The malware, identified as Trojan-SMS.AndroidOS.Podec can bypass captcha verification or advice of charge (this notifies users regarding charges and seeks payment authorization) and send messages to premium numbers or subscribe users to premium rate services.
The captcha recognition part is what makes this Trojan so devious, the malware communicates with an image to text translation provider called Antigate where a human translates the image for the captcha to text and relays it. The text is then inserted into the actions field, the verification thus happens without user consent and can be exploited to extort money regularly in a covert fashion. The users would have a hard time pointing the source for deduction in accounts.
Till now, it has been circulating in Russia and its neighbouring countries with the infection originating from servers of popular Russian networking site VKontakte or domains with imposing names like Apk-downlad3.ru, minergamevip.com, etc.
The malware is mostly spread through a number of groups on the social networks, all of which makes posts or give links providing cracked versions of popular android games. These groups are similarly managed with the same administrator.
The usage of keywords in descriptions of the groups, hosting of fake sites all which are based on one idea places the group or sites at top of search results, indicating involvement of black SEO specialists.
Kaspersky Lab's analysts analysed the Trojan which in one case was masquerading as 'Minecraft Pocket Edition'. It operates on the notion that the users are guided by the lightness of the app to download it.
On launch, the application asks for administrator privileges, which if granted makes it impossible to be deleted by the user or a security solution. If the user rejects the request, the Trojan is repeated till privilege is granted. After receiving administrator privileges, the legitimate mine craft is downloaded. After installation the Trojan removes its own shortcuts, replaces it with the Minecraft shortcut and erases traces from the device administrator list. If somehow the users try to delete it, the mobile shuts down or screen locks or shows other erratic behaviour. The Trojan has the further potential to exploit super-user privileges, which some users might have.
Analysis of the malware shows diligent effort on the part of the cybercriminals. They have introduced garbage classes and obfuscation into the code and have also used an expensive legitimate code protector to make the access to the source code difficult. Moreover, while communicating for instructions the Trojan uses an adaptive list of control and command domains, thus even if one domain is blocked under suspicion others can be used.
It is suspected that the Trojan is undergoing further development with newer capabilities being added.
In light of such circumstances as a user it is best to be wary of free services, avoiding suspicious links and downloading only from official sources like Google Playstore.
(For more information visit SecureList.)