PUA.Android.Adware.Ghanon

General Explanation

Type: PUA (Potentially Unwanted Application)

Degree of destruction: average

Prevalence: average

What is PUA?

PUAs are programs that often include adware, install toolbars, or pursue similar aims, but they are not like other malware. Software in this category may perform actions that the user has not approved or does not expect and that are malicious; however, some users believe the advantages of these applications outweigh their drawbacks and see no problem in using them.

Technical Explanation

The application is named “law in simple words” and uses an advertising service named “Pushe” to show notifications and advertising links. Pushe is a push notification service that belongs to an Iranian company named Ronash (Ronash.co and pushe.co). The service lets mobile and web developers send notifications to their applications, according to the rules set by the company.

Application developers send notifications to their customers through the user panel that the company provides, but notifications sent without informing users or obtaining their approval can be annoying or malicious, especially when there is no review of the titles and content under which they are presented.

Inside the application, there is a button named “medical channel” that advertises a Telegram channel and leads the user to it (https[:]//t.me/anatome), but the name and content of this channel are about law and unrelated to medicine. Since it is not clear what content is delivered to users, or under what titles, this is a risk in itself.

The application also openly contains advertising links to a filtered site. The advertising links in this application are:

http[:]//gamejoo.com/tabligh.html
http[:]//gamejoo.com/tabligh.html?bazaar

Both links belong to the “JoApp” application builder, which, in its own words, builds different applications, shows notifications, and so on; these links are now filtered.

The application also collects important user information for advertising purposes. Using methods of the TelephonyManager class, it accesses the following information:

getNetworkType: access to network information

getSimOperatorName: access to SIM card operator information

getDeviceId: access to the phone’s unique identifier

In addition, by using the getLastKnownLocation method, it can access the user’s geographical location.
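
As an added example (not part of the original analysis and not Padvish's code), the following Python script shows how an analyst could locate calls to the four methods listed above in the smali output of a decompiled APK and report which app method makes them. The class name Lcom/example/ads/Collector; and the smali sample are constructed for illustration and are not taken from the analysed application.

```python
import re
from collections import defaultdict

# APIs named in the write-up, keyed by (class descriptor, method name).
WATCHED = {
    ("Landroid/telephony/TelephonyManager;", "getNetworkType"): "network type",
    ("Landroid/telephony/TelephonyManager;", "getSimOperatorName"): "SIM operator name",
    ("Landroid/telephony/TelephonyManager;", "getDeviceId"): "unique device identifier",
    ("Landroid/location/LocationManager;", "getLastKnownLocation"): "last known location",
}

INVOKE = re.compile(r"^\s*invoke-\S+\s+\{[^}]*\},\s*(L[^;]+;)->([\w$<>]+)\(")
CLASS = re.compile(r"^\.class\s+.*?(L[^;]+;)\s*$")
METHOD = re.compile(r"^\.method\s+.*?([\w$<>]+)\(")

def find_sensitive_calls(smali_text):
    """Return {caller 'Lcls;->method': sorted list of data kinds it reads}."""
    hits = defaultdict(set)
    cls, method = "?", None
    for line in smali_text.splitlines():
        if m := CLASS.match(line):
            cls = m.group(1)
        elif m := METHOD.match(line):
            method = m.group(1)
        elif line.startswith(".end method"):
            method = None
        elif method and (m := INVOKE.match(line)):
            kind = WATCHED.get((m.group(1), m.group(2)))
            if kind:
                hits[f"{cls}->{method}"].add(kind)
    return {caller: sorted(kinds) for caller, kinds in hits.items()}

# Constructed smali sample (not taken from the analysed app).
SAMPLE = """\
.class public Lcom/example/ads/Collector;
.super Ljava/lang/Object;
.method public collect(Landroid/content/Context;)V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSimOperatorName()Ljava/lang/String;
    invoke-virtual {v1, v2}, Landroid/location/LocationManager;->getLastKnownLocation(Ljava/lang/String;)Landroid/location/Location;
.end method
.method public label()Ljava/lang/String;
    invoke-virtual {v0}, Ljava/lang/Object;->toString()Ljava/lang/String;
.end method
"""

if __name__ == "__main__":
    for caller, kinds in find_sensitive_calls(SAMPLE).items():
        print(caller, "reads:", ", ".join(kinds))
```

A method that reads both a device identifier and a location, as the constructed collect method does, is the combination worth reviewing first.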

How to deal with it and disinfect the system

To make sure that the system is safe, install Padvish antivirus, keep its database file up to date, and scan the system.

Methods of preventing phone infection

  1. Avoid downloading and installing applications from unauthorized sources/markets.
  2. Pay attention to the permissions requested when installing a mobile application.
  3. Continuously back up your saved data and files.
  4. Do not use unofficial versions of applications. Applications such as Telegram and Instagram have many unofficial versions, and most of them are released through Telegram channels.
