Verified Play Store apps found to be spreading MKero malware

The developers altered their apps' packing to successfully pass through Google's vetting system
The developers altered their apps' packing to successfully pass through Google's vetting system

Downloaded by hundreds of thousands of Android users and hidden inside Google's legitimate Play Store are at least seven apps laced with a CAPTCHA-evading malware that, Bitdefender warns, is defrauding its victims.

Although initially identified in 2014, the MKero malware, as the security company calls it, moved over to the Play Store relatively recently and was still present as of a blog post published Tuesday.

The developers altered their apps' packing to successfully pass through Google's app store vetting system, known as Google Bouncer, said Liviu Arsene, senior e-threat analyst at Bitdefender, in an interview with SCMagazine.com.

Noting that the automated system is based off certain rules, Arsene said this malware's creators likely figured out what Google Bouncer looks for in acceptable applications.

Furthermore, these developers have had the malware present in some of their apps for at least five iterations without Google flagging them.

“The developer kept submitting code to [Google Bouncer] and it wasn't picked up,” Arsene said, adding that all the malicious activity is preserved and obfuscated in the apps' code. Once in the store, the developer just continued pushing updates.

The malware works by kicking into action after a user downloads a seemingly benign gaming app. Once installed with the app, the malware pulls up a premium SMS subscription service website that contains a CAPTCHA. At this point, the malware extracts the CAPTCHA image and sends it over to Antigate, a company that promises real-time translation and verification of CAPTCHA images.

After receiving the verification back, the malware enters it on the subscription website and effectively signs the victim up for the service. Typically, these subscriptions cost about 50 cents per month, Arsene noted.

While that might not sound like much, the amount often goes undetected on bills, and when an app has hundreds of thousands of installs, as at least two do, the payoff makes it worthwhile for the perpetrators. With 500,000 installs, for instance, the attackers rake in $250,000 per month by operating on a referral bonus of sorts from the subscription provider.

Of course, the victim never receives these premium text notifications because the malware, operating with administrator privileges, blocks notifications from the services.

The application does request this permission before being downloaded, however, so Arsene reiterated the importance of reading through the permission page.

“Definitely always go through permissions,” he said. “It doesn't matter if you download through Google Play.”

He went on to say that beyond malware, permissions can indicate invasions of privacy, as well.

Bitdefender said at least one developer, Like Gaming, published more than one of the malicious apps, but stopped including the malware in certain versions.