The first malware capable of bypassing Captcha image recognition systems has been found targeting Android devices.
Researchers at Kaspersky Lab reported finding the Trojan-SMS.AndroidOS.Podec (Podec) trojan, claiming that it can successfully dupe Captcha online defence services into thinking it is human.
The malware is believed to have been active since late 2014, and has already subscribed “thousands of infected Android users” to premium-rate services.
Podec bypasses Captcha by automatically forwarding requests in real time to Antigate.com, a human translation service.
Kaspersky said that the service translates the texts from the Captcha image “in seconds” before relaying it back to the malware code, which can then fill in the request.
In addition, Podec can bypass the Advice on Charge system, which notifies users of the price of a service and requests authorisation before allowing payment. As a result, victims are not alerted when they are signed up to a premium-rate service.
The group behind Podec is spreading the malware via links to fake ‘cracked’ versions of popular games on social networks.
Once clicked, the links install Podec, which in turn requests administrator privileges. If these are granted, Podec is impossible to delete, according to Kaspersky.
The Kaspersky researchers said that key details about Podec remain unknown as it uses highly sophisticated techniques to prevent any analysis of the code.
These include “introducing garbage classes and obfuscation into the code”, and an “expensive” legitimate code protector that stifles researchers’ ability to examine, or pull, the source code.
Victor Chebyshev, research group manager at Kaspersky Lab, explained that the malware’s sophisticated nature indicates that it is being developed by an all-star group of cyber criminals, although it is too early for full attribution.
“The social engineering tools used in its distribution, the commercial-grade protector used to conceal the malicious code and the complicated process of extortion achieved by passing the Captcha test all lead us to suspect that this trojan is being developed by a team of Android developers specialising in fraud and illegal monetisation,” he said.
He added that Podec is likely to be a work in progress and that new functions and variants will appear in the near future.
“It is clear that Podec is being further developed, possibly with new targets and goals in mind, and we urge users to be wary of links and offers that sound too good to be true,” he said.
Podec’s discovery has sent ripples through the security community. Lancope CTO TK Keanini said that the malware is a sign that hackers are reacting to security professionals’ efforts against them.
“I think this is a great example of how security is a game of innovation. Each side co-evolves with one another,” he said.
“We must go back and remember why Captcha countermeasures were invented: to kill attackers’ automation and force them to scale back to manual and human-assisted techniques.
“In other words, successful machine-to-machine automation needed to be defeated at this stage of the process.”
Wim Remes, strategic services manager at Rapid7, agreed, adding that the malware’s discovery should act as a reminder to web users that “free does not necessarily mean free”.
“Podec does not use an innovative attack method. The user still needs to download the application and grant privileges to it,” he said.
“The lessons we are reminded of once again are as simple as they are worth repeating: do not be tempted by offers that seem too good to be true.
“Only download products from reputable application stores and review privilege application requests upon installation.”
The Podec malware follows wider concerns about Android application security. IBM researchers reported on Wednesday uncovering a flaw in the Dropbox software development kit used by many popular Android applications.