September 9, 2015 By Douglas Bonderud 2 min read

While the Google Play store never garnered the AppStore’s reputation for security, Google Bouncer has evolved to the point where most apps up for sale are both clean and legitimate. According to SecurityWatch, however, a new malware variant is taking the fun out of downloading new applications: Infected apps carrying Android.Trojan.MKero.A have been spotted in the store and now come with the ability to avoid CAPTCHA security measures and launch a concealed subscription service. How do users stay safe?

CAPTCHA Conundrum

Sure, CAPTCHA isn’t perfect, but there’s a lot to recommend about the process since it screens out virtually any automated process trying to cross secure barriers. It’s also simply not worth attackers’ time to develop a code-based solution to replicate human image recognition. As noted by the Security Watch piece, however, it’s absolutely worth their time to leverage services like Antigate.com, which relies on users to recognize the characters in CAPTCHA images and send back the results. Packaged along with Android.Trojan.MKero.A, it’s possible for malicious actors to approve subscription-based SMS services on victims’ phones and start running up the charges; Bitdefener estimated that total financial losses could reach $250,000.

Of course, getting this malware onto phones means getting it into the Google Play store. Security experts still aren’t sure about the exact transport mechanism but speculate that code sophistication has now increased to the point where Bouncer is unable to tell the difference between legitimate offerings and aggressive Trojans. So far, apps that carry this Trojan have been downloaded hundreds of thousands of times. Worse still, they run completely silent on Android phones, meaning users won’t know they’ve been compromised until big bills start piling up.

No Safe Harbor for Google Play

With malware now sneaking into legitimate app stores, users can no longer rely on manufacturer-gated content to ensure safety. Bitdefender recommended running some type of mobile security solution to identify and report malicious apps, SecurityWatch reported. The problem here is tracking down the right service since some of these so-called security apps are actually malware in disguise or so poorly made that users are better off with no protection whatsoever.

Tech Republic recommended rebooting Android devices in Safe Mode if it becomes clear they’ve been compromised. This is easy: Just hold down the power button, select “Reboot to Safe Mode” and all third-party apps will be disabled, allowing users to purge them from the device.

As noted by Forbes, chipmakers like Qualcomm are also looking at ways to help safeguard devices with the new Snapdragon Smart Protect. Users running a Snapdragon processor get the benefit of active protection, which monitors app behavior and reports any suspicious events — for example, if a user’s screen is turned off but an app is trying to send an SMS message. This could be a sign of malicious activity, and the phone will wake and alert the user.

With Google Play no longer a safe harbor for app purchases, users need to take matters into their own hands. This could mean installing third-party protection apps, rebooting in safe mode or upgrading to a new processor with the hope that on-chip defenses will make up for CAPTCHA-cheating crooks.

More from

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

4 ways to bring cybersecurity into your community

4 min read - It’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an organizational responsibility to a global perspective.When every person who uses technology — for work, personal use and school — views cybersecurity as their responsibility, it…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today