Added to the Dr.Web virus database: 2020-02-19

Virus description added:


Android.Circle.1 is malicious software for the Android operating system that combines an advertisement trojan with clicker functionality. It was originally discovered on Google Play, where it was spread under the guise of harmless applications. The malware is a bot that executes incoming commands. Android.Circle.1 is written in Kotlin and created using the Multiple APKs mechanism, which allows developers to build and upload several modifications of a single app to support multiple device models.

Operating principle

Android.Circle.1 is built into various applications such as wallpaper collections, horoscopes, system tools, picture editing software, games, etc. Upon installation these programs work as advertised. Once launched, the trojan connects to the C2 server, sends information about the infected device and waits for further commands.

Some modifications of the bot pretend to be an important system component, making it difficult for the user to track and delete the trojan. In the apps list of the system menu such modifications are displayed as an app and have a default Android app icon.


Trojan structure

Android.Circle.1 is created using the Multiple APKs mechanism. This allows developers to publish multiple modifications of a single app on Google Play to provide wide support for different device models and CPU architectures. On top of that, the trojan is built with the Split APKs mechanism, which separates the application’s main apk file into several apks hosting various components of the program. After installation, the operating system handles such split files as a whole app.

Part of the Android.Circle.1 functionality is implemented in a native library, which is located in one of these additional apk files.

Receiving and executing commands

The connection to the C2 server is performed over a protected HTTPS channel. In addition, all data sent and received by the trojan is additionally encrypted with the AES algorithm.

The trojan sends the following information about an infected device to the server:

  • packages – the list of installed applications
  • device_vendor – device manufacturer
  • isRooted – root access availability
  • install_referrer – the information about the link used to install the trojan app
  • version_name – constant with the value of “1.0”
  • app_version – constant with the value of “31”
  • google_id – user’s Google services ID
  • device_model – device model
  • device_name – the name of the device
  • push_token – Firebase ID
  • udid – unique ID
  • os_version – OS version
  • sim_provider – mobile network provider

Next, the trojan waits for tasks delivered as Firebase Cloud Messaging (FCM) messages. These messages contain commands in the form of BeanShell scripts.

The bot can perform various tasks, for example:

  • deleting the trojan app’s icon from the apps list on the home screen;
  • deleting the trojan app’s icon and loading the URL in the browser specified in the command;
  • clicking on interactive elements located on the loaded websites;
  • displaying advertisement banners, and
  • other actions the trojan has system permissions to execute.

Upon receiving tasks, Android.Circle.1 saves them into the configuration file prefs.xml as shown in the example below:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<string name="parent_class_name"></string>
<boolean name="ready_to_work" value="true" />
<string name="uuid">95aefbfa-000b-45db-aa0c-e781310074d8</string>
<string name="base_url">https://circle.*****</string>
<string name="library_version">31</string>

where push_data is the task received with the Firebase message, packed into a ZIP file and encoded with Base64.

After decoding the message, the task looks as follows:


where src is the string with the BeanShell script, which is also packed into a ZIP and encoded with Base64. After decoding, the original script with the command to execute looks as follows:

import android.content.ComponentName;
import android.content.pm.PackageManager;  // required for PackageManager below; missing from the extracted text
import org.json.JSONObject;
import android.content.Intent;
import android.content.Context;
import kotlin.jvm.functions.Function0;
import kotlin.Unit;
// Disable the app's launcher component so it disappears from the apps list
PackageManager p = context.getPackageManager();
ComponentName componentName = new ComponentName(context, bus.getParentClass(context));
p.setComponentEnabledSetting(componentName, PackageManager.COMPONENT_ENABLED_STATE_DISABLED,
    PackageManager.DONT_KILL_APP);  // flags argument was cut off on the page; DONT_KILL_APP is the usual value (assumption)
// Report the result to the C2 server through the bot's "bus" helper object
bus.log("string_icon_deleted", "Icon deleted");
// Empty callback handlers expected by the bot's script host
start() {}
urlLoaded() {}
onConsoleMessage(message) {}
browserClicked(url) {}
admobTask() {}
admobLoaded() {}
admobAdError(code) {}
admobAdClosed() {}
deleteIcon() {}
onConsoleMessage(String consoleMessage) {}
newTaskPush() {}

This particular script’s task is to delete the trojan’s icon from the apps list on the home screen of the Android operating system.
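A decoder for the push_data layering described above, added here as an example and not part of the Dr.Web description: it assumes each ZIP archive holds a single entry and that the decoded task is a JSON object whose src field carries the script, and it works on a constructed prefs.xml sample rather than a real capture.

```python
import base64
import io
import json
import xml.etree.ElementTree as ET
import zipfile


def unzip_single(data: bytes) -> bytes:
    """Return the contents of the only entry in an in-memory ZIP archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if len(names) != 1:
            raise ValueError(f"expected one ZIP entry, got {names}")
        return zf.read(names[0])


def unpack_layer(blob: str) -> bytes:
    """One layer as described on the page: Base64 text -> ZIP -> raw payload."""
    return unzip_single(base64.b64decode(blob))


def extract_script(prefs_xml: str):
    """Read push_data from a prefs.xml dump; return (task dict, BeanShell script). Assumed layout."""
    root = ET.fromstring(prefs_xml.encode("utf-8"))
    node = root.find("./string[@name='push_data']")
    if node is None or not node.text:
        raise ValueError("no push_data entry in prefs.xml")
    task = json.loads(unpack_layer(node.text.strip()))
    script = unpack_layer(task["src"]).decode("utf-8")
    return task, script


def pack_layer(payload: bytes, name: str) -> str:
    """Inverse of unpack_layer, used only to build the constructed sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return base64.b64encode(buf.getvalue()).decode("ascii")


# Constructed sample (not a real capture): a one-line script, wrapped twice.
SAMPLE_SCRIPT = 'bus.log("string_icon_deleted", "Icon deleted");\n'
SAMPLE_TASK = {"src": pack_layer(SAMPLE_SCRIPT.encode("utf-8"), "src")}
SAMPLE_PREFS = (
    "<?xml version='1.0' encoding='utf-8' standalone='yes' ?>\n<map>\n"
    "<string name=\"push_data\">"
    + pack_layer(json.dumps(SAMPLE_TASK).encode("utf-8"), "task")
    + "</string>\n</map>\n"
)
```

Running extract_script(SAMPLE_PREFS) returns the task dictionary and the recovered script text; point it at a prefs.xml pulled from a device to recover the delivered command during analysis.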

Upon execution of the task, the trojan notifies the C2 server, sending the report as shown below:

"string_icon_deleted","device_model":"Philips S337","device_name":"Philips

Indicators of compromise

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow the recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount, or you see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet in safe mode (depending on the operating system version and the specifications of the particular mobile device, this procedure can be performed in various ways; consult the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android Light onto the infected handheld and run a full system scan; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
