General Explanation

Type: downloader

Degree of destruction: low

Prevalence: average

What is a downloader?

This malware is used for purposes such as advertising and distributing other android applications. Usually, without explicitly noticing the user and in exchange for the user clicking on different parts of the application a file will be downloaded in the background, or it directs the user to the download link of the market or specific website through existing download links inside the application. Also, it may ask the user to download another application for providing a service in the application or better performance of the application.

What is Notifyer malware?

Notifyer adware displays advertising notifications in the background to the user using notification services. If the user clicks on any of the notifications, the advertisement pages in the browser will be open.

Technical Explanation

Users will download this application as “mix photo with song” from the Café Bazaar android store. Some of this malware (editing photo and film) with different names and packages exist in stores such as Café Bazaar. This malware downloads diverse applications without the user’s permission and requests the user to install them. Also, according to “co.ronash.pushe”, the malware has used the Pushe advertising service to displays its notifications.


The malware checks the phone API version as soon as the main application activity is executed, and if it was greater than or equal to the value of 9, the Pushe package will be executed on it. Also, to run and update the Pushe package, the malware checks the phone to make sure the Google play services have been installed.

Com.aksvirayeshy441.moin1.Dialog activity

The malware connects with its server through “hxxp[:]//baroot[.]ir/click_hi” address and sends the package name with the hash of the installed applications along with the ID of the folder using the POST method (usually, it is used to send targeted notification that is similar to onesignal notification sending service which is filtered). After checking the installation status of applications such as Café Bazaar, Iranapp, Myket, and Google store on the user’s device, if any, it will open the page of each application. The desired package lists of malware to download are specified which are all messengers such as Telegram, golden Telegram, etc.

public String a() {

byte b1 = 0;

arrayOfString = new String[53];

arrayOfString[0] = “ir.persianfox.messenger”;

arrayOfString[1] = “”;

arrayOfString[2] = “org.telegram.messenger”;

arrayOfString[3] = “ir.rrgc.telegram”;

arrayOfString[4] = “ir.felegram”;

arrayOfString[5] = “”;

arrayOfString[6] = “ir.alimodaresi.mytelegram”;

arrayOfString[7] = “org.telegram.engmariaamani.messenger”;

arrayOfString[8] = “org.telegram.igram”;

arrayOfString[9] = “ir.ahoura.messenger”;

arrayOfString[10] = “com.shaltouk.mytelegram”;

arrayOfString[11] = “ir.ilmili.telegraph”;

arrayOfString[12] = “ir.pishroid.telehgram”;

arrayOfString[13] = “com.goldengram”;

arrayOfString[14] = “com.telegram.hame.mohamad”;

arrayOfString[15] = “ir.amatis.vistagram”;

arrayOfString[16] = “org.mygram”;

arrayOfString[17] = “org.securetelegram.messenger”;

arrayOfString[18] = “com.mihan.mihangram”;

arrayOfString[19] = “com.telepersian.behdadsystem”;

arrayOfString[20] = “com.negaheno.mrtelegram”;

arrayOfString[21] = “com.telegram.messenger”;

arrayOfString[23] = “ir.samaanak.purpletg”;

arrayOfString[24] = “com.ongram”;

arrayOfString[25] = “com.parmik.mytelegram”;

arrayOfString[26] = “life.telegram.messenger”;

arrayOfString[27] = “com.baranak.turbogramf”;

arrayOfString[28] = “com.baranak.tsupergram”;

arrayOfString[29] = “com.negahetazehco.cafetelegram”;

arrayOfString[30] = “ir.javan.messenger”;

arrayOfString[31] = “org.abbasnaghdi.messenger”;

arrayOfString[32] = “com.baranak.turbogram”;

arrayOfString[33] = “”;

arrayOfString[34] = “org.vidogram.messenger”;

arrayOfString[35] = “com.parsitelg.telegram”;

arrayOfString[36] = “”;

arrayOfString[37] = “”;

