Security researchers have uncovered a new Android-based malware that bypasses CAPTCHA image-based verification systems and covertly subscribes users to premium-rate services.
In a post published on Securelist, researchers Victor Chebyshev and Nikita Buchka explain how they first came into contact with Trojan-SMS.AndroidOS.Podec last year. They have since intercepted a fully formed version of the Podec Trojan.
The researchers have observed that a number of sources are responsible for distributing the malware. These include the domains Apk-downlad3.ru and minergamevip.com, although it would appear that the servers at the popular Russian social media website VKontakte (VK) are primarily responsible for spreading Podec.
It is unknown how VK’s servers are involved in disseminating the Trojan given the fact that the social media site’s file server system is anonymous.
Even so, the researchers have found that several groups purportedly advertising cracked Android games have been created on VK, and that these groups in fact serve up Podec.
This is not the first instance of attackers using cracked Android application package (APK) files to infect users with malware. Last week, Android Police reported that a number of Google Play Books publishers had been offering fake game guides whose installation instructions lead users to a malicious website.
Ultimately, the purpose of Podec is to extort money from users by subscribing them to premium-rate services, Chebyshev and Buchka explain.
“The updated version [of the Trojan] proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the AoC system,” or the Advice of Charge system that notifies users about a charge.
To complete these subscriptions, Podec also bypasses CAPTCHA image-based verification systems via Antigate.com, an online service that converts images to text.
“The Trojan communicates with Antigate.com via an HTTP API service: a POST request is used to send the image containing a text to be recognized; then, with the help of GET requests, the recognition status is monitored,” the researchers observe.
“The recognized result (if received in reasonable time) is inserted into the links from the ‘actions’ field of the received configuration. Then the links are opened with the help of the loadUrl() function.”
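The relay pattern the researchers describe (one POST carrying the image, a run of GET status polls, then a request to whichever link the solved text was inserted into) is a sequence a defender can look for in per-device HTTP egress. The following detection heuristic is an added example written for this article; it is not code from the Securelist write-up or from Kaspersky Lab. The log format, the field names, the poll window and the sample lines are constructed for the example; only the antigate.com host name comes from the text.

```python
"""
Added example (not from the original article): flag devices whose HTTP egress
shows a CAPTCHA-relay sequence, i.e. a POST to the solving service, at least
min_polls GET requests back to that service, and then a request to some other
host within the window. Log format and sample data are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CAPTCHA_RELAY_HOSTS = {"antigate.com"}   # host named in the article
POLL_WINDOW = timedelta(seconds=120)     # assumed upper bound POST -> action


def parse_line(line):
    # Constructed log format: "<iso-timestamp> <device-id> <METHOD> <host> <path>"
    ts, device, method, host, path = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "device": device,
            "method": method.upper(), "host": host.lower(), "path": path}


def find_relay_sequences(lines, min_polls=2, window=POLL_WINDOW):
    """Return one finding per POST-to-relay that is followed, inside the
    window, by >= min_polls GET polls and then a request to another host."""
    by_device = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if raw:
            ev = parse_line(raw)
            by_device[ev["device"]].append(ev)

    findings = []
    for device, events in by_device.items():
        events.sort(key=lambda e: e["ts"])
        for i, submit in enumerate(events):
            if submit["method"] != "POST" or submit["host"] not in CAPTCHA_RELAY_HOSTS:
                continue
            polls = 0
            for follow in events[i + 1:]:
                if follow["ts"] - submit["ts"] > window:
                    break                       # outside the assumed window
                if follow["host"] in CAPTCHA_RELAY_HOSTS:
                    if follow["method"] == "GET":
                        polls += 1              # status poll to the relay service
                    continue
                if polls >= min_polls:          # first non-relay request after polling
                    findings.append({
                        "device": device,
                        "submitted_at": submit["ts"],
                        "polls": polls,
                        "action_host": follow["host"],
                        "action_at": follow["ts"],
                    })
                    break
    return findings


# Constructed sample log: device-A shows the full relay sequence, device-B
# only ordinary traffic, device-C a single poll (below the threshold).
SAMPLE_LOG = """
2015-03-10T10:00:00 device-A POST antigate.com /submit
2015-03-10T10:00:05 device-A GET antigate.com /status?id=1
2015-03-10T10:00:10 device-A GET antigate.com /status?id=1
2015-03-10T10:00:15 device-A GET antigate.com /status?id=1
2015-03-10T10:00:16 device-A GET premium-sub.example /confirm?code=1234
2015-03-10T10:01:00 device-B GET cdn.example /app/update.json
2015-03-10T10:01:30 device-B GET cdn.example /app/icon.png
2015-03-10T10:05:00 device-C POST antigate.com /submit
2015-03-10T10:05:05 device-C GET antigate.com /status?id=2
2015-03-10T10:05:10 device-C GET cdn.example /app/update.json
""".strip().splitlines()


def demo():
    return find_relay_sequences(SAMPLE_LOG)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['device']}: {f['polls']} polls, then {f['action_host']} at {f['action_at']}")
```

The heuristic keys on the sequence rather than on the relay domain alone, because a single request to a CAPTCHA-solving service is not by itself proof of the behaviour described here; the combination of submit, repeated polling and an immediate follow-on request to a third host is what matches the Trojan's workflow.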
At the same time, Podec uses an “expensive legitimate code protector” to hinder analysis of its code, which appears to still be under development. Even so, the Trojan already has plenty of bite to its name.
“Podec marks a new and dangerous phase in the evolution of mobile malware. It is devious and sophisticated,” said Kaspersky Lab’s non-Intel research group manager Victor Chebyshev. “The social engineering tools used in its distribution, the commercial-grade protector used to conceal the malicious code, and the complicated process of extortion achieved by passing the CAPTCHA test — all lead us to suspect that this Trojan is being developed by a team of Android developers specialising in fraud and illegal monetisation.”
To avoid infection, Android users are encouraged to download applications from Google Play only and avoid installing cracked apps.