Protégez votre univers

Nos autres ressources

  • — utilitaires gratuits, plugins, widgets
  • — service Internet pour les prestataires de services Dr.Web AV-Desk
  • — l'utilitaire de désinfection réseau Dr.Web CureNet!

Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230


Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230



Added to the Dr.Web virus database: 2019-08-09

Virus description added:

Android.Click.312.origin is a trojan module that can be embedded in Android applications by developers. It was first found in software distributed on Google Play. So as not to raise suspicion, the module starts working only 8 hours after launching in programs containing it.

We also know modifications of this trojan, such as Android.Click.313.origin.

After startup, Android.Click.312.origin connects to the command and control server at https://alb.bear****.com/service/find?token=, and sends it a POST request with the following information about the mobile device:

  • manufacturer and model;
  • operating system version;
  • user’s country of residence and the default system language;
  • User-Agent identifier;
  • mobile carrier;
  • Internet connection type;
  • display parameters;
  • time zone;
  • data on the application containing trojan.

In response, the trojan receives certain settings. See below the example:

"da": [
"eb_167": {
"fa": 4133,
"fb": 5005,
"fc": [
"ga": 4449,
"aa": "",
"ab": "",
"ac": "1",
"ad": "1",
"ae": "1",
"af": "1",
"ag": "1",
"ah": "1",
"ba": "EwQGCBIVBBMzBAIECBcEEw==", // "registerReceiver"
"bc": "EQACCgAGBA==", // "package"
"bd": "EwQGCBIVBBMiDg8VBA8VLgMSBBMXBBM=", // "registerContentObserver"
"be": "Ag4PFQQPFVtOTgUOFg8NDgAFEg==", // "content://downloads"
"bf": "EBQEExg=", // "query"
"bi": "AA8FEw4IBU8PBBVPNBMI", // ""
"bv": "Ag4MTwAPBRMOCAVPFwQPBQgPBk8oLzI1IC0tPjMkJyQzMyQz", //
"bu": "EgQPBSMTDgAFAgASFQ==", // "sendBroadcast"
"bk": "AA8FEw4IBU8CDg8VBA8VTygPFQQPFScIDRUEEw==", // "android.content.IntentFilter"
"bl": "AA8FEw4IBU8CDg8VBA8VTyIODxUEGRU=", // "android.content.Context"
"bm": "AAUFIAIVCA4P", // "addAction"
"bn": "AAUFJQAVADICCQQMBA==", // "addDataScheme"
"bo": "AA8FEw4IBU8CDg8VBA8VTygPFQQPFQ==", // "android.content.Intent"
"bp": "EgQVIAIVCA4P", // "setAction"
Config example
 "bq": "EgQVMQACCgAGBA==", // "setPackage"
"br": "EgQVJw0ABhI=", // "setFlags"
"bs": "ERQVJBkVEwA=", // "putExtra"
"bt": "EwQHBBMTBBM=", // "referrer"
"wa": "1",
"ccl": "41C2B18562FD214249F03464D37649C7", // "20"
"bw": "D7F2C05AB2907B2C482619385C680FA73821062F2A2B55F36650478C6CA74F68", //
"bx": "B6AEAB1DECBFF6A631E3D801E5D0D1E9D700630581E1DA2E7CB145C4CF0D6296", //
"by": "685016505AA49714487A44282E5E7F0F", // "getData"
"bz": "DF52208D68AA2DA7EC3ED2071CC2D5FF5809F7419409F3DA6B135E829B8D748C", //
"cca": "09BC5F0AC4B69BC951614AC6B5C9B22A", // "getPathSegments"
"ccb": "5DF882205437BB8B994E3BA129EC4643BAFB835F72C85714E5A8EE859ABDEABC", //
"ccc": "DF1FF1B64CF8D85CB878B425DC302D4290CE6A7FB993F4DEE7570F8B4C4D416A", //
"ccd": "64E9CFE7A1BB7433868B1894A10627C44A51E307ECEB3BD64B4C95B17E8CE182", //
"cce": "05C1DA5A31206511F814ED050F5093A3", // "getColumnCount"
"ccf": "FDFC66B16AE1B2CCAE559A8A8A154A43", // "getString"
"ccg": "083CA19C22F977BBDA934BC0CE405347CD8597846A883708696EA171C27A3684", //
"cch": "E5FC801DE5B47F1E30E186AB1B341E624078658D4ECDF881606C578BC31771F3", //
"cci": "DB394C3B23DA2B87506E0EE2284039D7", // "packageName"
"ccj": "31D99ECD8BA695CDD77708777758651D", // "9"
"cck": "870B6D3167238D14F962D0E974363436" // "15"
"eb_89": {
"fc": []
"ea": "Bear_data_2.3.8"
"db": {
"ha": 1,
"hb": "Oj49Pzw+Pz09ODkyOQ==",
"hc": 0,
"hd": 600,
"he": 100,
"hf": "RU",
 "hg": 0

