Mean SMS Trojan Bypasses CAPTCHA and Steals Money

March 17, 2015

Kaspersky Lab experts have detected new, dangerous malware that aims to steal money from fans of pirated content. The Podec Trojan uses black hat SEO techniques and popular social networks (in particular VKontakte, the well-known social network of Russian origin, also known as VK.com) to infect Android smartphones and steal money.

To spread Podec, hackers created numerous groups on VKontakte and uploaded the app under the guise of popular mobile games, like Minecraft. The criminals worked hand-in-hand with SEO specialists to attract users to fake fan groups.

When launched, the malicious application requests device administrator privileges. Once a user agrees, they can no longer remove the malware from the infected device. If the user rejects the request, the Trojan keeps repeating it until the privilege is granted. In practice, this effectively blocks normal use of the device.

The app then downloads and installs the legitimate Minecraft app, deletes its own shortcut from the app list, and replaces it with the real Minecraft shortcut.

Once successfully installed, the Trojan can follow one of several scenarios. It can turn the phone into part of a botnet used to launch a DDoS attack, which is bad for several reasons: first, your phone is used to commit a crime; second, the villainous bot consumes the phone's resources, including paid Internet traffic.

The Trojan can also use your phone to ramp up a website’s visitor counters. Of course, in this scenario a victim will have to pay for Internet traffic as well.

In the third scenario, the worst for individual users, Podec subscribes the phone number to paid content that can be rather expensive (the cost of one SMS varies from $0.50 to $10). Because the money is deducted covertly and on a regular basis, users who are already subscribed to several services can spend a lot of time and effort trying to find out how their money is leaving their accounts and where it is going.

It is worth noting that the Trojan can successfully bypass a CAPTCHA challenge-response test, which was originally designed to distinguish a human from a robot. For that purpose, Podec uses a particularly inventive technique: it forwards CAPTCHA requests to an Indian real-time image-to-text recognition service called Antigate.com. This service works like a call center: within seconds, a person recognizes the CAPTCHA and sends the correct answer back to Podec. It is the first Trojan to adopt such an ‘out of the box’ solution for solving CAPTCHA challenges.

The mean app is also adept at concealing traces of its crime: it can remove call records and messages from the phone.

You can find out more about Podec from this detailed review on Securelist.

Kaspersky Lab experts have tracked this SMS Trojan since the end of last year, as it used highly sophisticated techniques to prevent any analysis of its code. In early 2015, our analysts intercepted a full-fledged version. The new Trojan appears to be under ongoing development, and it is quite possible that a new, even more dangerous version of Podec will appear on the web soon.

There is good news. VKontakte's management claims the company has removed some of the fake groups from its site (but there is no guarantee all of them are gone). Users of Kaspersky Internet Security for Android are not at risk: they are already protected from all known modifications of Podec.

Kaspersky Lab recommends that all users install apps only from legitimate app stores.