Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

SMS Trojan Uses Image Recognition Service to Solve CAPTCHAs

A new Android Trojan spotted by researchers at Kaspersky Lab uses some clever techniques to silently subscribe victims to premium services.

The threat, detected by Kaspersky as Trojan-SMS.AndroidOS.Podec, is still under development, but it’s already capable of carrying out a wide range of tasks.

A new Android Trojan spotted by researchers at Kaspersky Lab uses some clever techniques to silently subscribe victims to premium services.

The threat, detected by Kaspersky as Trojan-SMS.AndroidOS.Podec, is still under development, but it’s already capable of carrying out a wide range of tasks.

Cybercrooks can use the malware to send SMS messages, set a filter on incoming messages and calls, display ads, delete messages and call records, upload the HTML source code of specified webpages to a remote server, perform DDoS attacks, make outgoing calls, subscribe the victim to paid content, delete apps, and export incoming messages based on instructions received from the command and control (C&C) server.

The Trojan is capable of signing up victims to premium services that use both the pseudo-subscription and MT subscription models. In the case of pseudo-subscription, users must send an SMS message for payment each time they want to access the service. In the case of MT subscription, users enter a validation code received via SMS on a website to show that they accept terms and conditions. Once this is done, they will be charged on a regular basis.

For example, one of the services used by Podec is called RuMaximum, which allows internauts to take personality and other tests online.

Users are first required to fill out an online form. Once the page is submitted, they are asked to enter their phone number in order to get the test results. The website sends a verification code to the provided phone number, and the user must enter the code and solve a CAPTCHA in order to see the results.

The malware uses a GET request to fill out the online form. Then, it enters the victim’s phone number, intercepts the SMS containing the validation code, and enters the code on the website. As for the CAPTCHA, the malware leverages an online image-to-text decoding service called Antigate.

Antigate doesn’t use sophisticated algorithms to solve the CAPTCHAs. Instead, it employs people from all over the world to complete the task. According to the company’s website, most workers are based in India, but the list of countries also includes Pakistan, Vietnam, Ukraine, Indonesia, Russia, the United States, China, Japan, and the Philippines. The service offers to decode CAPTCHAs for as little as $0.7 per 1,000 images, with an average decoding speed of 15 seconds.

Advertisement. Scroll to continue reading.

Podec uses Antigate’s API to send the CAPTCHA images and then waits for the result.

Another interesting aspect of this Trojan is that it’s capable of bypassing the Advice of Charge feature, which provides the user with information on any applicable charges before he/she subscribes to a service.

The Trojan’s DDoS capabilities are likely not designed for disrupting Web services. Instead, they help cybercrooks ramp up website visitor counters, and generate a profit from advertising and affiliate programs, Kaspersky said.

To prevent users and security solutions from removing it, the Trojan requests device administrator privileges when first launched. The request is displayed on the screen until the victim accepts.

According to researchers, there is indication that future versions of the threat will include a payload designed to exploit super-user privileges.

In order to prevent researchers from analyzing the Trojan’s source code, its authors have obfuscated the code, introduced some “garbage” classes, and leveraged an expensive code protector application.

The Podec Trojan is distributed through the Russian social network Vkontakte and several other websites with names such as Apk-downlad3(dot)ru and minergamevip(dot)com. The malware is usually disguised as cracked versions of Android games and applications.

The design and management of the Vkontakte groups that advertise the malicious games and apps suggest that blackhat SEO (search engine optimization) specialists are involved in the distribution of the malware, Kaspersky said.

The security firm has detected more than 4,000 Podec infections, most of which are in Russia. Infected devices have also been spotted in Kazakhstan, Ukraine, Belarus, and Kyrgyzstan.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.