General Explanation
Type: Trojan
Degree of destruction: average
Prevalence: average
What is a Trojan?
Trojans are malware that present themselves as a legitimate, useful tool. The user therefore downloads and installs them, infecting the system without realising the software is malicious. After installation, Trojans usually act as a backdoor that lets the attacker access the victim's system remotely. The malware analysed here, for instance, appears to do a legitimate and useful job, but it installs an unwanted application on the system.
What is SMSBot?
Users download and install an application named “Faal” from a Telegram advertising channel. Once executed on the user's phone, it carries out the following malicious actions, listed here in order of their degree of destruction.
- The malware requests many permissions for the actions it wants to perform, including receiving, reading, and sending SMS messages.
- The malware is in fact a botnet. It uses the servers of an advertising provider for Android phones as its C&C server: the server sends JSON to the user's phone in the form of various notifications, and when the user taps one of them, malicious code is executed inside the application. The malware does this by placing a WebView in the application to display the HTML shipped in the assets/www folder; a series of JavaScript snippets is also injected into the WebView and executed.
- This file belongs to a family of malware that automatically registers the user in value-added services, even though the application's content has nothing to do with the value-added service.
- The malware is a meta-downloader: after infecting the user's phone, it loads a new downloader. Once this downloader file (the secondary application) is installed alongside the main (primary) application, it acts as an independent application in its own right. It can then download further malware from this family and push downloads of legitimate applications and ads, which is how the attackers earn money.
Technical analysis of this sample shows that, after infecting an Android phone, the downloader connects to the attacker's command and control server to register initial information about the phone (such as phone model, operator type, location, etc.).
Attackers then control the malware remotely by sending a variety of commands through push notifications (such as advertising messages, download links for various applications, and redirects to various websites). Attackers also use the two methods below to distribute suspicious applications (files that may be malware):
- Private servers: private servers make it easy for attackers to swap infected applications for clean ones.
- File-sharing servers: in some cases, attackers use public file-sharing servers to hide their traces, speed up file distribution, and show advertising clients the exact number of downloads. upload.ir is one example.
- Besides its malicious behaviour, the malware causes excessive consumption of internet data and phone storage. The constant display of ads inside the application also makes the application dysfunctional and annoying to use.
Technical Explanation
After the first application (ir.website.faal118) is installed, its main service, named OSService, starts. As soon as the service runs, it installs the second application, package ir.mahmoodvand.file101, which is stored in the resource path of the first application. When the user taps the primary application, its activity is displayed and set up, and immediately afterwards the activity of the second application is loaded under the title “My file management”. Because the second downloader is named so as not to arouse suspicion, the user assumes this step is part of installing the application and readily taps the “install” button. The second downloader, whose activity is hidden, is then installed. To preserve the persistence of the infected (secondary) application, the malware author removes its icon, so the user cannot see it in the phone's application list.
To register the user's basic phone information (such as phone model, operator type, location, etc.) with the push notification service (OneSignal), the attacker's application sends the information as a JSON file, and this information is stored in the application database (SharedPreferences) on the user's phone. Next, further information about the victim's phone is collected and sent to the push notification service: the specifications of the currently registered operator, which SIM card is used to connect to the internet (the operator name), and which SIM cards are currently active in the phone (Irancell, Hamrah-e Aval, or others).
The service responds to the user's phone with JSON files and various notifications. The values stored in the application database for the parameters removeicon, times, verify, mykey, link, myshortcode, notification, and interval are replaced with those in the JSON file received from the server. When the user taps one of the notifications, malicious code is executed in the background. The malware's method is to open the ads in a WebView inside the application: the HTML files file:///android_asset/www/index.html and file:///android_asset/www/indexv2.html shipped in the application are loaded through the WebView, which also allows the JavaScript loaded onto the screen to be executed. This technique is called JavaScript injection into a WebView.
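As an added example (not Padvish's tooling or the sample's own code), the following Python triage function scores an APK against the indicators described above: the SMS permission trio, a second APK embedded in the resources, local HTML under assets/www for the WebView, and the C&C parameter names kept in SharedPreferences. It works on a constructed manifest, file list and preference-key list; in practice these would be extracted from the APK with a tool such as apktool (assumed here, not shown).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.SEND_SMS",
             "android.permission.RECEIVE_SMS",
             "android.permission.READ_SMS"}
# Parameter names the page reports the sample writes to SharedPreferences
# after receiving C&C JSON through push notifications.
C2_KEYS = {"removeicon", "times", "verify", "mykey",
           "link", "myshortcode", "notification", "interval"}

def manifest_permissions(manifest_xml):
    """Return the android:name values of all <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def triage(manifest_xml, archive_paths, prefs_keys):
    """Check an APK against the SMSBot indicators; returns (score, findings)."""
    findings = []
    perms = manifest_permissions(manifest_xml)
    if SMS_PERMS <= perms:
        findings.append("requests SEND/RECEIVE/READ_SMS (shortcode registration)")
    # A second APK inside assets/ or res/ is the meta-downloader pattern.
    dropped = [p for p in archive_paths
               if p.lower().endswith(".apk") and p.split("/")[0] in ("assets", "res")]
    if dropped:
        findings.append("embeds a second APK: " + ", ".join(dropped))
    if any(p.startswith("assets/www/") and p.endswith(".html") for p in archive_paths):
        findings.append("bundles assets/www HTML for WebView ad pages")
    hits = C2_KEYS & set(prefs_keys)
    if len(hits) >= 4:  # a few shared names are common; several together are not
        findings.append("SharedPreferences keys match C&C config: " + ", ".join(sorted(hits)))
    return len(findings), findings

# Constructed sample input modelled on the page's description, not real files.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""
SAMPLE_PATHS = ["AndroidManifest.xml", "classes.dex", "assets/www/index.html",
                "assets/www/indexv2.html", "res/raw/second_app.apk"]
SAMPLE_PREFS = ["removeicon", "times", "verify", "mykey", "myshortcode", "interval"]

if __name__ == "__main__":
    score, notes = triage(SAMPLE_MANIFEST, SAMPLE_PATHS, SAMPLE_PREFS)
    print(score, *notes, sep="\n")
```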
The application uses servers such as http://141.105.69.168 and http://141.105.69.159/onesignal, and performs the following operations with them:
- After the “Faal” application is opened, a page is shown telling the user that, to use this application (faall), they must obtain an application named “Which actor/actress do you look like” by registering for the “Your TV” service. By tapping the only button on the page, the user is subscribed to the “Your TV” service at a daily fee of 5000 IRR charged to the SIM balance. This application belongs to a family of malware that automatically registers the client in value-added services even though the application's content is unrelated to the service. Using the SIM card number obtained from the user (by a service running in the background), it sends an SMS to one of the SMS service providers and registers the user. The details of this SMS service are delivered to the application as JSON from the attacker's servers.
- The attacker also places links in the JSON file to advertise legitimate applications. As soon as the user taps an ad, they are directed to links such as the following:
- http://141.105.69[.]159/onesignal/img/1526144987834.apk
- http://141.105.69[.]168/files/com.picscout.mytwinceleb.apk
- http://download.dreamapps[.]ir/application/mci-jadval
- It shows messages advertising the download of “Which actor/actress do you look like” that register the user in the “Esteghlal Tehran FC fan club”. This is the attackers' way of making money through value-added services. By tapping “I agree”, the user is subscribed to the “Esteghlal Tehran FC fan club” for a daily fee of 5000 IRR. The difference here is that this ad displays the message “You can join the Persepolis fan club by sending 11 to 738035”. Consequently, when the user taps the button, the SMS-sending permission previously obtained by the attacker is used to register the user in the value-added service, and the user incurs the daily loss. This application (Which actor/actress do you look like) is in the list of infected applications belonging to this malware; some versions of it are downloaded as an independent downloader.
- The second application it advertises is the “Carpino” application: when the user taps the button on the page, the application is downloaded from the infected link served by the malware servers and, if the user taps the button again, installed.
How to deal with it and disinfect the system
Padvish antivirus detects this malware and removes it from the device. You can also deactivate value-added services on any SIM card operator as follows:
Send a blank SMS to 800 or dial *800# to see your active content services and, if you wish, disable all of them. The simplest way for users who want to remove their value-added services is to dial *800*2#, which disables all active services.
Ways to prevent your phone from being infected:
- Avoid downloading and installing applications from unauthorised sources.
- Pay attention to the permissions requested when installing an application.
- Back up your stored files and data regularly.
- Do not use unofficial versions of any application. Applications such as Telegram and Instagram have many unofficial versions, most of which are distributed through Telegram channels.