Security Experts:

Connect with us

Hi, what are you looking for?



CAPCHA-bypassing Android Malware Surfaces on Google Play

Malware in Google Play Subscribes Users to Premium Services

Malware in Google Play Subscribes Users to Premium Services

New Android malware has been discovered in a series of Android applications and games in Google Play, capable of covertly subscribing users to premium-rate services, a recent report from Bitdefender reveals.

The security firm identified the new malware as Android.Trojan.MKero.A, described as a sophisticated CAPCHA-bypassing Android app spotted for the first time in late 2014 in programs distributed via third-party marketplaces or social networks in Eastern Europe, when it was using a highly advanced packer that led to its detection.

This is the first occurrence of the malware in the Google Play app store, as its builders have discovered new ways of to bypass Google Bouncer, Google’s vetting system, and to pack it into legitimate applications. Google has been notified of the existence of these applications in the marketplace.

Bitdefender notes that two of the infected applications have between 100,000 and 500,000 installs each and that the financial losses could amount to $250,000 or more, if each victim has been subscribed to at least one premium service. 

The Trojan has the ability to bypass CAPCHA authentication systems through redirecting requests to an online image-to-text recognition service called The online service relies on actual individuals to recognize the CAPPCHA images and requests are returned to the malware almost immediately, allowing it to proceed with the covert subscription process.

The Trojan receives the configuration settings of the desired subscription services from a Command and Control (C&C) infrastructure, which is also used to relay received SMS messages, Bitdefender said. The malware’s developers use obfuscation tools to hide classes, functions and C&C servers from where the commands and instructions are received.

According to Bitdefender’s researchers, 29 randomly generated C&C servers names have been found after analyzing seven malware-harboring applications. The Trojan automatically tries to connect to the next server in the list if one is taken down.

One developer, “Like Gaming,” has published multiple malicious applications, though certain versions of its products do not include the Trojan. Other infected products include: com.irontubegames.tower3d Version: 8 1.0.8; com.likegaming.rd Version: 3 1.3 and Version: 5 1.5; com.likegaming.gtascs Version: 1 1.0; com.likegaming.rcdtwo Version: 4 1.3, Version: 7 1.6, and Version: 5 1.4; com.likegaming.rcd Version: 10 1.8, Version: 6 1.4, Version: 7 1.5, Version: 8 1.6, and Version: 9 1.7; com.likegaming.ror Version: 9 and Version: 10; and com.uberspot.a2048mk Version: 1.96.

Due to the fact that the malware’s capabilities allow it to operate completely silent on the infected Android device, users are unlikely to discover and remove it.

Some of the infected games required permissions that are unusual for this type of apps: read sensitive log data, edit text messages (SMS or MMS), modify system settings, run at startup, full network access, or change network connectivity. A closer look at these permissions when installing an app keep users safe from installing a malicious program.

Written By

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack