Released in July Android update (levels 2019-07-01 and 2019-07-05) brought patches for 33 vulnerabilities in…
After start, the malware requests access to several important system permissions that allow it to collect sensitive information and work with the file system. In addition, it is trying to get access to display screen forms on top of the interface of other programs:
In the window of the malicious application, there is a button to “check” for OpenGL ES updates. After clicking it, the Trojan simulates the process of searching for new versions of OpenGL ES, but in fact, of course, it doesn’t perform any checks and only misleads the user.
After the victim closes the application window, the backdoor hides its icon from the main screen and creates a shortcut for its launch. This is done, in order to make it harder for the user to remove the malware, since deleting the shortcut will not affect the malware itself.
The backdoor is constantly active in the background and can be launched not only through an icon or shortcut, but also automatically with the system startup and at by command of attackers via Firebase Cloud Messaging.
The main malicious functionality of the Trojan is hidden in an auxiliary file that is encrypted and stored in the directory with the program resources. It is decrypted and loaded into memory every time it starts. The backdoor communicates with several management servers (http: //wand.gasharo********.com, http: //heal.lanceb********.com), from where it receives commands and where it is sent collected data.
Read also: July patches for Android fixing a number of critical RCE bugs
Malware can perform the following actions:
All data transmitted to the server is encrypted using the AES algorithm. Each request is protected by a unique key. This key is generated basing on the current time. The same key encrypts the server response.
Researchers write that the Trojan is able to install applications in several ways at once:
“As you can see, this backdoor is a serious threat. Not only does it act as spyware, but it can also be used for phishing because it can display windows and notifications with any content. It can also download and install any other malicious application, as well as execute arbitrary code. For example, at the command of attackers, Android.Backdoor.736.origin can download and launch an exploit to obtain root privileges. It will then no longer need the user’s permission to install other programs”, — report Doctor Web specialists.
All data transmitted to the server encrypted using the AES algorithm. A unique key protects each request. These keys generated basing on the current time. The same key encrypts the server response.
Researchers write that the Trojan is able to install applications in several ways at once:
Streamingsafevpn.com is a site that tries to force you into subscribing to its browser notifications…
Psegeevalrat.net is a site that tries to trick you into subscribing to its browser notifications…
Thi-tl-310-a.buzz is a site that tries to force you into clik to its browser notifications…
Toreffirmading.com is a domain that tries to force you into subscribing to its browser notifications…
News-xboveho.site is a domain that tries to force you into subscribing to its browser notifications…
Glayingly.com is a site that tries to trick you into subscribing to its browser notifications…
View Comments
[…] The Trojan received the name Android.Circle.1 and was mainly distributed under the guise of collections of images, programs with horoscopes, applications for online dating, photo editors, games and system utilities (examples can be seen below). However, we told you that some Android malware could even pretend to be an update for OpenGL ES. […]