arrayOfString[38] = “com.eightgroup.torbo_geram”;

arrayOfString[39] = “org.khalkhaloka.messenger”;

arrayOfString[40] = “com.groohan.telegrampronew”;

arrayOfString[41] = “com.goftagram.telegram”;

arrayOfString[42] = “com.Dorgram”;

arrayOfString[43] = “com.bartarinhagp.telenashenas”;

arrayOfString[44] = “org.kral.gram”;

arrayOfString[45] = “com.farishsoft.phono”;

arrayOfString[46] = “ir.talayenaaab.teleg”;

arrayOfString[47] = “hamidhp88dev.mytelegram”;

arrayOfString[48] = “”;

arrayOfString[49] = “org.abbasnaghdi.messengerpay”;

arrayOfString[50] = “com.hanista.mobogram”;

arrayOfString[51] = “com.hanista.mobogram.three”;

arrayOfString[52] = “com.hanista.mobogram.two”;

ArrayList arrayList = new ArrayList();

while (b1 < 53) {

if (a(arrayOfString[b1]))




Also, it downloads the “become a singer” application package “” from Café Bazaar market or Google play store which is also malware.

MyPushListener service

This class is related to receiving notifications. It checks the JSON input parameter to assure that the sending JSON has contents and with no length of zero. If the key value is 1, it opens the “link” string contents with a specific address inside the phone browser. Additionally, if the key-value equals 3, then it directs the user to the address “=tg://resolve?domain” that leads to opening a specific page in the telegram application, and if the key value is 4, then it downloads the new version of the Pushe package.

 public void onMessageReceived(JSONObject paramJSONObject1, JSONObject paramJSONObject2) {

    if (paramJSONObject1.length() == 0);

    try {

      Intent intent;

      String str;

      switch (paramJSONObject1.getInt(“key”)) {

        case 2:


        case 1:



        case 3:

          str = paramJSONObject1.getString(“link”);

          intent = new Intent(“android.intent.action.VIEW”, Uri.parse(“tg://resolve?domain=” + str));




        case 4:

          this.url2 = intent.getString(“url”);

          this.filename = intent.getString(“filename”);

          (new DownloadNewVersion()).execute(new String[0]);



    } catch (JSONException paramJSONObject1) {





AppChangeReceiver downloader

This receiver runs with PACKAGE_INSTALL ،PACKAGE_ADDED and PACKAGE_FULLY_REMOVED action; i.e, this receiver will be executed as soon as installing, adding, or removing a package completely. Then, it returns the data related to installed application packages as a string and receives the package name, the version name, first installation time, and the last update time, and it specifies which application has to be downloaded from the market.

Malware techniques

In this application, the Emulator Detection technique has been used. In this method, the application detects the emulator using some methods. First, the application looks for binary files that are usually installing when the phone has been rooted.

  • First method: it checks for “su” strings in specific paths. These existing paths are all systematic that only being accessible if the phone is being rooted. That’s while the possibility that the application is executing under an emulator is high, and it will stop.
  • Second method: It checks the TAGS value if the BUILD.TAGS value contains a “test-keys” string, which means the emulator exists. As a default, Google android ROMs use “release-keys” for BUILD.TAGS. So, if the recursive string value equals “test-keys” it may mean that the emulator exists
  • Third method: The application looks for the apk file (a file that is usually installed after rooting) in the path “/system/app/”, If this file exists, it can be concluded that the program runs on the emulator or rooted phone.

How to deal with it and disinfect the system

To assure that your device is not infected, install Padvish antivirus, keep its database file updated and scan for viruses.

How to prevent the phone from infection:

  1. Avoid downloading and installing applications from unauthorized mobile resources and markets
  2. Pay attention to the requested permissions when installing a mobile application.
  3. Continuously back up your file and stored data.
  4. Do not use unofficial versions of applications. Applications such as Telegram and Instagram have many unofficial versions that are mostly distributed through Telegram channels.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>