If you think that all the Android apps currently available on the legitimate Google Play Store are reliable and free of malware, you are wrong.
Developers of the MKero malware, which was first identified in 2014, have altered their apps' packing so that they pass through Google Bouncer, the vetting system of the Google Play Store.
MKero is CAPTCHA-evading software that can defraud its victims, according to Liviu Arsene, senior e-threat analyst at BitDefender.
Arsene stated that at least seven apps available on the Google Play Store contain MKero because its creators worked out what Google Bouncer requires in order to accept an app.
It must be noted that the automated vetting system accepts applications according to pre-set criteria.
According to Arsene,
“The developer kept submitting the code to [Google Bouncer] and it wasn’t picked up.”
Arsene added that the apps' code is where the entire malicious activity is kept and obscured. As soon as an app makes it to the Play Store, the creators start pushing updates to it.
How MKero Works
The malware kicks into action soon after a user downloads and installs an apparently benign gaming application. MKero then opens a premium SMS subscription service website on the device. This website contains a CAPTCHA, which MKero extracts and sends to Antigate, a firm that promises CAPTCHA image verification and real-time translation of the images.
When the verification comes back, MKero signs the victim up for the service by entering it on the SMS subscription website. Usually, the cost of such subscriptions is around 50 cents/month.
50 cents sounds like peanuts, but Arsene pointed out that this amount often goes undetected in a monthly mobile bill. When an app has been downloaded and installed hundreds of thousands of times, this meager amount becomes worthwhile for the creators of such apps. For instance, if the app has 50,000 installs, the perpetrators would be raking in $250,000/month solely from a referral bonus paid by the SMS subscription provider.
These premium text notifications, obviously, are never received or acknowledged by the victim, since the malware operates under administrator privileges and easily blocks SMS service notifications.
However, the app does need permission before being downloaded, so, Arsene reiterates, checking and reading the permissions page is paramount.
“Definitely always go through permissions. It doesn’t matter if you download through Google Play,” said Arsene.
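The permission review Arsene recommends can be partly automated. The following is an added example, not code from the article or from BitDefender: a Python check over a decoded AndroidManifest.xml that flags the SMS and device-administrator capabilities described above when they appear in a game. The permission set, the receiver checks and the sample manifest are assumptions constructed for illustration; the article does not list the permissions MKero requests.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: permissions an SMS-billing trojan of the kind described would
# need; the article does not list MKero's actual permissions.
SMS_PERMS = {"android.permission." + p for p in ("SEND_SMS", "RECEIVE_SMS", "READ_SMS")}
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest for a hypothetical game (not a real app).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return findings for SMS and device-admin capabilities in a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    for perm in sorted(requested & SMS_PERMS):
        findings.append("requests " + perm)
    for recv in root.iter("receiver"):
        name = recv.get(ANDROID_NS + "name")
        # A receiver guarded by BIND_DEVICE_ADMIN can be made a device administrator.
        if recv.get(ANDROID_NS + "permission") == DEVICE_ADMIN:
            findings.append("device-admin receiver " + name)
        # A receiver for incoming SMS can see billing confirmations before the user.
        for flt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = flt.get(ANDROID_NS + "priority", "0")
                findings.append("SMS_RECEIVED receiver %s priority %s" % (name, prio))
    return findings

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("[!]", finding)
```

Any finding on an app whose stated purpose is a game is a reason to look closer before installing; the check expects a manifest already decoded to text XML.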
Android is the most vulnerable OS
According to sources at BitDefender, one of the developers, known as Like Gaming, has published more than one application containing this malware. However, the developer didn't include the malware in all of the versions.
This is not the first time a malware-embedded Android app has made it to the Google Play Store. In the past, a fake BatteryBot Pro app, developed with the intention of hacking users' devices, was available on the store.