vpnMentor has teamed up with cybersecurity firm ClearSky to release this report.

ClearSky conducted an investigation that revealed malicious Android software called Ir.ops.breacker, which imitated the popular VPN app, Psiphon.

The following is a close look at how this malware impersonates Psiphon and spreads.

Report: Fake Android Apps Were Used to Monitor Iranian Protesters

When the user installs this fake VPN, the app asks for a set of permissions on the user's phone.

Below is the list of permissions requested by the app.

The app also requests access to the user's contact list.

text message

When the user attempts to open the app, they are asked to connect to the internet.

They then receive an "oops" message and are asked to connect again.

A message then appears saying the app was deleted from the device.


However, in reality, the app is still there and running in the background.

]Ir and onesignal[.]com.

When we scanned the apk file on VirusTotal, only six antivirus services flagged it.


(A recent rescan showed that now 23 engines detect it as a virus.)

Specifically, we found that the PHP page http://elicharge[.]Ir/mp20ibest[.]php is suspicious.


As you can see, when we scanned this file, only Avira identified it as malicious.

]Net

Using Whois, we traced the email address of the person who registered the domain name: apd_1379@yahoo.com.

We found five more domains associated with this email address, including elipay[.]net and hamzad[.]net (which is most likely connected to the server hamzadserver[.]net).

An additional domain was registered using the email address apd_1379@yahoo.com.

the receivers and services

We don't know exactly who is sending out these text messages.

However, we do know that this malware is very sophisticated.

In recent months we have identified an increase in Iranian social engineering campaigns.

