New Android Malware ‘MKero’ Packs a Heavy Financial Punch

Security researchers at Bitdefender have revealed a new CAPTCHA-bypassing Android malware, MKero, that malicious developers have embedded in applications on the Google Play store. The malware is designed to get thousands of users to subscribe to premium-rate SMS services, which adds up to a big pot of money.

Security researchers estimate, conservatively, that if each victim signed up for just one premium-rate number, a service that charges $0.5 per SMS per month could amount to gains of up to $250,000 from the malware, reports Net Security.

Bitdefender warns that at least seven Android applications in Google’s Play Store contain the MKero malware. After Google was notified of the malware, the malicious applications, which pretended to be casual games, were removed from the Play Store.

Another Day, another Android Malware – MKero

MKero is a sophisticated, covert Trojan that is particularly clever in its ability to bypass the CAPTCHA authentication system. The malware does the ingenious trick of redirecting CAPTCHA requests to a convenient online image-to-text recognition website.

It has to be noted that the service uses real people to recognize CAPTCHA images, so the deciphered CAPTCHA is returned to the malware in seconds thanks to the human touch.

When the loop is complete, the malware immediately processes the faux subscription, charging for it.

Bitdefender, while monitoring malware-like behavior among applications in Google’s Play Store, noted that recent versions of the malware had stopped using the sophisticated packer but still used obfuscated strings.

Catalin Cosoi, the chief security strategist at Bitdefender, elaborates on the findings:

“Among the Google Play apps that disseminate the Trojan, two have between 100,000 and 500,000 installs each, which is a staggering potential victim count. Our research confirmed that these have been weaponised for a while, with one app going back at least five iterations and having been regularly updated.”

Officially code-named Android.Trojan.MKero.A, the malware was initially spotted near the end of 2014. At the time, it was only distributed via underground malware marketplaces and local social networks in Eastern Europe with Russia among the most affected countries.

“The malware has been built with covert capabilities to operate silently on the victim’s Android device,” added Catalin Cosoi.

A mobile security solution is the only way to identify malicious apps, regardless of where they were downloaded, and stop threats from causing financial harm or personal data loss.

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.