Added to the Dr.Web virus database: 2019-08-09

Virus description added:

Android.Click.312.origin is a trojan module that developers can embed in Android applications. It was first found in software distributed on Google Play. To avoid raising suspicion, the module becomes active only 8 hours after an application containing it is launched.

Other modifications of this trojan are also known, such as Android.Click.313.origin.

After startup, Android.Click.312.origin connects to the command and control server at https://alb.bear****.com/service/find?token=, and sends it a POST request with the following information about the mobile device:

  • manufacturer and model;
  • operating system version;
  • user’s country of residence and the default system language;
  • User-Agent identifier;
  • mobile carrier;
  • Internet connection type;
  • display parameters;
  • time zone;
  • data on the application containing the trojan.

In response, the trojan receives its settings. An example is shown below:

{
  "da": [
    {
      "eb_167": {
        "fa": 4133,
        "fb": 5005,
        "fc": [
          {
            "ga": 4449,
            "aa": "",
            "ab": "",
            "ac": "1",
            "ad": "1",
            "ae": "1",
            "af": "1",
            "ag": "1",
            "ah": "1",
            "ba": "EwQGCBIVBBMzBAIECBcEEw==", // "registerReceiver"
            "bc": "EQACCgAGBA==", // "package"
            "bd": "EwQGCBIVBBMiDg8VBA8VLgMSBBMXBBM=", // "registerContentObserver"
            "be": "Ag4PFQQPFVtOTgUOFg8NDgAFEg==", // "content://downloads"
            "bf": "EBQEExg=", // "query"
            "bi": "AA8FEw4IBU8PBBVPNBMI", // ""
            "bv": "Ag4MTwAPBRMOCAVPFwQPBQgPBk8oLzI1IC0tPjMkJyQzMyQz", //
            "bu": "EgQPBSMTDgAFAgASFQ==", // "sendBroadcast"
            "bk": "AA8FEw4IBU8CDg8VBA8VTygPFQQPFScIDRUEEw==", // "android.content.IntentFilter"
            "bl": "AA8FEw4IBU8CDg8VBA8VTyIODxUEGRU=", // "android.content.Context"
            "bm": "AAUFIAIVCA4P", // "addAction"
            "bn": "AAUFJQAVADICCQQMBA==", // "addDataScheme"
            "bo": "AA8FEw4IBU8CDg8VBA8VTygPFQQPFQ==", // "android.content.Intent"
            "bp": "EgQVIAIVCA4P", // "setAction"
            "bq": "EgQVMQACCgAGBA==", // "setPackage"
            "br": "EgQVJw0ABhI=", // "setFlags"
            "bs": "ERQVJBkVEwA=", // "putExtra"
            "bt": "EwQHBBMTBBM=", // "referrer"
            "wa": "1",
            "ccl": "41C2B18562FD214249F03464D37649C7", // "20"
            "bw": "D7F2C05AB2907B2C482619385C680FA73821062F2A2B55F36650478C6CA74F68", //
            "bx": "B6AEAB1DECBFF6A631E3D801E5D0D1E9D700630581E1DA2E7CB145C4CF0D6296", //
            "by": "685016505AA49714487A44282E5E7F0F", // "getData"
            "bz": "DF52208D68AA2DA7EC3ED2071CC2D5FF5809F7419409F3DA6B135E829B8D748C", //
            "cca": "09BC5F0AC4B69BC951614AC6B5C9B22A", // "getPathSegments"
            "ccb": "5DF882205437BB8B994E3BA129EC4643BAFB835F72C85714E5A8EE859ABDEABC", //
            "ccc": "DF1FF1B64CF8D85CB878B425DC302D4290CE6A7FB993F4DEE7570F8B4C4D416A", //
            "ccd": "64E9CFE7A1BB7433868B1894A10627C44A51E307ECEB3BD64B4C95B17E8CE182", //
            "cce": "05C1DA5A31206511F814ED050F5093A3", // "getColumnCount"
            "ccf": "FDFC66B16AE1B2CCAE559A8A8A154A43", // "getString"
            "ccg": "083CA19C22F977BBDA934BC0CE405347CD8597846A883708696EA171C27A3684", //
            "cch": "E5FC801DE5B47F1E30E186AB1B341E624078658D4ECDF881606C578BC31771F3", //
            "cci": "DB394C3B23DA2B87506E0EE2284039D7", // "packageName"
            "ccj": "31D99ECD8BA695CDD77708777758651D", // "9"
            "cck": "870B6D3167238D14F962D0E974363436" // "15"
          }
        ]
      },
      "eb_89": {
        "fc": []
      },
      "ea": "Bear_data_2.3.8"
    }
  ],
  "db": {
    "ha": 1,
    "hb": "Oj49Pzw+Pz09ODkyOQ==",
    "hc": 0,
    "hd": 600,
    "he": 100,
    "hf": "RU",
    "hg": 0
  }
}

Some functions of the malicious app are implemented using reflection. The names of classes and methods, as well as the parameters for them, are specified in the settings the trojan receives. The parameters are used, among other things, to register a receiver of broadcast messages (BroadcastReceiver) and a content observer (ContentObserver), which Android.Click.312.origin uses to monitor the installation and updates of programs.
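The Base64 values in the config example carry their decoded form in the trailing comments, which is enough for an analyst to recover the encoding. The sketch below is an added example, not Doctor Web's or the trojan's code: it assumes a single-byte XOR applied before Base64 (an assumption it verifies against four pairs copied from the config) and then decodes the `bi` and `bv` entries, whose comments are blank. All function names are hypothetical.

```python
import base64

# Encoded value -> decoded comment, copied from the config example on this page.
KNOWN_PAIRS = {
    "EBQEExg=": "query",
    "EQACCgAGBA==": "package",
    "EgQPBSMTDgAFAgASFQ==": "sendBroadcast",
    "EgQVMQACCgAGBA==": "setPackage",
}

# Entries whose decoded comment is blank in the config example.
UNLABELLED = {
    "bi": "AA8FEw4IBU8PBBVPNBMI",
    "bv": "Ag4MTwAPBRMOCAVPFwQPBQgPBk8oLzI1IC0tPjMkJyQzMyQz",
}


def recover_key(pairs):
    """Return the one XOR byte that maps every encoded value to its plaintext.

    Assumption (not stated on the page): value = base64(plaintext XOR key).
    Raises ValueError if the known pairs do not agree on a single key byte.
    """
    candidates = set()
    for encoded, plain in pairs.items():
        raw = base64.b64decode(encoded, validate=True)
        expected = plain.encode("ascii")
        if len(raw) != len(expected):
            raise ValueError(f"length mismatch for {plain!r}")
        candidates.update(r ^ p for r, p in zip(raw, expected))
    if len(candidates) != 1:
        raise ValueError(f"pairs disagree on the key: {sorted(candidates)}")
    return candidates.pop()


def decode(encoded, key):
    """Base64-decode a config value and strip the single-byte XOR."""
    raw = base64.b64decode(encoded, validate=True)
    return bytes(b ^ key for b in raw).decode("ascii")


def decode_unlabelled():
    """Decode the blank-comment entries with the key recovered from KNOWN_PAIRS."""
    key = recover_key(KNOWN_PAIRS)
    return {name: decode(value, key) for name, value in UNLABELLED.items()}


if __name__ == "__main__":
    print(f"key byte: {recover_key(KNOWN_PAIRS):#04x}")
    for name, text in decode_unlabelled().items():
        print(f'"{name}" -> {text}')
```

The hexadecimal values (`ccl`, `bw` and the rest) use a different encoding and are not handled here.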

The snippet of the trojan’s code that registers BroadcastReceiver and ContentObserver:

public static void registerReceiver(Context context, String registerReceiverString, String dataScheme,
        String action, BroadcastReceiver broadcastReceiver) {
    try {
        if(!TextUtils.isEmpty(registerReceiverString) && !TextUtils.isEmpty(dataScheme) &&
                !TextUtils.isEmpty(action) && broadcastReceiver != null) {
            // Class and method names come from the server-supplied config, not from the APK
            Config config = BearConfig.getInstance().getConfig();
            Class contextClass = Class.forName(config.getContextClassName());
            Class broadcastReceiverClass = Class.forName(config.getBroadcastReceiverClassName());
            Class intentFilterClass = Class.forName(config.getIntentReceiverClassName());
            Method registerReceiverMethod = ReflectionUtils.getMethod(contextClass, registerReceiverString,
                    new Class[]{broadcastReceiverClass, intentFilterClass});
            // Build the IntentFilter reflectively: addAction(action), addDataScheme(dataScheme)
            Object intentFilter = intentFilterClass.newInstance();
            Method addActionMethod = ReflectionUtils.getMethod(intentFilterClass,
                    config.getAddActionMethodName(), new Class[]{String.class});
            if(addActionMethod != null) {
                addActionMethod.invoke(intentFilter, action);
            }
            Method addDataSchemeMethod = ReflectionUtils.getMethod(intentFilterClass,
                    config.getAddDataSchemeMethodName(), new Class[]{String.class});
            if(addDataSchemeMethod != null) {
                addDataSchemeMethod.invoke(intentFilter, dataScheme);
            }
            // Equivalent to context.registerReceiver(broadcastReceiver, intentFilter)
            if(registerReceiverMethod != null) {
                registerReceiverMethod.invoke(context, broadcastReceiver, intentFilter);
            }
        }
    }
    catch(Exception unused_ex) {
    }
}

public static void registerContentObserver(Context context, String uri, String registerContentObserverString,
        ContentObserver contentObserver) {
    try {
        if(!TextUtils.isEmpty(uri) && !TextUtils.isEmpty(registerContentObserverString) &&
                contentObserver != null) {
            Config config = BearConfig.getInstance().getConfig();
            Method registerContentObserverMethod =
                    /* fragment missing from the published snippet */
                    registerContentObserverString, new Class[]{Class.forName(config.getUriClassName()), Boolean.TYPE,
                    /* fragment missing from the published snippet */
            // Invoked on the ContentResolver with (Uri, true, contentObserver)
            if(registerContentObserverMethod != null) {
                registerContentObserverMethod.invoke(context.getContentResolver(), Uri.parse(uri),
                        Boolean.valueOf(true), contentObserver);
            }
        }
    }
    catch(Exception unused_ex) {
    }
}

The trojan BroadcastReceiver monitors the installation and updates of applications, while ContentObserver monitors the downloading of APK files by the Play Store client process. Upon detecting one of these events, Android.Click.312.origin calls the server at https://aly.bear****.com/es/apcfg?funid=1 and sends it a POST request with the following data:

  • name of the installed or downloaded software package;
  • application version;
  • MD5 value of the APK file;
  • first installation time;
  • data on the user’s country of residence;
  • system language and the time zone.

In response, the trojan receives tasks with links. At the server’s command, Android.Click.312.origin can follow these links and open them in an invisible WebView. It can also open websites in a browser, as well as open Google Play links.

Applications that were found to contain the trojan:



Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet into safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.


© Doctor Web
2003 — 2022
