General explanation
Type: Trojan
Name: Trojan.Android.Agent.Smsa
Degree of destruction: average
Prevalence rate: average
What is a Trojan?
Trojans are malware that present themselves as a legitimate and useful tool. Accordingly, the user downloads and installs them and infects the system without noticing that they are malware. After installation, Trojans usually act as a backdoor so the attacker can remotely access the victim's system. For instance, the malware analyzed here appears to do a legitimate and useful job, but it installs an unwanted application on the system.
Technical explanation
The name of this application is "The map", but in reality it is used to subscribe the user to a value-added service. Its content is fake, and after installation it gives the user no useful content.
Applications of this type, which subscribe users to value-added services, usually have no useful content and appear under various names: pornographic applications, or seemingly useful ones such as a map, Instagram, My Irancell, Golden Telegram, etc. To use the application, the user must become a member of the value-added service (VAS), which deducts a daily fee from the SIM card's account balance until the user cancels the service. After subscribing, the user finds that the application either has no content, or offers content that is freely accessible online anyway, or is not a new and valuable application at all.
This application also downloads two other apps in the background in order to force the user to become a member of the VAS, which means this app is also a downloader. Downloaders can download and install other apps, and most of them are destructive.
In the app's main activity, the internet connection is checked first; if no connection is available, the app obtains the necessary permissions and connects to the internet by any means possible. It then identifies the network operator and authenticates the user by OTP (one-time password). The application connects to a server at hxxp[:]//79[.]175[.]164[.]51, which appears to be a user panel.
To this end, the app sends the user's cell phone number along with the MSISDN to this server (the MSISDN is a unique identifier for a mobile network subscriber; it consists of 15 digits comprising the country code (CC), the local code, and the subscriber number).
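The behaviour described above (operator detection, OTP-based subscription, contact with the server at the defanged address, and installation of two further apps) can be turned into a simple triage check. The following is an added example written for this page; it is not Padvish's code and not the sample's own code. The permission list is an assumption about what an app of this kind would need, not the sample's actual manifest, and the manifest and HTTP log lines are constructed for the demonstration. The only indicator taken from the analysis is the server address.

```python
"""Static and network triage for Android VAS-subscription downloaders (added example)."""
import re

# Network indicator from the analysis above, kept in defanged form.
C2_INDICATOR = "hxxp[:]//79[.]175[.]164[.]51"

# Assumption: permissions an app of this type would need for the behaviour
# described (operator detection, subscriber identifier, OTP interception,
# installing the two extra apps). Not taken from the sample's manifest.
SUSPECT_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "subscriber/operator identifiers",
    "android.permission.RECEIVE_SMS": "intercept the OTP SMS",
    "android.permission.READ_SMS": "read the OTP from the inbox",
    "android.permission.SEND_SMS": "send a subscription confirmation",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install downloaded apps",
    "android.permission.CHANGE_NETWORK_STATE": "force a data connection",
}

PERMISSION_RE = re.compile(r'<uses-permission\s+android:name="([^"]+)"')


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [:], [.]) back into a matchable URL."""
    return (indicator.replace("hxxp", "http")
                     .replace("[:]", ":")
                     .replace("[.]", "."))


def c2_host(indicator: str) -> str:
    """Extract the host part of a refanged http(s) indicator."""
    m = re.match(r"https?://([^/:]+)", refang(indicator))
    if not m:
        raise ValueError("not an http(s) indicator: " + indicator)
    return m.group(1)


def flagged_permissions(manifest_xml: str) -> list:
    """Return the suspect permissions declared in an AndroidManifest.xml, sorted."""
    declared = set(PERMISSION_RE.findall(manifest_xml))
    return sorted(declared & set(SUSPECT_PERMISSIONS))


def c2_contacts(log_lines, indicator: str = C2_INDICATOR) -> list:
    """Return the log lines in which the device contacted the indicator's host."""
    host = c2_host(indicator)
    return [line for line in log_lines if host in line]


def triage(manifest_xml: str, log_lines) -> dict:
    """Combine the static and network evidence into a simple verdict."""
    perms = flagged_permissions(manifest_xml)
    hits = c2_contacts(log_lines)
    # Heuristic weighting: a contact with the known server weighs more than any
    # single permission, because many benign apps also request SMS permissions.
    score = len(perms) + 3 * len(hits)
    return {
        "permissions": perms,
        "c2_hits": hits,
        "score": score,
        "verdict": "likely VAS fraud" if score >= 4 else "needs manual review",
    }


# Constructed sample input: a minimal manifest and a few device-side HTTP log lines.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.themap">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

SAMPLE_LOG = [
    "2024-01-01T10:00:01 GET http://maps.example.org/tiles/1/2/3.png 200",
    "2024-01-01T10:00:05 POST http://79.175.164.51/api/register 200",
    "2024-01-01T10:00:07 GET http://cdn.example.org/second.apk 200",
]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_LOG))
```

The manifest check alone only yields "needs manual review" for the constructed sample; it is the additional contact with the server from the analysis that pushes the verdict over the threshold, which mirrors how a permission set is weak evidence on its own and a known network indicator is strong evidence.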
How to deal with it and disinfect the system
To make sure that the system is safe, install Padvish anti-virus, keep its database file up to date, and scan the system.
Methods of preventing phone infection
- Avoid downloading and installing any application from unauthorized resources/markets.
- Pay attention to the permissions requested when installing a mobile application.
- Continuously back up your saved data and files.
- Do not use unofficial versions of applications. Applications such as Telegram and Instagram have many unofficial versions, most of which are released through Telegram channels.