Hackers Are Infecting Android Devices and Iranians Don’t Even Know It

Amin Sabeti
Sep 2, 2018


The botnet of fraudulent advertising in Iran (Certfa)

Iran is no stranger to the global digital security community. This week, cybersecurity firm FireEye released a report about a network of Iranian accounts and groups on social media platforms attempting to manipulate users and also hack their accounts. Though big stories like this tend to focus on Iranian cyber attacks against Western government interests and infrastructure, these networks of hackers are also causing major trouble for Iranian citizens.

Certfa, a digital security firm focusing on Iranian cyber threats, recently discovered a new range of criminal activities by Iranian hackers, which is costing Iran’s citizens millions of dollars each year. Their latest scheme is PushIran.DL, a malware that allows fraudulent ads to pop up on Android devices, the most popular mobile device used by Iranians. According to Certfa’s investigation, over 1.3 million Android devices are infected with PushIran.DL, although it’s believed that up to 10 million devices may be infected.

PushIran.DL was developed by Raman and Raaz, two registered companies in Iran that have published at least 220 different Android apps. Some of their popular apps include: Super Mario, Smart Antivirus AppLock, My File Management, and XoXo Girl Game. The main money-making feature of PushIran.DL works through Value-Added Services (VAS), a service that provides mobile advertisements among other things to online businesses.

When PushIran.DL developers signed agreements with companies and VAS providers, they added text message-based activation to their apps, which abused the service by obtaining uninformed consent from users or not asking for consent at all. As a result, Iranian users pay daily fees of 2,000 to 4,000 Iranian rials (0.04 to 0.09 US cents) on their monthly mobile phone bills, money that ends up in cyber criminals’ bank accounts.

According to Certfa’s investigation, businesses that have agreements with telecommunication companies receive an approximate sum of 1.17 billion Iranian rials ($25,570) per day through VAS just from ten malicious apps alone.

Apart from making revenue from VAS, developers have been using PushIran.DL to offer the following services to businesses:

- Install Android apps on users’ devices without their permission
- Share targeted notifications based on users’ operator, location, age, gender and device model
- Increase Instagram and Telegram post views by automatically opening Instagram pages or Telegram channels on infected devices
- Display commercial pop-ups to infected devices
- Clickjack to increase the views of different websites, by forcing users to visit websites or load websites in the background of infected devices without user consent
- Redirect users to various web pages including VAS websites

PushIran.DL has been using seven different methods to infect Iranian Android devices. These methods allow hackers to create different networks that can feed back into each other. For example, a developer can send a command to ask its malicious app — which the user has already installed on his/her device — to start downloading another malicious app with its own functionalities.

Given that PushIran.DL has tens of thousands of users, the total number of unwilling installations of these second wave malicious apps on Android markets such as Google Play and Cafe Bazaar — an Iranian app store — can increase rapidly, and on some occasions they have appeared in the top trending section. Consequently, these apps are then able to infect new devices, which allows developers of PushIran.DL to easily distribute new versions of malicious apps at an exponential rate.

But that’s not all. Iranian intelligence services can use these malicious apps to conduct large-scale surveillance operations. This isn’t unprecedented since Iranian intelligence has collaborated in the past with well-known hackers to target dissidents and activists inside and outside the country.

The Iranian intelligence services work above the law, but the developers and companies behind PushIran.DL don’t. Online fraud and holding unauthorised access to users’ data are illegal according to Iranian computer crimes law. Therefore, the patrons of PushIran.DL could be sentenced to up to five years in prison for these offences. Despite Certfa bringing attention to the malware, the Iranian Ministry of Information and Communications Technology and Iran’s Computer Emergency Response Team haven’t addressed the problem.

Though Iranian authorities haven’t taken any action against PushIran.DL or its developers, there are several ways to mitigate the risks posed by this malware. Policymakers and tech companies such as Google should push Google Play to take down these apps. Currently, Google Play is a playground for Iranian hackers, who can freely upload their malicious apps to the online store with little or no ramifications. Similarly, only some anti-virus software companies are able to identify PushIran.DL’s signature. There needs to be a greater push for all companies to update their software to not just identify PushIran.DL, but other Iranian-made malware as well.

It’s also important for civil society and Iranian diaspora media outlets to raise public awareness inside Iran about the threat of malware through traditional and social media. Most victims of these cyber crimes are completely oblivious to the risks posed by malware, and in some cases don’t even realise that their mobile phone is infected.

Now that PushIran.DL’s intentions are known, it’s up to civil society and tech companies to take action before this malware spreads, infecting all Iranian Android devices.

Read CERTFA’s comprehensive report on PushIran.DL.

This article was initially published on Atlantic Council. Amin Sabeti is the founder of Certfa, a digital security team with far-ranging expertise in the resolution of cybersecurity threats in Iran. He is a regular commentator on Persian and English media outlets about internet freedom and digital security in Iran. Follow him on Twitter: @AminSabeti.


