Security Experts:

CAPCHA-bypassing Android Malware Surfaces on Google Play

Malware in Google Play Subscribes Users to Premium Services

New Android malware has been discovered in a series of Android applications and games in Google Play, capable of covertly subscribing users to premium-rate services, a recent report from Bitdefender reveals.

The security firm identified the new malware as Android.Trojan.MKero.A, described as a sophisticated CAPCHA-bypassing Android app spotted for the first time in late 2014 in programs distributed via third-party marketplaces or social networks in Eastern Europe, when it was using a highly advanced packer that led to its detection.

This is the first occurrence of the malware in the Google Play app store, as its builders have discovered new ways of to bypass Google Bouncer, Google’s vetting system, and to pack it into legitimate applications. Google has been notified of the existence of these applications in the marketplace.

Bitdefender notes that two of the infected applications have between 100,000 and 500,000 installs each and that the financial losses could amount to $250,000 or more, if each victim has been subscribed to at least one premium service. 

The Trojan has the ability to bypass CAPCHA authentication systems through redirecting requests to an online image-to-text recognition service called Antigate.com. The online service relies on actual individuals to recognize the CAPPCHA images and requests are returned to the malware almost immediately, allowing it to proceed with the covert subscription process.

The Trojan receives the configuration settings of the desired subscription services from a Command and Control (C&C) infrastructure, which is also used to relay received SMS messages, Bitdefender said. The malware’s developers use obfuscation tools to hide classes, functions and C&C servers from where the commands and instructions are received.

According to Bitdefender’s researchers, 29 randomly generated C&C servers names have been found after analyzing seven malware-harboring applications. The Trojan automatically tries to connect to the next server in the list if one is taken down.

One developer, “Like Gaming,” has published multiple malicious applications, though certain versions of its products do not include the Trojan. Other infected products include: com.irontubegames.tower3d Version: 8 1.0.8; com.likegaming.rd Version: 3 1.3 and Version: 5 1.5; com.likegaming.gtascs Version: 1 1.0; com.likegaming.rcdtwo Version: 4 1.3, Version: 7 1.6, and Version: 5 1.4; com.likegaming.rcd Version: 10 1.8, Version: 6 1.4, Version: 7 1.5, Version: 8 1.6, and Version: 9 1.7; com.likegaming.ror Version: 9 1.6.0.3 and Version: 10 1.6.0.4; and com.uberspot.a2048mk Version: 1.96.

Due to the fact that the malware’s capabilities allow it to operate completely silent on the infected Android device, users are unlikely to discover and remove it.

Some of the infected games required permissions that are unusual for this type of apps: read sensitive log data, edit text messages (SMS or MMS), modify system settings, run at startup, full network access, or change network connectivity. A closer look at these permissions when installing an app keep users safe from installing a malicious program.

view counter