Bitdefender has uncovered CAPTCHA-bypassing Android malware, purposefully left in Google Play apps by unscrupulous developers, with the aim of subscribing thousands of users to premium-rate services.
If each victim is subscribed to at least one premium-rate number that charges a minimum of $0.50 per SMS each month, the total financial losses from this Android-based malware could amount to $250,000.
The Trojan’s sophistication lies in its ability to bypass CAPTCHA authentication systems by redirecting these requests to Antigate.com, an online image-to-text recognition service.
Antigate.com relies on actual people to solve the CAPTCHA images, so the solved text is returned to the malware within seconds, and the subscription service, seeing a correct answer, mistakenly assumes a human is interacting with it. The malware then completes the covert subscription.
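The chain described above (CAPTCHA outsourced to a human-solving service, followed by an SMS to a premium short code) is something a defender can correlate in per-app telemetry. The following is an added example, not Bitdefender's code or any detection they published; the log format, field names and the short-code length range are assumptions, and the log lines are constructed.

```python
# Added example: a simple correlation rule over constructed per-app event
# logs. It flags apps that first contact a human-powered CAPTCHA-solving
# service and then send an SMS to a short code. Log format and field names
# are assumptions for this illustration.
from collections import defaultdict

# antigate.com is the service named in the article; a defender would
# extend this set with other CAPTCHA-solving services they track.
CAPTCHA_SOLVER_DOMAINS = {"antigate.com"}

# Constructed sample events, one per line: "<package> <event type> <target>".
SAMPLE_LOG = """\
com.example.game NET api.example-cdn.net
com.example.game NET antigate.com
com.example.game SMS 1234
com.example.notes NET sync.example.org
com.example.flashlight SMS +15551230000
com.example.flashlight NET antigate.com
"""

def is_short_code(number: str) -> bool:
    """Premium-rate subscriptions are commonly billed via 3-6 digit short codes (assumed range)."""
    return number.isdigit() and 3 <= len(number) <= 6

def flag_covert_subscribers(log_text: str) -> dict:
    """Return {package: [reasons]} for apps that contacted a CAPTCHA-solving
    service and afterwards sent an SMS to a short code."""
    solver_seen = set()            # packages that have reached a solver service
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue               # ignore malformed lines
        pkg, kind, target = parts
        if kind == "NET" and target.lower() in CAPTCHA_SOLVER_DOMAINS:
            solver_seen.add(pkg)
            hits[pkg].append(f"captcha solver contact: {target}")
        elif kind == "SMS" and is_short_code(target) and pkg in solver_seen:
            hits[pkg].append(f"short-code SMS after solver contact: {target}")
    # only report packages that show the full chain (solver contact, then SMS)
    return {pkg: reasons for pkg, reasons in hits.items() if len(reasons) >= 2}
```

In the constructed log only com.example.game is reported; the flashlight app texted a full-length number and did so before reaching the solver, so it does not match the chain.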
Bitdefender, which was already monitoring the malware-like behaviour as part of its own research, found that recent versions had stopped using the highly advanced packer, which eased detection, but still used obfuscated strings.
"Among the Google Play apps that disseminate the trojan, two have between 100,000 and 500,000 installs each, which is a staggering potential victim count," said Catalin Cosoi, Chief Security Strategist at Bitdefender. "Our research confirmed that these have been weaponised for a while, with one app going back at least five iterations and having been regularly updated."
"The malware has been built with covert capabilities to operate silently on the victim's Android device," Catalin Cosoi continued. "A mobile security solution is the only way to identify malicious apps, regardless of where they were downloaded, and stop threats from causing financial harm or personal data loss."
Known as Android.Trojan.MKero.A, the malware was first spotted in late 2014, but was then distributed only via third-party marketplaces or popular local social networks in Eastern Europe. Russia was one of the most affected countries.
At least one developer, Like Gaming, is publishing more than one of these malicious apps; this is the malware's first appearance in the official Google Play store. Developers have found new ways of packing it into seemingly legitimate apps that can bypass Google's vetting system, Google Bouncer.