- Jan 8, 2011
- 22,361
HOTFORSECURITY.COM - Sophisticated CAPTCHA-Bypassing Malware Found in Google Play, According to Bitdefender Researchers
A sophisticated CAPTCHA-bypassing Android malware has been found harbored in Google Play apps seeking to covertly subscribe thousands of users to premium-rate services.
Identified by Bitdefender as Android.Trojan.MKero.A, the malware was first spotted in late 2014, but was only distributed via third-party marketplaces or local popular social networks in Eastern Europe. One of the most affected countries was Russia.
At the time, Bitdefender was conducting its own research into the malware’s behavior and found that recent versions had stopped using the highly advanced packer – that eased its detection – but still uses obfuscated strings.
Current Capabilities
This is the malware’s first occurrence in the official Google Play store, suggesting its developers found new ways of packing it into seemingly legitimate apps that can bypass Google Bouncer – the Google’s vetting system.
CLICK HERE TO CONTINUE READING
Here’s the list of the malicious apps that at the time of writing have been found in Google Play, along with the MD5 for each version known to have harbored the same malicious behavior:
Implications
Considering the malware has been built with convert capabilities to operate completely silent on the victim’s Android device, user detection and removal is extremely difficult.
Edit: Google are aware of these offending apps.
A sophisticated CAPTCHA-bypassing Android malware has been found harbored in Google Play apps seeking to covertly subscribe thousands of users to premium-rate services.
Identified by Bitdefender as Android.Trojan.MKero.A, the malware was first spotted in late 2014, but was only distributed via third-party marketplaces or local popular social networks in Eastern Europe. One of the most affected countries was Russia.
At the time, Bitdefender was conducting its own research into the malware’s behavior and found that recent versions had stopped using the highly advanced packer – that eased its detection – but still uses obfuscated strings.
Current Capabilities
This is the malware’s first occurrence in the official Google Play store, suggesting its developers found new ways of packing it into seemingly legitimate apps that can bypass Google Bouncer – the Google’s vetting system.
CLICK HERE TO CONTINUE READING
Here’s the list of the malicious apps that at the time of writing have been found in Google Play, along with the MD5 for each version known to have harbored the same malicious behavior:
Code:
irontubegames.tower3d
Version: 8 1.0.8 – MD5: c8455e21d9768d5976fdfe867605a8de
likegaming.rd
Version: 3 1.3 – MD5: e3b1ecb491ecf424358ead583b21d8f6
Version: 5 1.5 392d9472352a1af31acde7cbb26c854e
likegaming.gtascs
Version: 1 1.0 – MD5: 14cdf116704af262174eb0678fd1b368
likegaming.rcdtwo
Version: 4 1.3 – MD5: 869624aeef3a9c848ed4e657dc852fff
Version: 7 1.6 – MD5: 39b84a45e82d547dc967d282d7a7cd1e
Version: 5 1.4 – MD5: 3692d7b6e121d36106f808622cdd52e7
likegaming.rcd
Version: 10 1.8 – MD5: 0460d0a51dcf3e4b16c2303d5c36e0ee
Version: 6 1.4 – MD5: 569c4a7a0309477c7b17fb549b4a956a
Version: 7 1.5 – MD5: f6c0409fffa4a8f5ca6b4f444bae297c
Version: 8 1.6 – MD5: df32f9d5ff0572a8f40d8d9edadb1968
Version: 9 1.7 – MD5: 61f0c2e4eaa49dd49c43f2caef83b1bf
likegaming.ror
Version: 9 1.6.0.3 MD5: 7238fc5f14bdee958c7b41b13d6f3ca8
Version: 10 1.6.0.4 MD5: 69820ddcab4fe0c6ff6a77865abf30b9
uberspot.a2048mk
Version: 19 1.96 – MD5: 72ba0eef80e7abe28ff8ab40ffb301d2Implications
Considering the malware has been built with convert capabilities to operate completely silent on the victim’s Android device, user detection and removal is extremely difficult.
Edit: Google are aware of these offending apps.
Last edited:
