With the increasing popularity of smartphones in Iran, these devices have turned into an attractive money-making channel for cyber criminals. This first report in a series to be published by Certfa exposes a major network of cyber criminals using malicious apps to make money by undermining Iranian users’ privacy and online security.
This report is both timely and important – so far no other organisation has offered an in-depth analysis of these criminal activities, which are costing Iranian smartphone users billions of Iranian Rials (millions of US dollars) each year.
In this report, Certfa will discuss a group of malware named PushIran.DL. The malware has in effect created a major advertising botnet that can be distributed and used in various ways to exploit users.
The misuse of third-party services to send notifications, the manipulation of other programs and the deception of users are only some of the activities carried out by the creators of these malware, who pose a serious threat to the privacy and digital security of millions of smartphone users in Iran.
The PushIran.DL malware, which is currently only operational for the purposes of profiteering, is largely detected by reliable anti-virus software such as Kaspersky, ESET NOD32, Avira, Dr.Web, and Trend Micro. Users at risk may use this software to ensure that their devices are not infected.
The development of downloadable malware and adware has become a prominent activity in the mobile app and internet advertisement markets. These criminal acts have increased the prevalence of smartphone infections and, if not seriously confronted, we expect to encounter more far-reaching and dangerous threats in the not-too-distant future.
The malware that are the subject of this report have been grouped under the title ‘PushIran.DL’. This is a family of fake and destructive Android apps which are distributed across Iran’s mobile network — whether through Telegram Messenger or other Android malware — by playing different tricks, including distributing downloaders and adult apps, and by sending text messages and deceptive notification ads in other mobile apps. Their creators are constantly developing new versions and releasing further infected files.
No accurate data about the full extent of infection of mobile devices by PushIran.DL is available, but we believe that more than 10 million Android devices in Iran have been infected. The documents collected from just one of the attackers’ Command and Control (C&C) servers 1 revealed that approximately 1,369,000 Android devices have been infected. What this research has revealed to us is that the PushIran.DL malware family has developed a vast Android-based infrastructure to support a giant botnet of spam and mobile adware in Iran.
Anti-virus tools categorise the malware samples that we define as part of the PushIran.DL family under titles such as: 2
Currently, the PushIran.DL malware serves to build a user base and form a mobile botnet for commercial uses. Its main activity consists of stealing Android device information and recording users’ credential details via push notification services. The developers of these malware have so far used this data for advertising, but in the near future it is very possible that they will use it for more destructive purposes, such as carrying out phishing attacks, releasing ransomware and running cryptocurrency miners.
Origins of PushIran.DL
According to our investigations and existing evidence, the companies “Pouya Ertebat Raman (Raman) 3” and “Raazgostaran Andisheh Fartak (Raaz) 4” are the two main developers and spreaders of PushIran.DL in Iran.
Raman: Pouya Ertebat Raman is a company which produces mobile apps, sells the source code of software, and produces online advertising. It was registered by Mohammad Hossein Karbalaei Sadegh, Mohammad Naftchi Langeroudi and Seyed Hamid Mousavi Khoshdel on 17 July 2017 (26 Tir 1396). 5
Raaz: Raazgostaran Andisheh Fartak is a company active in IT and communications, consulting, marketing and internet advertising. It was registered by Razieh Hemmati Goshtasb, Hamideh Hemmati Goshtasb, Soghra Dizgani and Payam Zamharir. The company officially started to operate on 28 May 2017 (7 Khordad 1396). 6
The Main Actors
After analysing information captured from the identified malware and a two-month phase of monitoring communications among malware developers, we concluded that a number of individuals and firms are involved in spreading the PushIran.DL malware.
In subsequent reports we will discuss these entities in detail, but according to the evidence that we captured from digital footprints, some of the main distributors of these malware include Mohammad Hossein Karbalaei Sadegh (nicknamed “Omid” and “Omidmhks”), Ali Motamedi and Milad Faraji. The function of some of the released files will be described later in this report.
What is remarkable about PushIran.DL is that its creators have created and launched the infected apps using the nicknames of the owners (those who work in Pouya Ertebat Raman), customers and other co-workers of the company. Via the attacker’s C&C servers, we were able to find a list of names that related to Raman:
Table 1. A list of individuals who are related to Raman and developed malware under PushIran.DL campaign.
We were also able to identify some of the developers of this malware in Android app stores. For instance, Mohammad Hossein Karbalaei Sadegh (Dima), Farzad Seyedi (Baraish Team), and Ali Motamedi (Tosewe-ye-Paydar) are some of the PushIran.DL developers who have intentionally released infected Android apps on CafeBazaar.ir (the Iranian version of Google Play) and other Iranian Android app stores. 7
Figure 1. Samples of apps and PushIran.DL related developers (‘All Purpose Smart Keyboard’ with more than 1 million installations and an anti-virus with more than 100,000 active installations.)
Aria Tosewe 8, who has previously used the name Ali Motamedi 9, is another of the individuals who has released infected applications on Google Play. Some of the users who installed Motamedi’s app have complained about annoying ads that force them to download other apps without their consent and redirect them to other websites.
Figure 2. Comments from users about Ali Motamedi’s apps on Google Play 10
As of August 2018, we have been able to collect 220 samples of PushIran.DL. The examples we have collected appear to share a number of common features. Nevertheless, we believe that there are far more infected apps out there than those we have detected. Yet based on the activities of these malicious apps, we can assert that the main culprits have been identified.
Names of Suspicious and Malicious Apps
The titles of the files that had been released by 1 July 2018 are as follows:
Table 2. A list of suspicious and malicious apps that have been released by 1 July 2018. 11
According to our assessments, some of the PushIran.DL apps inflict different costs upon users by activating Telecommunication Value-Added Services (VAS).
After entering into agreements with their customers (companies and VAS providers), the developers of PushIran.DL add the activation of text message VAS services to their apps as one of their destructive capabilities. According to the agreements, the attackers receive a small amount of money from their customers as commission.
Our observations show that this has been done both involuntarily (without informing the users or obtaining their consent) and voluntarily (through false and deceptive advertising plans). It causes financial losses to the user: on average, a user’s prepaid credit is reduced by 2,000 to 4,000 IRR (0.04 to 0.09 USD) per day, or similar amounts are charged to their periodic bills.
Based on collected data from one of the malware servers, companies that have agreements with telecommunication companies receive an approximate sum of 1.17 billion IRR (25,570 USD) through VASs from only 10 malicious apps. The names of the 10 infected apps with their corresponding daily installation rate and average daily revenue are listed below:
Table 3. A list of PushIran.DL apps with estimated revenue 12
The important point about VASs and the revenue obtained from them – such as the sums listed in the above table – is that the majority of profits go to monopoly companies that have contracts with TSPs 13 and only a small portion of it will be paid out to malware developers. This has caused some dissatisfaction among the developers. For example, you can see some of the conversations among malware developers about the low levels of income from working with VAS companies in Figure 3. It is noteworthy that these individuals are aware of the criminal nature of their activities.
Figure 3. PushIran.DL malware developers’ dissatisfaction with low level of income of working with VAS companies
The Scope of Activity
The activity of PushIran.DL is extensive. Some of their current activities are listed below:
- Guaranteed installation of Android apps (hidden downloads and involuntary display of new apps for download)
- Sending notifications targeted by operator, location, age group, gender and the user’s device model
- Increasing Instagram and Telegram post views
- Displaying commercial pop-ups
- Clickjacking to increase the number of views of different websites
- Directing users to various web pages, such as VAS websites
In Figure 4, some advertising messages sent by PushIran.DL developers can be seen. These messages were sent for marketing purposes. The number of targeted users is between 1.5 and 12 million. The use of malware is explicitly mentioned in this screenshot.
Figure 4. Some of the messages exchanged among PushIran.DL related individuals for marketing. These messages contain notes about the technical and functional capabilities of their malware.
Disguised Apps and Third Parties
It is noteworthy that most developers responsible for distributing PushIran.DL release applications with generic titles such as “Persian Keyboard”, “Antivirus”, “Device and Battery Optimizer”, “Augury and Horoscopes”, “Weather Forecast”, “Religious Prayer”, “Persian Calendar”, many of which have similar user interfaces and functionalities. These similarities could derive from the use of identical source codes, some of which are available ‘off-the-rack’ from websites and Telegram channels.
These developers, alongside the companies and groups mentioned in this report, have created a medium for the sale of push notification management panels and the granting of concessions within apps that are available on app stores. What they have created can be described as a ‘black market’ of mobile apps being used for advertising purposes.
The consequences for the users of these apps—which are publicly available on app stores—should be a matter of serious concern. The administration and management of these apps has been transferred to third parties, whose interest in buying mobile apps with massive user bases lies in profiteering, with little regard paid to the consent of app users. In other words, commercial and administrative access to these apps is being sold secretly, without respecting the privacy of users, nor the regulations of app stores such as Cafe Bazaar or Google Play.
In the posts of the Telegram channel of the managers of Pouya Ertebat Raman, we encountered such cases:
“The full concession of a chosen app in Cafe Bazaar with access to OneSignal admin panel and the data of 19,700 users (active installations) will be sold at 200 million IRR (4,545 USD)”.
Figure 5. Some samples of posts about the sale of source codes and the transfer of user panels for sending notifications (Source: Telegram channels belonging to PushIran.DL developers).
The Analysis of the PushIran.DL family
1) PushIran.DL downloader
Technical evaluation of samples of PushIran.DL malware indicates that after infecting Android devices, downloader files make contact with C&C servers. This serves to record basic device data (such as the model, the telecommunication service provider, location, etc.).
Afterwards, the attacker controls the malware remotely by sending different commands through push notifications, such as ads, app download links and redirections to other websites.
Some of these downloaders begin fetching suspicious new APK files from the internet immediately on first run, by calling file download links that are hard-coded in the downloader’s source by default.
Attackers use two methods to distribute these suspicious APK files, which may be more powerful and destructive malware:
- Private Servers: By using private servers, attackers are able to easily replace uninfected files with infected ones. For example dl2learnasan.ir has been used for this purpose.
Figure 6. List of files, accessible on dl2learnasan.ir server
- File Sharing Servers: Sometimes, attackers use file sharing servers to hide their traces, accelerate the distribution of files and report the exact number of downloads to the customers who ordered the ads. An example is the uupload.ir service, through which infected files were shared on a massive scale in Spring 2018.
Figure 7. A sample of downloader files, uploaded on uupload.ir with more than 19,000 downloads.
Figure 8 illustrates the function of these downloaders (for example, based on function of com.newdownloader.antivirus_mohammad and ir.pushiran.hamrahdownloader5 downloaders).
Figure 8. PushIran.DL downloaders’ mechanism
2) PushIran.DL store downloaders
During our evaluation of PushIran.DL files, we encountered downloaders which were distributed mainly with the aim of increasing the number of users of apps that are available on Android stores.
Since some Android app stores (such as Cafe Bazaar) calculate the displayed “number of installations” statistic by counting the apps installed on users’ devices, this method of measuring an app’s popularity allows malware developers to manipulate the system and artificially inflate the number of downloads.
For example, the developer can send a command and ask the malicious app to start downloading another app. When an app starts to be downloaded by tens of thousands of users, the new malicious app might appear in the ‘Trending’ section of the app store, and other users whose devices are not infected with PushIran.DL may become affected by it. This cycle can be perpetuated to spread malware to large user populations.
Besides this, these downloaders—like all PushIran.DL files—register users’ device information such as the IMEI, TSP, and DeviceToken (among others) with their push notification service.
Figure 9 is a summarised demonstration of the mechanisms of these downloaders (for example based on function of ir.gotoup.flashlight and com.newdownloader.ax_naghashi_zz_homayoun).
Figure 9. PushIran.DL store downloaders’ mechanism
3) PushIran.DL Metadownloaders
Another type of PushIran.DL file are ‘meta-downloaders’, which are downloaders that add new downloaders to users’ devices after infecting them. These metadownloaders enable attackers to install newer and more diverse types of malware.
After various assessments, we can assert that so far the main purpose of the distribution of this type of file has been merely to create larger user bases for push notification services, which can be used specifically by attackers for sending ads.
Figure 10 is a summarised demonstration of the mechanisms of these metadownloaders (for example based on function of com.bestmaker.antipackage and com.blod.taghziye).
Figure 10. PushIran.DL Metadownloaders’ mechanism
4) Irrelevant notifications
A noteworthy issue about PushIran.DL is the notifications that have no relevance to the function of the apps that display them. Some samples of this type of notification are shown in Figure 11.
Figure 11. Notifications which are irrelevant to function of the advertised software
Case 1: A fake app with the Psiphon icon and title “circumvention” sent a notification titled “calculator update” to the user in which the “free download of a calculator app” has been mentioned.
Cases 2 & 3: Similar to the Psiphon app, two apps, “XoXo Girl Game” and “Hot Cartoon”, have sent similar ads to the user.
Case 4: Fake app “18+ collection” has sent a notification “Are you eager to go to Karbala?” to users in which the download and installation of “an audio Ziyarat Ashura for Ramadan” has been mentioned. 14
5) Dialog Notifications
Another type of annoying notification shown by PushIran.DL apps is the pop-up, whose content is sent to users’ devices through push notifications. Pop-ups appear on the main screens of users’ devices as advertising dialogues. Users are not aware of the source of these notifications. Two samples of these ads are shown in Figure 12.
Figure 12. Annoying commercial pop-ups
6) Notification Bombardment
If a user’s device gets infected by a PushIran.DL downloader, it will gradually suggest that the user installs a number of new malicious apps. If the user installs these apps, the device will be bombarded by notifications for several hours throughout the day.
Figure 13 demonstrates some of these notifications.
Figure 13. Annoying commercial notifications, related to PushIran.DL infected software
7) Phishing Notifications
After spending approximately two months evaluating PushIran.DL apps, we have not detected any examples where they have been used to engage in phishing attacks against users’ accounts on social media or elsewhere, but we believe that the distributors of PushIran.DL have the capacity to undertake such attacks if they so desired.
This research has shown that attackers are appropriating the icons of well-known apps to deceive users, send them fake messages, and direct them to various phishing pages. Figure 14 shows an example in which PushIran.DL developers have misused Gmail’s icon in their notifications.
Figure 14. Misusing other apps’ icons, such as Gmail’s
The Prevalence of Push Notification Services
Push notifications and the service providers of this feature are currently one of the main modes of interaction between mobile app developers and users. Due to a lack of monitoring and regulation of the use of push notifications by providers, this service has at times turned into a serious nuisance for users. Attackers frequently misuse push notification services as a means of remotely coordinating malware.
Services such as Pushe.ir/Pushe.co, OneSignal.com, Adad.ir, and Magnetaddservices.com (among others), are currently some of the services with the largest user bases among Iranian developers.
According to information published by Rotbenegar 15, pushe.ir—a push notification service—ranks as the sixth-most visited website in Iran based on internet traffic. In past months, antivirus services have become more responsive to the distribution of malware and adware through this website, and on occasion have shown security alerts to users attempting to access it. 16 We believe that if this trend of abusing sites like pushe.ir continues, antivirus and online security software can be expected to blacklist the site in the medium-to-long term.
Table 4. List of most visited websites based on internet traffic in Iran
PushIran.DL Communication Network
In order to provide comprehensive information on the distributors of the PushIran.DL malware family and the structure of this commercial botnet, details of the communications and background activity of some of the malware should be assessed. Our investigation illustrates that a number of individuals and companies are connected to each other, and use their networks to accelerate the distribution and spread of PushIran.DL.
We have also seen through our investigations that these malware developers collaborate with each other by using shared private servers to host and distribute malicious files, transferring ownership of these servers to PushIran.DL-linked individuals, and by using similar coding patterns to develop malware and push notification services.
Also, based on the information we have gleaned about the connections between servers, and the analysis of distributed malware files, we can say that the developers of these malware were also in direct contact with servers belonging to the company Peykasa 17 for a limited period of time. This connection is, however, currently suspended.
Additionally, we identified two other items of malware (ir.pushiran.hamrahdownloader5 and ir.vira_tel.dawnloader61), developed by two different developers, that had used tci-test.peykasa.ir and tci-srv.peykasa.ir. These domains belong to Peykasa.ir and provide a VAS to MCI.
Figure 15 shows part of the general communication network of these malware online.
Figure 15. The structure of communication network of some of PushIran.DL malware 18
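A defender-side triage helper, added here as an example and not part of the Certfa report: it parses `adb shell pm list packages -f` output and DNS query log lines and flags exact matches against the package names and distribution/VAS hosts named in this report, plus lower-confidence matches on the naming patterns several samples share. The package-name patterns, the dnsmasq-style log format and the sample inputs are constructed assumptions, not data from the report.

```python
"""Triage installed packages and DNS logs against PushIran.DL indicators."""
import re
from dataclasses import dataclass

# Package names this report attributes to the PushIran.DL family.
KNOWN_PACKAGES = {
    "com.newdownloader.antivirus_mohammad", "ir.pushiran.hamrahdownloader5",
    "ir.gotoup.flashlight", "com.newdownloader.ax_naghashi_zz_homayoun",
    "com.bestmaker.antipackage", "com.blod.taghziye", "ir.vira_tel.dawnloader61",
    "ir.byd.fastdiviceandro", "com.sm.antivirus", "com.am.speed", "ir.mf.antivirusm",
}
# Distribution and VAS-related hosts the report names.
KNOWN_DOMAINS = {"dl2learnasan.ir", "uupload.ir", "tci-test.peykasa.ir", "tci-srv.peykasa.ir"}

# Heuristic (assumed) naming patterns shared by several samples: lower confidence.
SUSPICIOUS_PACKAGE_RE = re.compile(
    r"^(ir\.pushiran\.|com\.newdownloader\.|.*\.(dawnloader|hamrahdownloader)\d*$)")
# `pm list packages -f` prints "package:/path/base.apk=name"; without -f just "package:name".
PM_LINE_RE = re.compile(r"^package:(?:(?P<apk>\S+)=)?(?P<name>[\w.]+)$")
# dnsmasq-style query line (assumed format): "... query[A] host from client".
DNS_LINE_RE = re.compile(r"query\[A\]\s+(?P<host>[\w.-]+)")


@dataclass
class Finding:
    kind: str        # "package" or "dns"
    value: str
    confidence: str  # "known" (exact indicator) or "heuristic" (pattern only)


def triage_packages(pm_output: str) -> list:
    findings = []
    for line in pm_output.splitlines():
        m = PM_LINE_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        if name in KNOWN_PACKAGES:
            findings.append(Finding("package", name, "known"))
        elif SUSPICIOUS_PACKAGE_RE.match(name):
            findings.append(Finding("package", name, "heuristic"))
    return findings


def triage_dns(log_text: str) -> list:
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = DNS_LINE_RE.search(line)
        if not m:
            continue
        host = m.group("host").lower().rstrip(".")
        # Match the host itself or any subdomain of a known distribution host, once each.
        if host not in seen and any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS):
            seen.add(host)
            findings.append(Finding("dns", host, "known"))
    return findings


def summarize(pm_output: str, dns_log: str) -> dict:
    pkgs, dns = triage_packages(pm_output), triage_dns(dns_log)
    known = [f.value for f in pkgs if f.confidence == "known"]
    heuristic = [f.value for f in pkgs if f.confidence == "heuristic"]
    verdict = "infected" if known or dns else ("review" if heuristic else "clean")
    return {"known_packages": sorted(known), "heuristic_packages": sorted(heuristic),
            "contacted_domains": sorted(f.value for f in dns), "verdict": verdict}


# Constructed sample inputs (not captured from a real device).
SAMPLE_PM_OUTPUT = """\
package:/data/app/com.android.chrome-1/base.apk=com.android.chrome
package:/data/app/ir.pushiran.hamrahdownloader5-1/base.apk=ir.pushiran.hamrahdownloader5
package:/data/app/com.newdownloader.ax_naghashi_zz_homayoun-2/base.apk=com.newdownloader.ax_naghashi_zz_homayoun
package:/data/app/ir.example.dawnloader7-1/base.apk=ir.example.dawnloader7
package:com.example.calculator
"""
SAMPLE_DNS_LOG = """\
Jul 18 10:00:01 dnsmasq[412]: query[A] www.example.com from 10.0.0.5
Jul 18 10:00:02 dnsmasq[412]: query[A] dl2learnasan.ir from 10.0.0.5
Jul 18 10:00:03 dnsmasq[412]: query[A] tci-srv.peykasa.ir from 10.0.0.5
Jul 18 10:00:04 dnsmasq[412]: query[A] dl2learnasan.ir from 10.0.0.5
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PM_OUTPUT, SAMPLE_DNS_LOG).items():
        print(f"{key}: {value}")
```

A "review" verdict means only the heuristic name patterns fired; confirm such packages with an anti-virus scan before treating the device as infected.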
Although PushIran.DL is not a particularly sophisticated advertising botnet, it is a dangerous malware that has cost Iranian citizens millions of dollars. In addition, PushIran.DL allows cyber criminals (and potentially the Iranian government and intelligence services) to undertake large-scale surveillance operations. In the past, it has been suggested that state intelligence services have collaborated with known hackers to target particular individuals. 19
As a consequence, we propose a series of recommendations to tech companies, policymakers, civil society actors and internet users to mitigate the risks posed by the PushIran.DL family of malware.
Our recommendations to tech companies and policy makers:
- Put pressure on app stores such as Cafe Bazaar and Google Play to take down the malicious apps as soon as possible. A concerted effort will be required on this front, as app stores are frequently either unresponsive or slow to react to such takedown requests.
- Ensure that all anti-virus software is updated to identify PushIran.DL and similar malware. Currently, only a handful of anti-virus tools such as Kaspersky and Avira identify PushIran.DL apps as malicious.
Our recommendation to civil society and the Iranian diaspora media:
- Raise awareness among Iranians through different channels such as TV, radio, websites, and social media. Many victims of these attacks do not understand the impact or risks of the malware, and in some cases do not even realise that their phone is infected.
Our recommendations to users:
- Do not download any apps from unofficial app stores. Users should take time to read reviews and app descriptions before downloading any apps.
- Ensure that anti-virus software is installed on their devices, and kept up-to-date.
- Monitor all device notifications and ensure that they are legitimate. Unexpected or suspicious notifications should not be engaged with.
Domain and IP
1. Command and Control servers are the central computers responsible for issuing directives to devices previously infected with malware and for coordinating botnets.
2. VirusTotal, “ir.byd.fastdiviceandro”. Accessed July 18, 2018. https://s.certfa.com/dFos6X
   VirusTotal, “com.sm.antivirus”. Accessed July 18, 2018. https://s.certfa.com/pUI2hj
   VirusTotal, “ir.vira_tel.dawnloader61”. Accessed July 18, 2018. https://s.certfa.com/HmHvm9
   VirusTotal, “com.am.speed”. Accessed July 18, 2018. https://s.certfa.com/WpYT8q
   VirusTotal, “ir.mf.antivirusm”. Accessed July 18, 2018. https://s.certfa.com/TKsFzc
3. Pouya Ertebat Raman’s website. Accessed July 30, 2018. http://raaman.ir/
4. Raazgostaran Andisheh Fartak’s website. Accessed July 30, 2018. http://raaz.co/
5. Rooznameh Rasmi Keshvar (2017), Pouya Ertebat Raman’s details. Accessed July 18, 2018. https://s.certfa.com/w7ekfs & https://s.certfa.com/wTm3wp & https://s.certfa.com/rI9a7W
6. Rooznameh Rasmi Keshvar (2017), Raazgostaran Andisheh Fartak’s details. Accessed July 30, 2018. https://s.certfa.com/vZpSpW
7. Cafe Bazaar, “ضد ویروس”. Accessed July 30, 2018. https://s.certfa.com/KztV5g
   Cafe Bazaar, “Samaanak Smart Keyboard”. Accessed July 30, 2018. https://s.certfa.com/XUEBV5
   Cafe Bazaar, “زودشارژ (شارژ سریع باطری)”. Accessed July 30, 2018. https://s.certfa.com/WmBm4e
   Cafe Bazaar, “Advanced Antivirus”. Accessed July 30, 2018. https://s.certfa.com/PmLD8X
8. Aria Tosewe’s profile on Google Play. Accessed July 30, 2018. https://s.certfa.com/LLwYmD
9. Renamed profile of Ali Motamedi on Google Play. Accessed July 30, 2018. https://s.certfa.com/TvYsGV
10. Google Play, “آریاگرام ضد فیلتر و حالت روح (فوق پیشرفته)”. Accessed July 7, 2018. https://s.certfa.com/R4eeRK
   Google Play, “بهینه ساز باتری هوشمند”. Accessed July 30, 2018. https://s.certfa.com/APceTq
11. These three categories were defined as follows:
   - Malicious: We identified these apps as containing malicious downloaders.
   - Fake App: These apps did not perform the functions they claimed to, and are suspected of carrying malware.
   - Suspicious: Although no malware was detected, these apps were published by the developers of other PushIran.DL apps.
12. MCI stands for Mobile Telecommunication Company of Iran; it is also known as Hamrahe Aval.
13. TSP stands for Telecommunications Service Provider.
14. Karbala and Ziyarat Ashura are related to the Battle of Karbala, which took place on Muharram 10, in the year 61 AH of the Islamic calendar (October 10, 680 AD) in Karbala, Iraq. This battle is symbolic of the fight against tyranny and an important event in Shia Islam. Ziyarat Ashura is a Shia salutatory prayer to Imam Hossein, the third Shia Imam.
15. Rotbenegar, Ranking of top 10 websites in Iran. Accessed March 7, 2018. https://s.certfa.com/hAZRMW
16. Pushe.co (2017), “ماجرای پوشه و آنتی ویروس!”. Accessed July 31, 2018. https://s.certfa.com/yqEPYz
17. Peykasa’s website. Accessed July 25, 2018. http://peykasa.ir and http://peykasa.com/
18. A high-quality version of Figure 15 is available here: https://blog.certfa.com/posts/pushiran-dl-malware-family/network.jpg
19. Deutsche Welle Farsi, “ارتش سایبری سپاه پاسداران یا هکرهای اجارهای”. Accessed July 14, 2018. https://s.certfa.com/9jN3HJ
20. Indicator of compromise (IOC)