Doctor Web experts have identified a multifunctional Android bot in the Google Play directory, which the attackers control using BeanShell Java interpreter scripts. Malvar combines the functionality of an advertising trojan and clicker, and can also be used to conduct phishing attacks.
The Trojan received the name Android.Circle.1 and was mainly distributed under the guise of collections of images, programs with horoscopes, applications for online dating, photo editors, games and system utilities (examples can be seen below). Specialists discovered 18 of its modifications, the total number of installations of which exceeded 700,000.
Currently, all of them have already been removed from Google Play, and the domains of control servers malvari removed from delegation.
Outwardly harmless applications performed the functions declared in the description, so users had no reason to suspect a threat in them. In addition, some of them, after installation, impersonated an important system component, which provided them with additional protection against possible removal.
Android.Circle.1 was a bot that performed various actions on the command of attackers. The bot’s functions were implemented through the Trojan’s open source library BeanShell. It is a Java code interpreter with Java-based scripting language functions and allows you to execute code on the fly. When launched, the malicious program connects to the management server, transfers information about the infected device to it, and waits for jobs to arrive.
Malware received tasks through the Firebase service. The trojan saved them in a configuration file and extracted scripts with commands from BeanShell that it then executed. Doctor Web analysts recorded the following tasks:
- remove the Trojan application icon from the software list in the main screen menu;
- remove the Trojan application icon and load the link specified in the command in a web browser;
- perform a click (click) on a loaded site;
- show banner ad.
Thus, the main purpose of this malvari is to display ads and download various sites on which the trojan imitates user actions. For example, he can follow links on sites, click on advertising banners or other interactive elements (that is, he is a clicker). Examples of advertisements are given below.
However, this is only part of the features that are available to malware. In fact, the trojan can also load and execute any code, being limited only by the available system permissions of the program in which it is built. For example, if the server issues the appropriate command, the malware will be able to download the WebView with a fraudulent or malicious site to conduct a phishing attack. At the same time, the execution of third-party code by applications hosted on Google Play is a direct violation of catalog rules.
Researchers write that Android.Circle.1 was created using the Multiple APKs engine. It allows developers to prepare and host multiple versions of a single program on Google Play to support various device models and processor architectures. Thanks to this mechanism, the size of apk files is reduced, since they contain only the necessary components for working on a particular device. At the same time, files with resources, as well as modules and application libraries, can be located in separate apk-files (the so-called split or split mechanism – Split APKs) and may or may not exist at all depending on the target device. Such auxiliary apk-files are automatically installed together with the main program package and are perceived by the operating system as a whole.
Some of the malicious functions of Malvari were taken to the native library, which is located in one of such auxiliary apk. Therefore, in fact, Multiple APKs turns into a kind of self-defense mechanism of the Trojan. If information security specialists detect only the main Android.Circle.1 package, without the rest of the apk-files (with the components necessary for analysis), studying a malicious application may be significantly difficult or even impossible.
In addition, in the event of a potential targeted attack, attackers can prepare many clean versions of the program and introduce the trojan into only one or several copies of it. Trojan modifications will be installed only on certain device models, and for other users the application will remain harmless, which will also reduce the likelihood of operational threat detection.
Although currently all detected modifications of the trojan have been removed from Google Play, experts warn that attackers can download new versions of the malware into the directory, so owners of Android devices should be careful to install unknown applications.