Kaspersky discovers CAPTCHA-duping Podec malware

News by Rene Millman

Trojan targets Android devices and fools image verification system into thinking it's human.

IT security firm Kaspersky has divulged details about what it believes is the first malware to successfully outwit the CAPTCHA image recognition system.

Podec uses a technique to convince the CAPTCHA it is a person in a bid to infect thousands of Android users and subscribe them to premium-rate services.

The Trojan was detected late last year and automatically forwards CAPTCHA requests to a real-time online human translation service that converts the image to text.  This convinces the system that the malware is human and waves it through.

The malware also bypasses the Advice on Charge system, which notifies users about the price of a service and requires authorisation before payment. 

According to the security firm, Podec focuses on Android device users primarily through Russia's popular social network, VKontakte, but other sources have also been discovered.

Infection generally occurs through links to supposedly cracked versions of popular computer games, such as Minecraft Pocket Edition. Links appear on group pages and lure victims with free apps and a small file size. Once infected, Podec requests administrator privileges that, when granted, make it impossible to delete or halt the execution of the malware.

The Trojan also deploys techniques to prevent any analysis of its code via obfuscation and an expensive legitimate code protector that makes it difficult to access the source code of the Android application.

"Podec marks a new and dangerous phase in the evolution of mobile malware. It is devious and sophisticated," said Kaspersky Lab's non-Intel research group manager Victor Chebyshev.

"The social engineering tools used in its distribution, the commercial-grade protector used to conceal the malicious code, and the complicated process of extortion achieved by passing the CAPTCHA test -- all lead us to suspect that this Trojan is being developed by a team of Android developers specialising in fraud and illegal monetisation.”

"It is clear that Podec is being further developed, possibly with new targets and goals in mind, and we urge users to be wary of links and offers that sound too good to be true," he added.

Check Point's UK managing director, Keith Bird, said that mobile malware has used ‘man in the middle' exploits to bypass authentication in previous attacks, such as 2012's Eurograbber attack on mobile banking which targeted users with a variant of the Zeus-in-the-mobile (Zitmo) trojan.

“But Podec seems to have been created to spread, infect devices and sign users up to premium-rate services on an industrial scale.  The fact it's spreading on the Russian social networking site, VK.com which has nearly 300 million users, supports this,” said Bird. 

“Businesses need to protect corporate-issued and employees' mobiles with on-device sandboxing to protect and control application and data usage, and consumers need to be careful to download apps and games only from legitimate sources to minimise their risk of infection.”

Ollie Whitehouse, technical director at NCC Group said that as Podec had no inbuilt ability to propagate, users would “need to be convinced to install it via social engineering or other indirect means.”

“It could also be repackaged as a legitimate application. This was the case in the instance outlined by Kaspersky where cracked software was used as the means of propagation,” he told SCMagazineUK.com.

“These types of malicious ‘demonstration' code are often observed and won't mean much in the real-world for mobile security. Mobile device management and software policies restricting what software can be installed on mobile devices is an adequate defence. Also, container technology such as Samsung Knox and BlackBerry Balance can help protect corporate data from such threats,” added Whitehouse.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews