Fake Mobile Apps in Iran (Part II)


How Spyware and Click-fraud can put millions of users at risk

Background

During our initial forensic investigation of the distribution of fake Android applications in Iran in January 2018, we identified the actor “APD”, with the e-mail apd_1379@yahoo.com, as the developer behind the fake application “psiphon6”.

The application, distributed via SMS phishing messages, included click-fraud and spyware capabilities. Once a victim has installed the fake application, the infected device is remotely controlled through two mobile push notification services: pushe.co and onesignal.com.

A first analysis of the code showed that the application is used to increase the visibility of certain content on Telegram and Instagram by remotely controlling the botnet of compromised mobile phones. The fake Psiphon6 app can also hijack Telegram accounts, bypass two-factor authentication, steal SMS messages, retrieve phone contacts and track the location of the device.

Our initial report pointed out that the developer of the malware is likely to be “APD”, aka “Amir Parsa Dehfuli”, a consultant for the “digital marketing” company Ad Venture. Ad-venture.ir is a start-up focused on Telegram campaigns that currently uses the Twitter account @telegrampreneur.

Alireza Agashi, CEO of Ad-venture.ir participated in the “Digital Marketing Conference” (dmconf.ir) in November 2017 with focus on the amazing opportunities that Telegram has for digital advertisement.

When the founders of Ad-venture (Mohammad Reza Niayi and Alireza Agashi) were asked about the relationship between their company and “APD”, they acknowledged that “APD” helped them with the design of their website using the temporary domain ad-venture.ml. According to their statements, despite the fact that ad-venture.ml shared development infrastructure with the server that distributed the malware (serverclient12.tk), “APD” acted simply as a consultant for the company, and none of the malware-related activities were connected with their company.

When asked about the period of time that “APD” was collaborating with Ad-venture, Alireza Agashi stopped providing information and asked us to contact the developer directly. Despite numerous attempts to reach out to “APD”, no response has been received.

 

Who is APD?

Thanks to the early work of @hooshmandk published in AmadNews (Jan 12, 2018), APD found out that he was the main suspect in the distribution of the psiphon6 malware and deleted his LinkedIn account, which listed his current position as “Iran – BI Consultant – Ad-Venture”.

Despite his effort to delete all digital traces, this is what we know about “APD”.

  • Apd_1379 has used the name Amir Parsa Dehfuli since at least 2015 and has used the e-mail addresses
    • apd_1379@yahoo.com
    • apd13791@gmail.com
    • parasdehfuli@hotmail.com
    • apd1379@gmail.com
    • riliufeapd@gmail.com (?)
  • In 2015, he was already selling training materials on how to build Telegram bots from the websites cocbsell.ir and www.cocbsell.loxblog.com

TRANSLATION
Training for creating a Telegram bot:

 1. Sending unlimited messages to the bot users.
 2. Server with good performance and no downtime.
 3. Ability to check the total number of users and the channels the bot has been invited to.
 4. Creating special keyboard. <----
 5. Sending your website's feed automatically.
 6. Web control panel.
 7. Connecting to the control panel via mobile devices and Windows."
  • APD shows an interest in online games such as “Clash of Clans” and has advertised accounts for this game for sale. He registered the domain clashtour.ir and runs the Telegram channel clashstore

  • His Skype account with mail parsadehfuli@hotmail.com used the nick apd1379

  • Since November 2017, he has used the nicks: namazhe and inamazh to promote himself as “Digital Marketing Solution Finder” and “Business Intelligence Consultant”. Twitter handle: https://twitter.com/iNamazh apd1379@gmail.com

 

 

How close is “APD” with Ad-venture.ir?

Although Ad-venture wants to put some distance between itself and “APD”, social media activity reveals communication between the actors in December 2017 and early January 2018. Both of Ad-venture’s founders follow “APD’s” Twitter account @inamazh (13 followers).

Our understanding, later confirmed by Ad-venture’s CEO, is that “APD” was working on their new website in a development environment using the domain ad-venture.ml until late November 2017; a few weeks later the site went live as ad-venture.ir. To this day, Ad-Venture keeps the .ml domain on its company LinkedIn page.

In one of the two pictures that the company’s co-founder Mohammad Reza Niayi has in his Google+ account, we can see “APD” present in what seems to be a company staff meeting. One interesting fact is that APD registered his domain namazhe.net, the “Digital Marketing Solution Finder”, the same week that Ad-venture.ir went live.

 

Ad-venture team meeting with a familiar face wearing “google” glasses. Recent instagram picture of Ad-venture staff including “amir parsa am”

The Digital Marketing Solution Finder

The forensic evidence collected explains Ad-venture’s evident reluctance to provide more specific details about this case, and shows that the company is in fact well aware of the malicious mechanisms “APD” uses to increase “traffic views”.

Compromising mobile phones to run “digital marketing campaigns” seems to be an effective way to drive fake traffic to advertisers, but the victims whose privacy is compromised will hardly see it that way. Psiphon6 is not just a “click” hijacker: it also contains functionality to retrieve personal data from the victims.

 

A careful review of this diagram in Ad-venture.ir website shows that the file is named “bot chart” 🙂

 

Is the fake psiphon6 app distributed in January still active?

Despite multiple messages exchanged with Ad-venture and the e-mails sent to “APD”, we could not obtain a clear explanation of the events. We wanted to know whether the malware was still active and whether they had stopped their activities. So this is what we did.

In order to understand what the software is trying to achieve, we reverse-engineered the Android application and wrote our own Android application that listens for all commands coming from the notification service. In this way, we have been able to record each command sent to our phone.

The result is that, despite all the e-mails exchanged, the malware remains active. The attacker is no longer using the pushe.co notification channel (the account might have been suspended) but is using a fallback notification channel from onesignal.com to control the botnet of compromised phones.

At the time of writing, we record 2-5 push notifications per day, each containing 12 Telegram post URLs. Each notification forces the mobile “zombies” to load the specified content from seven different Telegram channels within a three-second window:

  1. asrtarfand
  2. bazarapp_ir
  3. hamechiitamommm
  4. apkcenter
  5. allllllooooppp
  6. App_Store
  7. maebodgahashghan

Number of requests sent by our “compromised” phone to the seven Telegram channels during the period Jan 30 – Feb 3.

 

Are the “other Apps” announced to compromised devices also risky?

Many of the postings include references to other fake APKs with similar backdoors. For example, the post https://t.me/bazarapp_ir/4467 points to “com.panel.keyboard”, a fake clone of the app “ir.samaanak.keyboard”. The cloned and modified app contains a backdoor.

Judging by this picture found in the commented-out code of the ad-venture.ir website, APD’s glasses are “somehow” what makes this team of “advertisers” unique!

Conclusions

There are lots of lessons learned from this case.  Let us list a few:

  • There is a myriad of Telegram forks in Iran, and many of them are not safe for end users. Pavel Durov is already aware that something needs to be done about it.
  • The push notification services (PNS) used by mobile applications offer a flexible mechanism for building command-and-control channels for mobile botnets. If you want to learn more about “Punobots”, do not miss this paper and this one.
  • Engaging in click fraud is bad enough, but bundling malware with spy-type capabilities is much worse and can jeopardize the personal safety of Iranian activists, LGBT organizations and other dissidents.

 

Full log of the recorded push events: apd_psiphon6

 

5,"{
""a9_u"": ""1"", <--- A9, let us create some fake traffic using the built-in WebView
""a9_u15"": ""https://t.me/hamechiitamommm/1157"",
""a9_u13"": ""https://t.me/hamechiitamommm/1158"",
""a9_u14"": ""https://t.me/hamechiitamommm/1159"",
""a9_u4"": ""https://t.me/asrtarfand/1222"",
""a9_u5"": ""https://t.me/asrtarfand/1223"",
""a9_u2"": ""0"",
""a9_u3"": ""3000"", <--- Maximum time (ms) to handle this push task
""a9"": ""12"", <--- Number of posts to load
""a9_u11"": ""https://t.me/bazarapp_ir/4469"",
""a9_u8"": ""https://t.me/bazarapp_ir/4466"",
""a9_u12"": ""https://t.me/hamechiitamommm/1157"",
""a9_u9"": ""https://t.me/bazarapp_ir/4467"", <--- Increasing "Views" in a fake APP 
""a9_u6"": ""https://t.me/asrtarfand/1224"",
""a9_u10"": ""https://t.me/bazarapp_ir/4468"",
""a9_u7"": ""https://t.me/asrtarfand/1225""
}",1517390888486,ONESIGNAL <--- Push notification received via onesignal.com
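The push payload above can be decoded offline from the exported log. The following Python script is an added example, not code from the original post or from the malware author: it embeds one constructed row in the same CSV layout as the exported log (the editorial "<---" annotations removed) and interprets the a9 fields as the annotations on the event describe them, with a9 the number of posts to load, a9_u3 the time budget in milliseconds, and the numbered a9_u keys the Telegram posts to open. What a9_u and a9_u2 mean beyond that is not documented on this page, so the script only carries them through. Running it reproduces, for this single event, the per-channel request counts charted earlier.

```python
import csv
import io
import json
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample in the layout of the recorded push log: one CSV row of
# <sequence>,<JSON payload with doubled quotes>,<epoch milliseconds>,<provider>.
# The values are those of the push event shown on this page.
SAMPLE_LOG = '''5,"{
""a9_u"": ""1"",
""a9_u15"": ""https://t.me/hamechiitamommm/1157"",
""a9_u13"": ""https://t.me/hamechiitamommm/1158"",
""a9_u14"": ""https://t.me/hamechiitamommm/1159"",
""a9_u4"": ""https://t.me/asrtarfand/1222"",
""a9_u5"": ""https://t.me/asrtarfand/1223"",
""a9_u2"": ""0"",
""a9_u3"": ""3000"",
""a9"": ""12"",
""a9_u11"": ""https://t.me/bazarapp_ir/4469"",
""a9_u8"": ""https://t.me/bazarapp_ir/4466"",
""a9_u12"": ""https://t.me/hamechiitamommm/1157"",
""a9_u9"": ""https://t.me/bazarapp_ir/4467"",
""a9_u6"": ""https://t.me/asrtarfand/1224"",
""a9_u10"": ""https://t.me/bazarapp_ir/4468"",
""a9_u7"": ""https://t.me/asrtarfand/1225""
}",1517390888486,ONESIGNAL
'''

URL_KEY = re.compile(r"^a9_u(\d+)$")


def parse_push_log(text):
    """Return one dict per recorded push event (seq, payload, UTC time, provider)."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue  # blank or malformed row
        seq, raw_payload, ts_ms, provider = row
        ms = int(ts_ms)
        # Integer arithmetic keeps the millisecond exact (no float rounding).
        when = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
        when = when.replace(microsecond=(ms % 1000) * 1000)
        events.append({"seq": int(seq), "payload": json.loads(raw_payload),
                       "time": when, "provider": provider})
    return events


def extract_a9_task(payload):
    """Decode the a9 command as annotated on the recorded event (assumed layout):
    a9 = number of posts to load, a9_u3 = time budget in ms, and every numbered
    a9_u<n> key holding an http(s) URL is a target post, ordered by <n>."""
    targets = []
    for key, value in payload.items():
        m = URL_KEY.match(key)
        if m and value.startswith(("http://", "https://")):
            targets.append((int(m.group(1)), value))
    targets.sort()
    return {
        "a9_u": payload.get("a9_u"),      # undocumented flags, passed through
        "a9_u2": payload.get("a9_u2"),
        "expected_count": int(payload.get("a9", 0)),
        "timeout_ms": int(payload.get("a9_u3", 0)),
        "urls": [url for _, url in targets],
    }


def telegram_channel(url):
    """Channel name of a t.me post URL, or None for any other host."""
    parts = urlparse(url)
    if parts.netloc.lower() != "t.me":
        return None
    segments = [s for s in parts.path.split("/") if s]
    return segments[0] if segments else None


def tally_channels(events):
    """Count how many post loads each Telegram channel receives across events."""
    counts = Counter()
    for ev in events:
        task = extract_a9_task(ev["payload"])
        if len(task["urls"]) != task["expected_count"]:
            # The command layout changed; a silent tally would be wrong.
            raise ValueError(f"event {ev['seq']}: a9={task['expected_count']} "
                             f"but {len(task['urls'])} URLs found")
        for url in task["urls"]:
            channel = telegram_channel(url)
            if channel:
                counts[channel] += 1
    return counts


if __name__ == "__main__":
    recorded = parse_push_log(SAMPLE_LOG)
    for ev in recorded:
        task = extract_a9_task(ev["payload"])
        print(f"#{ev['seq']} {ev['time'].isoformat()} via {ev['provider']}: "
              f"{task['expected_count']} posts, {task['timeout_ms']} ms budget")
    for channel, n in tally_channels(recorded).most_common():
        print(f"{channel}: {n}")
```

Point the script at the full exported log instead of SAMPLE_LOG to get the Jan 30 – Feb 3 totals; the a9-versus-URL-count check will stop it if the operator changes the command format.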


Example of the Telegram variants that the fake ir.samaanak.keyboard clone targets