Android.Circle.1 Trojan on Google Play with 18 modifications

The most trusted source for download on the mobile OS platform , Google Play has now been caught for cataloguing some of the applications that contain trojan – a program that perform some malicious actions on your device without you consent . Cybersecurity analysts from Doctor Web virus have come across some of the applications that contains trojan which is programmed to work as an android bot Android.Circle.1 to perform their malicious tasks .

The multifunctional bot , Andorid.Circle.1 , gains the trust of people by hiding under the name of some harmless applications . These harmless applications are under the category of images, programs with horoscopes, applications for online dating, photo editors, games and system utilities on Google Play which has over 18 modifications and over 700,000 downloads as commented by experts from Doctor Web virus . Android.Circle.1 is programmed in android based Kotlin language and is created using Multiple APK mechanism to support it in a variety of devices. Some examples of applications are as follows :

HOW THIS TROJAN OPERATES ?

The trojan embedded in these applications implements a mechanism and divides the main apk into several apk files as some of the malicious function performed by Android.Circle.1 are taken from the library libnative-lib.so which is located in one of such auxiliary divided APKs but the android OS is not able to recognize these multiple APKs and thus perceives the collection as a single application . Thus , Multiple APK mechanism acts a self defense mechanism for this trojan .

On successfully installing, the trojan communicates with the Control and Commanding ( C&C ) server via secure HTTPS with additionally encrypted AES algorithm. The trojan modifies itself and disguise under a standard android application in the list of installed programs and presented with name com.google.security .

The first task performed by the trojan that it sends the below information to the server :

packages – list of installed applications;
device_vendor – device manufacturer;
sRooted – root access;
install_referrer – information about the link where the application was installed;
version_name – a constant with a value of “1.0”;
app_version – a constant with a value of “31”;
google_id – user identifier in Google services;
device_model – device model;
device_name – device name;
push_token – Firebase identifier;
udid – unique identifier;
os_version – version of the operating system;
sim_provider – mobile operator.

After sending this information , the trojan expects some commands in the form of messages from the Firebase Cloud Messaging Service . The server replies some BeanShell scripts commands and these instructions are saved in prefs.xml configuration file . These BeanShell Scripts are executed with the help of libnative-lib.so open source library built into the trojan which a Java code interpreter and allows to execute Java-based code . Some of the tasks performed by the bot is as follows :

remove the Trojan application icon from the software list in the main screen menu;
remove the Trojan application icon and load the link specified in the command in a web browser;
perform a click (click) on a loaded site;
show banner ad.

Thus from the above tasks , displaying ads and forcing user to fall in the trap of attack , are the main intention of the attacker . Through ads , the attacker will be able to download the some malicious websites for phishing attacks though it is illegal to execute any third party code according terms and conditions of Google Play . The trojan displays ads as :

Despite these basic function , the bot can also load and execute any code based on the instruction that it received from the server but it is restricted by device configuration . There are some of the indicators or some applcations of this trojan network :

com.app.bestwallblack
com.aboutlife.futureviewer
com.horoscopelife.zodiac2020
com.wallypi.pepers
com.daily.astrologyhoro
com.findyou.lifehistory
com.lovs.datter
com.hdwallpaper.beautywalls
com.batterybooster.speedup
com.relationship.horolove
com.wallypi.peperspro
com.imagerepair.cartooneffectpro
com.hdwallpaper.beautywallspro
com.daily.astrologyhoropro
com.imagerepair.cartooneffect
com.bubbleup.gamepop
com.mydatter.loves
com.wallpapershop.livepaper

CONCLUSION

Though all the detected modifications of the Android.Circle.1 have been removed form the Google Play , there are chances that attackers can place new versions to it .

Scan the application with the help of antivirus before installing it .
Do not click on the third party links in the installed apps or enter any sensitive information on that link .
Do not click on the ads displayed in the app .

RSU

RSU is security researcher who is constantly working to make world a secure place to live. He is working day and night in Cyber Security area.

Android.Circle.1 Trojan on Google Play with 18 modifications

HOW THIS TROJAN OPERATES ?

CONCLUSION

Critical Vulnerabilities in Cisco ASA & FTD Exposed! Learn How to Exploit CVE-2024-20353 and CVE-2024-20359

Dual Vulnerabilities in Microsoft SharePoint Server: Essential Steps to Mitigate Vulnerabilities

Exploiting the High-Risk Vulnerabilities in Secure Boot of Most Linux Devices on the Planet

Hackers’ New Target is containerized environments through vulnerabilities in runC

Hacking Android, Linux, macOS, iOS, Windows Devices via Bluetooth using a single vulnerability

Healthcare Hack Horror: Cyberattacks Leave French Hospitals in Chaos for $10 Million

Hacking the Unhackable: The Story of How CISA Was Breached

The Cloudflare Hack: A Hacker, 5000 Credentials, and Operation Code Red

Hijacked Data:LockBit Ransomware Gang Targets Aerospace Giant Boeing

Timeless Targets: After Casio, Seiko Group hacked again by Ransomware gang

Unlocked Doors: The Inside Story of Casio’s Global Data Breach!

Largest soft drink bottle supplier, recycle and plastic manufacturers hacked by ransomware

Google Gemini Under Fire: Critical Security Vulnerabilities You Need to Know to hack Gemini

Cracking SCCM Wide Open: Pentesting System Center Configuration Manager with Misconfiguration Manager

Hacking Windows 10 and 11 with DLL Search Order Hijacking without administrator rights

Hacking SSH Connections by exploiting SSH Protocol Vulnerabilities: Different Terrapin Attack Vectors

Understanding Latest DHCP DNS Vulnerabilities and How DHCP Exploits work in Active Directory

Hacking Bluetooth via MiTM: The BLUFFS Bluetooth attack to hack into Millions of Devices

6 Steps to File Anonymous SEC Complaints Against Data Breachers & Force Them to Pay Fines or Take Action

Inside the Exploit: How Your ChatGPT’s Uploaded Files Could Be Stolen by Prompt Injection Vulnerability

This Google Calendar technique allows to hack into companies without getting detected

This telegram bot is like ChatGPT for scammers to steal money from victims easily

How easy is to bomb someone mobile phone with thousands of SMS messages?

This new DDoS attack prevention technique has a 99% accuracy rate

How to secure Cisco Firepower Threat Defense (FTD) firewalls ?

How to use AWS SSM agent as backdoor and hack into EC2 instances?

New tool FraudGPT allows scamming and easy hacking of victims using AI

The Dark Side of PDFs: How Opening a Simple PDF Could Unleash a Cybersecurity Nightmare

Largest soft drink bottle supplier, recycle and plastic manufacturers hacked by ransomware

Visited thesaurus.com in search for Synonyms? You have Coinminer malware infection

How to send malware via Teams, even “Safe Attachments” or “Safe Links” can’t protect you

2 Big Cloud hosting companies shutdown by ransomware and lose all customer data