Android.Circle ad trojan and clicker was installed more than 700,000 times

Information security experts have identified a multifunctional Android bot in the Google Play directory, which attackers control using BeanShell scripts. An adware trojan and clicker called Android.Circle has been installed by users more than 700,000 times.

The Trojan received the name Android.Circle.1 and was mainly distributed under the guise of collections of images, programs with horoscopes, applications for online dating, photo editors, games and system utilities (examples can be seen below). However, we told you that some Android malware could even pretend to be an update for OpenGL ES.

Specialists discovered 18 modifications of Android.Circle, the total number of installations of which exceeded 700,000.

Currently, all of them have already been removed from Google Play, and the domains of control servers of the malware were removed from delegation.

“Outwardly harmless applications performed the functions declared in the description, so users had no reason to suspect a threat in them. In addition, some of them pretended to be important system components after installation, which provided them with additional protection against possible removal”, – say Dr.Web experts.

Android.Circle.1 was a bot that performed various actions on the command of attackers. The bot’s functions were implemented through the Trojan’s open source library BeanShell. It is a Java code interpreter with Java-based scripting language functions, which allows immediate code execution. After launching, the malicious program connects to the management server, transfers information about the infected device to it, and waits for the first tasks.

Malware received tasks through the Firebase service. The trojan saved them in a configuration file and extracted scripts with commands from BeanShell that it then executed. Doctor Web analysts recorded the following tasks:

• remove the Trojan application icon from the software list in the main screen menu;
• remove the Trojan application icon and load the link specified in the command in a web browser;
• click (click) on the downloaded site;
• show banner ad.

Thus, the main purpose of this malware is to display ads and download various sites on which the trojan imitates user actions.

For example, he can follow links on sites, click on advertising banners or other interactive elements (that is, he is a clicker). Examples of advertisements are given below.

However, this is only part of the skills that are available to malware.

“In fact, the trojan can also download and execute any code, being limited only by the available system permissions of the program in which it is built. For example, if the server issues the appropriate command, the malware will be able to download the WebView with a fraudulent or malicious site to conduct a phishing attack. However, the execution of third-party code by applications hosted on Google Play is a direct violation of the catalog rules”, – write the researchers.

Researchers write that Android.Circle.1 was created using the Multiple APKs engine. It allows developers to prepare and host multiple versions of a single program on Google Play to support various device models and processor architectures. Due to this mechanism, the size of apk files is reduced, since they contain only the necessary components for working on a particular device.

At the same time, files with resources, as well as modules and application libraries, can be located in separate apk-files (the so-called split or split mechanism – Split APKs) and may or may not exist at all depending on the target device. Such auxiliary apk-files are automatically installed together with the main program package and are perceived by the operating system as a single whole.

Some of the malicious functions of malware were taken to the native library, which is located in one of such auxiliary apk. Therefore, in fact, Multiple APKs turns into a kind of self-defense mechanism of the Trojan.

“If information security specialists find only the main Android.Circle.1 package, without the rest of the apk-files (with the components necessary for analysis), studying a malicious application can be quite difficult or completely impossible”, – inform information security specialists.

This is not the first tricky trojan that we are talking about, for example, evaluate a malware, the authors of which advertised it on the Internet and openly scoffed at anti-virus developers that they are not able to catch the trojan.

In addition, in case of a potential targeted attack, attackers can prepare many “clean” versions of the program and introduce the trojan into only one or several copies of it. Trojan modifications will be installed only on certain models of the device, and for other users the application will remain harmless, which will also reduce the likelihood of operational threat detection.

Although currently all detected modifications of the trojan have been removed from Google Play, experts warn that attackers can download new versions of the malware into the directory, so owners of Android devices should be careful to install unknown applications.