New Android Malware Steals Secretly via Premium SMS

Malware on smartphones and other mobile devices is something that many of us never give a second thought to until we encounter a serious threat on our own device.

When it comes to mobile device malware, Android devices always come to mind, as smartphones and tablets running the operating system are the most vulnerable. Hackers are taking advantage of the gaping hole with a resurgence of threats like the Android.Trojan.MKero.A malware, which secretly subscribes victims to premium SMS services.

Bitdefender has uncovered CAPTCHA-bypassing Android malware, purposefully left in Google Play apps by unscrupulous developers, with the aim of subscribing thousands of users to premium-rate services.

The Android.Trojan.MKero.A malware was first discovered in 2014 and has since been distributed to users installing Android apps from unverified sources, mostly far outside of the Google Play store’s infrastructure. Such third-party apps come in many different forms and are known for including malware that installs on Android devices.

The Trojan’s sophistication lies in its ability to bypass CAPTCHA authentication systems by redirecting these requests to Antigate.com, an online image-to-text recognition service.

Once the SMS service is subscribed to, the user is unknowingly enrolled in services that eventually reward the hackers behind the scheme with a payday at the expense of the device user’s texting and data plan.

If each victim is subscribed to at least one premium-rate number that charges a minimum of $0.5 per SMS each month, the total financial losses from this Android-based malware could amount to $250,000.

Antigate.com relies on actual individuals to recognize CAPTCHA images, which makes it easy for requests to return to the malware in seconds, because the CAPTCHA system mistakenly thinks there is human interaction. The malware then processes the covert subscription.
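One way a defender could act on this behaviour, as an added example that is not Bitdefender's detection logic or code from the original article: flag devices and apps that look up a CAPTCHA-solving service in DNS logs. The log format, timestamps, device ids and package names are constructed assumptions; only antigate.com comes from the article.

```python
from collections import defaultdict

# Domain named in the article; extend the set with other solving services as needed.
SOLVER_DOMAINS = {"antigate.com"}

# Constructed sample DNS log (assumed format: time, device id, app package, queried name).
SAMPLE_LOG = """\
2015-09-08T10:00:01Z dev-17 com.example.game api.antigate.com
2015-09-08T10:00:04Z dev-17 com.example.game antigate.com.
2015-09-08T10:01:10Z dev-17 com.example.mail imap.example.org
2015-09-08T10:02:33Z dev-22 com.example.news notantigate.com
2015-09-08T10:02:40Z dev-22 com.example.news antigate.com.cdn.example.net
2015-09-08T10:03:00Z dev-31 com.example.puzzle ANTIGATE.COM
malformed line
"""

def is_solver_domain(name, domains=SOLVER_DOMAINS):
    """True if name equals a listed domain or is a subdomain of it."""
    # Normalise case and the trailing root dot before comparing labels.
    name = name.lower().rstrip(".")
    # Match on a label boundary so look-alikes such as notantigate.com
    # or antigate.com.cdn.example.net are not flagged.
    return any(name == d or name.endswith("." + d) for d in domains)

def find_solver_lookups(log_text):
    """Return {(device, app): [timestamps]} for lookups of solver domains."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records rather than guessing
        ts, device, app, qname = fields
        if is_solver_domain(qname):
            hits[(device, app)].append(ts)
    return dict(hits)

if __name__ == "__main__":
    for (device, app), stamps in sorted(find_solver_lookups(SAMPLE_LOG).items()):
        print(f"{device} {app}: {len(stamps)} lookup(s), first at {stamps[0]}")
```

A hit is a lead for triage, not proof of infection: it shows which app on which device contacted the solving service, so that app can be inspected or removed.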

While conducting its own research, Bitdefender was already monitoring malware-like behavior and found that recent versions had stopped using the highly advanced packer, which eased detection, but still used obfuscated strings.

“Among the Google Play apps that disseminate the trojan, two have between 100,000 and 500,000 installs each, which is a staggering potential victim count,” said Catalin Cosoi, Chief Security Strategist at Bitdefender. “Our research confirmed that these have been weaponised for a while, with one app going back by at least five iterations and has been regularly updated.”

“The malware has been built with covert capabilities to operate silently on the victim’s Android device,” Catalin Cosoi continued. “A mobile security solution is the only way to identify malicious apps, regardless of where they were downloaded, and stop threats from causing financial harm or personal data loss.”

The infographic below is a representation from Bitdefender demonstrating the attack timeline process for Android.Trojan.MKero.A conducting its malicious activities over a wide array of specific targets.

At least one developer, Like Gaming, is publishing more than one of these malicious apps, which is the malware’s first occurrence in the official Google Play store. Developers have found new ways of packing it into seemingly legitimate apps that can bypass Google’s vetting system, Google Bouncer.