Android.Circle ad trojan and clicker has been installed more than 700,000 times

Andra Smith
Last updated: 13 October

Doctor Web experts have identified a multifunctional Android bot in the Google Play catalog which its operators control using scripts for the BeanShell Java interpreter. The malware combines the functionality of an advertising Trojan and a clicker, and can also be used to conduct phishing attacks.

The Trojan was named Android.Circle.1 and was distributed mainly under the guise of image collections, horoscope programs, online dating applications, photo editors, games and system utilities (examples can be seen below). Specialists discovered 18 modifications of it, with a total of more than 700,000 installations.

At present all of them have been removed from Google Play, and the domains of the malware's command-and-control servers have been taken out of delegation.

Outwardly the applications were harmless and performed the functions declared in their descriptions, so users had no reason to suspect a threat. In addition, some of them impersonated an important system component after installation, which gave them additional protection against removal.

Android.Circle.1 was a bot that performed various actions on command from the attackers. The bot's functions were implemented through the open-source BeanShell library embedded in the Trojan. BeanShell is a Java code interpreter with a Java-like scripting language that allows code to be executed on the fly. When launched, the malicious program connects to the control server, sends it information about the infected device, and waits for tasks to arrive.

The malware received tasks through the Firebase service. The Trojan saved them in a configuration file and extracted from it the BeanShell scripts containing the commands, which it then executed. Doctor Web analysts recorded the following tasks:

  • remove the Trojan application icon from the software list in the main screen menu;
  • remove the Trojan application icon and load the link specified in the command in a web browser;
  • perform a click on the loaded site;
  • show a banner ad.

Thus, the main purpose of this malware is to display ads and load various sites on which the Trojan imitates user actions. For example, it can follow links on sites and click on advertising banners or other interactive elements (that is, it acts as a clicker). Examples of advertisements are given below.

However, this is only part of the functionality available to the malware. In fact, the Trojan can load and execute arbitrary code, limited only by the system permissions granted to the application it is built into. For example, if the server issues the appropriate command, the malware can load a fraudulent or malicious site in a WebView to conduct a phishing attack. Moreover, the execution of third-party code by applications hosted on Google Play is a direct violation of the store's rules.

The researchers write that Android.Circle.1 was created using the Multiple APKs mechanism. It allows developers to prepare and host several versions of a single program on Google Play to support various device models and processor architectures. Thanks to this mechanism the size of the APK files is reduced, since each contains only the components needed to work on a particular device. Resource files, as well as application modules and libraries, can be placed in separate APK files (the so-called Split APKs mechanism) that may or may not be present depending on the target device. Such auxiliary APK files are installed automatically together with the main program package and are treated by the operating system as a single application.

Some of the malware's malicious functions were moved into a native library located in one of these auxiliary APKs. As a result, Multiple APKs effectively becomes a self-defense mechanism for the Trojan: if information security specialists obtain only the main Android.Circle.1 package without the rest of the APK files (which hold the components necessary for analysis), studying the malicious application may be significantly harder or even impossible.
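To avoid the blind spot described above, an analyst should collect every APK that `adb shell pm path <package>` lists for the app (base.apk plus all split_*.apk) and check each one for executable content. The following triage script is an added example, not code from Doctor Web or from the article; it works on constructed in-memory zips standing in for a pulled base + split set, and flags which splits carry DEX files or native libraries and whether any DEX references the BeanShell interpreter class (bsh.Interpreter).

```python
import io
import zipfile

# Descriptor of BeanShell's entry-point class (bsh.Interpreter) as it appears in a DEX file.
BEANSHELL_DESCRIPTOR = b"Lbsh/Interpreter;"

def triage_apk(data: bytes) -> dict:
    """Inspect one APK (base or split) from its raw bytes: its DEX files, whether any
    of them references the BeanShell interpreter, and the native libraries it ships."""
    findings = {"dex": [], "beanshell": False, "native_libs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                findings["dex"].append(name)
                if BEANSHELL_DESCRIPTOR in z.read(name):
                    findings["beanshell"] = True
            elif name.startswith("lib/") and name.endswith(".so"):
                findings["native_libs"].append(name)
    return findings

def triage_package(apks: dict) -> dict:
    """apks maps each file name to its bytes, one entry per path printed by
    `adb shell pm path <package>` (base.apk plus every split_*.apk)."""
    return {name: triage_apk(data) for name, data in apks.items()}

def splits_with_code(report: dict) -> list:
    """Names of non-base APKs that carry executable content (DEX or native libs);
    if any are listed, analysing base.apk alone misses part of the program."""
    return sorted(name for name, f in report.items()
                  if name != "base.apk" and (f["dex"] or f["native_libs"]))

def _make_apk(entries: dict) -> bytes:
    """Build a minimal zip standing in for an APK (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()

# Constructed stand-in for a pulled base + split set; not real Android.Circle.1 files.
SAMPLE_PACKAGE = {
    "base.apk": _make_apk({"AndroidManifest.xml": b"<constructed/>",
                           "classes.dex": b"dex\n035\x00" + BEANSHELL_DESCRIPTOR}),
    "split_config.arm64_v8a.apk": _make_apk({"lib/arm64-v8a/libhelper.so": b"\x7fELF"}),
    "split_config.xxhdpi.apk": _make_apk({"res/drawable-xxhdpi/icon.png": b"\x89PNG"}),
}

if __name__ == "__main__":
    report = triage_package(SAMPLE_PACKAGE)
    print(report)
    print("code outside base.apk:", splits_with_code(report))
```

On a real device, `adb pull` each listed path into a directory and read the files into the dict before calling `triage_package`.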

In addition, in a potential targeted attack the attackers could prepare many clean versions of the program and introduce the Trojan into only one or a few of them. The trojanized modifications would be installed only on certain device models, while for other users the application would remain harmless, which further reduces the likelihood of timely detection.

Although all detected modifications of the Trojan have now been removed from Google Play, experts warn that the attackers can upload new versions of the malware to the store, so owners of Android devices should be cautious when installing unknown applications.

Andra Smith October 13, 2022 October 7, 2022