By Leandro Rocha

VpnMentor and ClearSky announced, on 20th March, details of an espionage campaign against Iranian citizens. The malware used in this campaign infects Android users through a fake version of a VPN application called Psiphon.

After protests against the economic instability and censorship of the Iranian government in December 2017, Hassan Rouhani’s government, in an attempt to prevent protesters from organizing and amplifying the protests, restricted the use of the Internet in the country by blocking popular websites and social media applications like Twitter and Telegram.

Faced with this scenario, many citizens sought new means of access in order to bypass the restrictions imposed by the government; one of the alternatives found was the Psiphon application, open-source software that, through a VPN (Virtual Private Network), allowed access to blocked and censored sites and services.

During the protests that occurred in December, the developer of the Psiphon application, Irv Simpson, said to Motherboard: “(…) Psiphon saw unprecedented app downloads and usage across our network from all platforms in Iran”.

According to Simpson, average downloads across all platforms (Android, Windows, and iOS) were 40,000 per day; during the protests in Iran, this number rose to 70,000 downloads. The developer estimated that, in the same period, the number of users of the application in Iran reached 10 million.

In January of this year, ClearSky received complaints from Iranian citizens who were receiving suspicious text messages offering a VPN application to unlock access to Telegram. After investigating, ClearSky discovered that the application was malicious Android software, called “Ir.ops.breacker”, which used visual characteristics (name and logo) similar to those of the Psiphon VPN application to encourage victims to download the malware.

The message received by the Iranians said: “Hello — download this VPN in order to easily connect to Telegram”. The message also included a link to download the fake application.

Once installed, the malicious software requests permissions for various resources on the victim’s phone, which are used to spy on the user’s activities, establish communication between the malware and its command and control (C&C) server, and spread the malicious application further.

In order to propagate, the malware uses the access granted to the device’s contact list and silently sends text messages with malicious content to all of the user’s contacts.

When the user opens the malicious application for the first time, they receive an error message asking them to close the application and reopen it; when they reopen the app, they receive another error message saying that the app was not installed properly and needs to be reinstalled through the Google Play Store. A third message then informs the user that the application has been deleted from the device; however, the malicious application remains running in the background.
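The behaviour described above (contact-list access plus SMS sending used to spread the app, and background persistence behind a fake "uninstalled" message) can be turned into a simple manifest triage check for VPN-branded apps. This is an added example, not code from the article or from either company; the manifest and package name below are constructed for illustration and are not the real malware's.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for a fake "VPN" app: it requests the contacts and
# SMS permissions that SMS-based self-propagation needs, plus a boot receiver,
# but declares no VpnService. The package name is a placeholder (assumption).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.placeholder.fakevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Psiphon">
        <service android:name=".BackgroundService"/>
    </application>
</manifest>"""

# Permission pair that lets an app text itself to everyone in the address book.
SMISHING_SPREAD = {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"}


def triage_manifest(manifest_xml: str) -> dict:
    """Return declared permissions and findings relevant to a VPN-branded app."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # A genuine Android VPN app exposes a VpnService guarded by BIND_VPN_SERVICE.
    has_vpn_service = any(
        s.get(ANDROID_NS + "permission") == "android.permission.BIND_VPN_SERVICE"
        for s in root.iter("service")
    )
    findings = []
    if SMISHING_SPREAD <= perms:
        findings.append("contacts + SEND_SMS: can spread itself by text message")
    if not has_vpn_service:
        findings.append("no VpnService declared: cannot actually provide a VPN")
    if "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        findings.append("boot receiver: can restart after reboot and persist in background")
    return {"package": root.get("package"), "permissions": sorted(perms), "findings": findings}


if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print("FINDING:", line)
```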

The companies involved in the investigation did not find out who the threat actor responsible for this campaign was; however, they consider the malware very sophisticated.

Currently, 23 antivirus engines detect the malware. At the beginning of the research, though, only six were able to identify it, which reinforces the care that all users must take with messages recommending the installation of applications, even when the name of the application is familiar and the message comes from a trusted source.

For companies, it is crucial to emphasize the importance of user awareness and education against the most diverse types of malicious messages, which, in addition to traditional phishing, include smishing (SMS phishing), the technique used in this espionage campaign.