Some functions of the malicious app are implemented using reflection. The names of classes and methods, as well as the parameters for them, are specified in the settings the trojan receives. The parameters are used, among other things, to register a receiver of broadcast messages (BroadcastReceiver) and a content observer (ContentObserver), which Android.Click.312.origin uses to monitor the installation and updates of programs.

The snippet of the trojan’s code that registers BroadcastReceiver and ContentObserver:

public static void registerReceiver(Context context, String registerReceiverString, String dataScheme, String
action, BroadcastReceiver broadcastReceiver) {
try {
if(!TextUtils.isEmpty(registerReceiverString) && !TextUtils.isEmpty(dataScheme) &&
!TextUtils.isEmpty(action) && broadcastReceiver != null) {
Config config = BearConfig.getInstance().getConfig();
Class contextClass = Class.forName(config.getContextClassName());
Class broadcastReceiverClass = Class.forName(config.getBroadcastReceiverClassName());
Class intentFilterClass = Class.forName(config.getIntentReceiverClassName());
Method registerReceiverMethod = ReflectionUtils.getMethod(contextClass, registerReceiverString, new
Class[]{broadcastReceiverClass, intentFilterClass});
Object intentFilter = intentFilterClass.newInstance();
Method addActionMethod = ReflectionUtils.getMethod(intentFilterClass,
config.getAddActionMethodName(), new Class[]{String.class});
if(addActionMethod != null) {
addActionMethod.invoke(intentFilter, action);
Method addDataSchemeMethod = ReflectionUtils.getMethod(intentFilterClass,
config.getAddDataSchemeMethodName(), new Class[]{String.class});
if(addDataSchemeMethod != null) {
addDataSchemeMethod.invoke(intentFilter, dataScheme);
if(registerReceiverMethod != null) {
registerReceiverMethod.invoke(context, broadcastReceiver, intentFilter);
catch(Exception unused_ex) {
public static void registerContentObserver(Context context, String uri, String registerContentObserverString,
ContentObserver contentObserver) {
try {
if(!TextUtils.isEmpty(uri) && !TextUtils.isEmpty(registerContentObserverString) && contentObserver !=
null) {
Config config = BearConfig.getInstance().getConfig();
Method registerContentObserverMethod =
registerContentObserverString, new Class[]{Class.forName(config.getUriClassName()), Boolean.TYPE,
if(registerContentObserverMethod != null) {
registerContentObserverMethod.invoke(context.getContentResolver(), Uri.parse(uri),
Boolean.valueOf(true), contentObserver);
catch(Exception unused_ex) {

The trojan BroadcastReceiver monitors the installation and updates of applications, while ContentObserver monitors the downloading of APK files by the Play Store client process. Upon detecting one of these events, Android.Click.312.origin calls the server at https://aly.bear****.com/es/apcfg?funid=1 and sends it a POST request with the following data:

  • name of the installed or downloaded software package;
  • application version;
  • MD5 value of the APK file;
  • first installation time;
  • data on the user’s country of residence;
  • system language and the time zone.

In response, the trojan receives tasks with links. At the server’s command, Android.Click.312.origin can follow these links and open them in an invisible WebView. It can also open websites in a browser, as well as open Google Play links.

Applications that were found to contain the trojan:

