Security solutions provider Bitdefender has uncovered CAPTCHA-bypassing Android malware, purposefully left in Google Play apps by unscrupulous developers, with the aim of subscribing thousands of users to premium-rate services.

If each victim is subscribed to at least one premium-rate number that charges a minimum $0.5 per SMS each month, the total financial losses from this Android-based malware could amount to $250,000, the equivalent of £160,000, and more.

The Trojan’s sophistication lies in its ability to bypass CAPTCHA authentication systems by redirecting these requests to Antigate.com, an online image-to-text recognition service.

Antigate.com relies on actual individuals to recognise CAPTCHA images, which makes it easy for requests to return to the malware in seconds because it mistakenly thinks there is human interaction. The malware then processes the covert subscription.

When conducting its own research, Bitdefender was already monitoring malware-like behaviour and found that recent versions had stopped using the highly advanced packer – that eased its detection – but still used obfuscated strings.

Catalin Cosoi, chief security strategist at Bitdefender, said: “Among the Google Play apps that disseminate the trojan, two have between 100,000 and 500,000 installs each, which is a staggering potential victim count.

“Our research confirmed that these have been weaponised for a while, with one app going back by at least five iterations and has been regularly updated.

“The malware has been built with covert capabilities to operate silently on the victim’s Android device.

“A mobile security solution is the only way to identify malicious apps, regardless of where they were downloaded, and stop threats from causing financial harm or personal data loss.”

Known as Android.Trojan.MKero.A, the malware was first spotted in late 2014, but was only distributed via third-party marketplaces or local popular social networks in Eastern Europe. Russia was one of the most affected countries.

At least one developer is publishing more than one of these malicious apps, which is the malware’s first occurrence in the official Google Play store.

Developers have found new ways of packing it into seemingly legitimate apps that can bypass Google’s vetting system, Google Bouncer.

Bitdefender has notified Google that these malicious apps exist in Google Play on Android. A mobile security solution is recommended to check if devices are infected with the malware Trojan.

The news comes as London-based app security firm Codified launched a free security health check for businesses amid warnings that 75% of apps could be vulnerable to attacks.

Show Comments