="com.google.android.c2dm.intent.RECEIVE"/>
<category android:name="moharam.madahi.mv"/>
</intent-filter>
<intent-filter>
<action android:name="com.google.android.c2dm.intent.REGISTRATION"/>
<category android:name="moharam.madahi.mv"/>
</intent-filter>
</receiver>
- Receiving the system boot permission so that the application reactivates automatically after boot and the Pushe service restarts when the system restarts:
<uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
<receiver android:name=".pushejsonservice$pushejsonservice_BR" android:permission="com.google.android.c2dm.permission.SEND">
<intent-filter>
<action android:name="android.intent.action.BOOT_COMPLETED"/>
</intent-filter>
<intent-filter>
<action android:name="com.google.android.c2dm.intent.RECEIVE"/>
<category android:name="moharam.madahi.mv"/>
</intent-filter>
<intent-filter>
<action android:name="com.google.android.c2dm.intent.REGISTRATION"/>
<category android:name="moharam.madahi.mv"/>
</intent-filter>
</receiver>
- The ability to receive application updates through the Pushe service; using this service, the developer can update the application, add features, and easily replace the previous application with a new one.
<receiver android:name="co.ronash.pushe.receiver.UpdateReceiver">
<intent-filter>
<action android:name="android.intent.action.PACKAGE_REPLACED"/>
<data android:path="moharam.madahi.mv" android:scheme="package"/>
</intent-filter>
</receiver>
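As a triage aid for the static check described above (an added example, not part of this report or of Padvish's tooling), the following Python script scans a decoded AndroidManifest.xml, such as apktool output, for the indicators discussed here: the Pushe token meta-data, the location and boot permissions, and the receivers hooked to BOOT_COMPLETED, c2dm RECEIVE and PACKAGE_REPLACED. The manifest it runs on is a constructed fragment assembled from the elements quoted above; a binary AXML manifest must be decoded first.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"  # android:* attributes in a decoded manifest

# Constructed manifest fragment, assembled from the elements quoted in the report above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="moharam.madahi.mv">
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <meta-data android:name="co.ronash.pushe.token" android:value="PUSHE_48483076454"/>
    <service android:name=".pushejsonservice"/>
    <receiver android:name=".pushejsonservice$pushejsonservice_BR" android:permission="com.google.android.c2dm.permission.SEND">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
      <intent-filter><action android:name="com.google.android.c2dm.intent.RECEIVE"/></intent-filter>
    </receiver>
    <receiver android:name="co.ronash.pushe.receiver.UpdateReceiver">
      <intent-filter><action android:name="android.intent.action.PACKAGE_REPLACED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Indicators taken from the report: manifest name -> finding label.
WATCHED_PERMISSIONS = {
    "android.permission.ACCESS_COARSE_LOCATION": "location-permission",
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot-permission",
}
WATCHED_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "boot-persistence",
    "com.google.android.c2dm.intent.RECEIVE": "push-receiver",
    "android.intent.action.PACKAGE_REPLACED": "self-update-hook",
}

def triage_manifest(manifest_xml: str) -> dict:
    # Returns {finding label: [permission names, token values or component names that triggered it]}
    root = ET.fromstring(manifest_xml)
    findings = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name")
        if name in WATCHED_PERMISSIONS:
            findings.setdefault(WATCHED_PERMISSIONS[name], []).append(name)
    for md in root.iter("meta-data"):
        if md.get(ANDROID_NS + "name") == "co.ronash.pushe.token":
            findings.setdefault("pushe-sdk-token", []).append(md.get(ANDROID_NS + "value"))
    # Record which receiver/service hosts each watched action so the analyst knows what to inspect.
    for comp in list(root.iter("receiver")) + list(root.iter("service")):
        for action in comp.iter("action"):
            label = WATCHED_ACTIONS.get(action.get(ANDROID_NS + "name"))
            if label:
                findings.setdefault(label, []).append(comp.get(ANDROID_NS + "name"))
    return findings
```

Running triage_manifest(SAMPLE_MANIFEST) reports every indicator in the report, with the boot and push actions both attributed to the .pushejsonservice$pushejsonservice_BR receiver.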
- Through the Pushe service, JSON-described commands can be run on the victim's device and data can be extracted from the user's phone, for example the IP address, city, mobile operator and other user data:
// Each entry pairs an IP-lookup URL with the JSON field that carries the address (empty for a plain-text response)
add(new AbstractMap.SimpleEntry("http://4.ifcfg.me/json", "ip"));
add(new AbstractMap.SimpleEntry("http://ifcfg.me/json", "ip"));
add(new AbstractMap.SimpleEntry("http://ipinfo.io/json", "ip"));
add(new AbstractMap.SimpleEntry("http://ip-api.com/json/?callback=yourfunction", "query"));
add(new AbstractMap.SimpleEntry("https://api.ipify.org?format=json", "ip"));
add(new AbstractMap.SimpleEntry("http://icanhazip.com/", ""));
add(new AbstractMap.SimpleEntry("http://ip.ronash.co/geoip", "ip"));
- Other capabilities of the application that become available through the Pushe service:
- Obtaining the most important data from the user's phone, such as the UUID, device ID, and the unique identifiers of each active SIM card in the phone.
- Obtaining information about the user's phone network and checking whether it is active:
android.net.ConnectivityManager.getActiveNetworkInfo
android.net.NetworkInfo.isConnectedOrConnecting
android.net.wifi.WifiManager.getConnectionInfo
android.net.ConnectivityManager.getNetworkInfo
android.net.NetworkInfo.isConnected
android.net.NetworkInfo.getState
- The application also uses the ready-made library "ArabLib". The general functions of this component are:
- AriaCustomShareList: with this component, a developer can add the application to the list of applications on the user's phone that can share text or files. So, whenever the user wants to share a text or file, this application appears in the phone's share chooser and the user can select it as the application to share with.
- AriaMarkets
- Opening the application page in Café Bazar, Iran apps, Myket, and Pars hub.
- Opening commenting page to application in Café Bazar, Iran apps, Myket, and Pars hub.
- Opening application developer page in Café Bazar, Iran apps, Myket, and Pars hub.
- AriaMultipleSharing: with this class, any number of files can be shared at once, in any format; for instance, sharing 5, 10 or any number of photos simultaneously to applications that support this, such as Telegram, Line, Zapya, etc.
- The application also obtains the user's phone information through B4A (B4A is a powerful mobile programming tool that programmers can use in their apps).
- It obtains the following information from the user's phone by using phone.CallLogWrapper:
- getAllCalls: obtains a complete list of the user's phone calls with their details (number, ID, call duration, name, day, etc.)
- GetEmails: returns the contact's email addresses as keys and the email types as their values.
- GetPhones: returns all of a contact's phone numbers as keys and the type of each stored number as its value.
- GetPhoto: returns the image attached to a contact, if there is one, and returns Null if the contact has no image.
- GetAllContacts: returns the user's phone contact list.
- FindByMail: checks the user's received and sent emails whose sender/receiver matches the phone contact list.
- GetLine1Number: returns the first phone number associated with each person and stored on the SIM card.
How to deal with it and disinfect the system
To make sure that the system is safe, install Padvish antivirus, keep its database up to date, and scan the device.
Methods of preventing phone infection
- Avoid downloading and installing applications from unauthorized sources/markets.
- Pay attention to the requested permissions when installing a mobile application.
- Back up your saved data and files regularly.
- Do not use unofficial versions of applications. Applications such as Telegram and Instagram have many unofficial versions, most of which are distributed through Telegram channels.