Package name SHA1 Minimal number of downloads
com.a13.gpslock c0ddd6a164905ef6f65ec06ff088a991c01687e9 50,000
com.a13softdev.qrcodereader ea3e521d80730097f2c48dd9f0432749a07b9562 1,000,000 66c75e23ab7169475043cdc120206c06b261349d 10,000,000
com.crics.cricketmazza 1915eb46bd9ee2fe6748deaa0750cee83f72f8e0 1,000,000
com.dictionary.englishurdu 6c1347786aef5beb0060229c043e5c2ab24f1210 5,000,000 b8370356b55b13824eac3f8c0129bc2a00ddaf93 1,000,000 100b7a782cf12c0d08b94b3a8425c972f44f2ddc 100,000
com.galaxyapps.routefinder 4328b4c99dac008e6c509ac1521014faa0dadcc3 5,000,000
com.guruinfomedia.ebook.pdfviewer 0a17c18c49c97cdf558a986037b0e4b0c8592442 100,000
com.guruinfomedia.gps.speedometer 7964ec42624b91280a044024906ce71ec46cc6ea 1,000,000
com.guruinfomedia.gps.speedometerpro eca09c6331129c86e95a64a2f89dce8ad23cfea0 50,000
com.guruinfomedia.notepad.texteditor 88d1c4d118decd4360e6a8abc186965ccc05fe23 1,000,000 c5caf490f8627f510553b9336d62fd28382d22d5 100,000
com.impactobtl.friendstrackerfree 0c7dbdb521efd7354d515e2b24c8f2c61432c4bc 1,000,000
com.impactobtl.whodeletedme 8b901532f3247bdafe84e2d315d900bfe3a91bd6 500,000
com.mapsnavigation.gpsroutefinder.locationtrackers fbe2ac65d1a9c2894821faaff000ea7ac1147cee 1,000,000
com.qibla.compass.prayertimes 034ba8339be985c137108f4064bff4e156817c51 100,000
com.qiblafinder.prayertime.hijricalendar ef8a44cabd1ed8ef37c303c8fc16effb6c28fa5c 1,000,000
com.quranmp3.readquran 9b4a330a6ebe026db5fd13483c1a0a9de4571c89 1,000,000
com.quranmp3ramadan.readquran a870ba7293fc5475b499466a90d9a38a539a645c 500,000
com.ramdantimes.prayertimes.allah b13b296d20f360f8413b49459dc7397799e38763 1,000,000
com.ramdantimes.qibla.prayertimes e74dec8b5ff7d0fa77f21f21fdb49f0e0f3722c7 500,000
com.sdeteam.gsa 4e8112e4e3039e4a8d2479e3acae858deae0c3a1 1,000,000
com.shikh.gurbaniradio.livekirtan 1c69c6cc2714496fb50818b1c46be0ca72086fad 100,000
com.studyapps.mathen 9498a03c48b4802d1e529e42d5dc72a7e2da1593 500,000
com.studyapps.obshestvo 4f2dfe1410b7de8f9301d5c54becfa87d7cdd276 100,000
com.tosi.bombujmanual 8161f174eb43ee98838410e08757dd6dc348b53f 500,000
com.videocutter.mp3converter f9a7b22c2a8c07cf1e878dc625ea60e634486333 1,000,000
com.vpn.powervpn a7dded17f59ad889d949232ee8b5c43d667ca351 1,000,000
liveearthcam.livewebcams.livestreetview 581f505f4a83ad2ff1823dd3477c000788a77829 500,000
qrcode.scanner.qrmaker a53bcd4a4313dee7d6fd226867a005b8549c0227 5,000,000
remove.unwanted.object 22f2690b89e8c1ea0172ced211d3d57f07118bcb 10,000,000
com.ixigo.train.ixitrain 700819680439ce23945f25a20f1be97a1ff7d074 50,000,000

News about the trojan

Recommandations pour le traitement


  1. Si votre appareil mobile fonctionne correctement, veuillez télécharger et installer sur votre appareil mobile le produit antivirus gratuit Dr.Web для Android Light. Lancez un scan complet et suivez les recommandations sur la neutralisation des menaces détectées.
  2. Si l'appareil mobile est bloqué par le Trojan de la famille Android.Locker (un message sur une violation grave de la loi ou une demande de rançon s’affichent sur l'écran de l'appareil mobile), procédez comme suit :
    • démarrez votre Smartphone ou votre tablette en mode sans échec (si vous ne savez pas comment faire, consultez la documentation de l'appareil mobile ou contactez le fabricant) ;
    • puis téléchargez et installez sur votre appareil contaminé le produit antivirus gratuit Dr.Web для Android Light et lancez un scan complet puis suivez les recommandations sur la neutralisation des menaces détectées ;
    • Débranchez votre appareil et rebranchez-le.

En savoir plus sur Dr.Web pour Android

Editeur russe des solutions antivirus Dr.Web

Expérience dans le développement depuis 1992

Les internautes dans plus de 200 pays utilisent Dr.Web

L'antivirus est fourni en tant que service depuis 2007

Support 24/24

© Doctor Web
2003 — 2019

Doctor Web - éditeur russe des solutions antivirus Dr.Web. Doctor Web développe les produits Dr.Web depuis 1992.

333b, Avenue de Colmar, 67100 Strasbourg