A new Android malware that bypasses CAPTCHA systems and gets thousands of unsuspecting users to sign-up for premium SMS services has been uncovered by researchers at Bitdefender.

Bitdefender researchers have revealed a new CAPTCHA-bypassing Android malware that is deliberately left behind by shady developers in Google’s Play Store to get thousands of users signing up for premium-rate services, The Inquirer reports.

Related Article: 17% of Android Apps Are Malware: Study

According to estimates by Bitdefender, if each victim subscribed to one premium-rate service that charges a minimum of $0.5 per SMS every month, the total financial damages due to the malware could quickly add up to $250,000.

The MKero Malware

The ‘MKero’ Trojan malware is particularly sophisticated due to its means to bypass CAPTCHA authentication systems. Bitdefender researchers discovered that the malware redirects CAPTCHA requests to the website – Antigate.com.

Antigate hires real people to recognize and decipher CAPTCHA images, and the results are reverted to the malware within seconds. With the mistaken human interaction, the malware proceeds to sign up for the subscription, completing the loop that charges the fee.

Officially labelled Android.Trojan.Mkero.A, the malware was first spotted in late 2014 but was limited to parts of Eastern Europe, with Russia among the countries most affected. At the time, it was primarily distributed among underground forums and local social networks in the region.

“Among the Google Play apps that disseminate the Trojan, two have between 100,000 and 500,000 installs each, which is a staggering potential victim count,” said Catalin Cosoi, Chief Security Strategist at Bitdefender.

“Our research confirmed that these have been weaponised for a while, with one app going back by at least five iterations and has been regularly updated.”

During their research, Bitdefender noticed that recent versions of the malware had stopped using the ‘highly advanced packer’ that hid the malware during detection but still used ‘obfuscated strings.’

Related Article: Google Will Pay You up to $40,000 to Find Bugs in Android

“The malware has been built with covert capabilities to operate silently on the victim’s Android device,” Catalin Cosoi added.

“A mobile security solution is the only way to identify malicious apps, regardless of where they were downloaded, and stop threats from causing financial harm or personal data loss.”

Google has pulled at least seven malicious malware-ridden applications masquerading as games from the Play Store after being notified of the malware by Bitdefender.