Trojan bypasses captcha to dupe users

A new piece of malware targeting Android users has been identified that can bypass user verification to subscribe people to premium services.
The malware, identified as Trojan-SMS.AndroidOS.Podec, can bypass CAPTCHA verification or Advice of Charge (which notifies users of charges and seeks payment authorization) and send messages to premium numbers or subscribe users to premium-rate services.
The CAPTCHA recognition part is what makes this Trojan so devious. The malware communicates with an image-to-text translation provider called Antigate, where a human translates the CAPTCHA image to text and relays it back. The text is then inserted into the actions field, so the verification happens without user consent and can be exploited to extort money regularly in a covert fashion. Users would have a hard time identifying the source of the deductions from their accounts.
So far, it has been circulating in Russia and its neighbouring countries, with the infection originating from servers of the popular Russian networking site VKontakte or from domains with imposing names like Apk-downlad3.ru, minergamevip.com, etc.
The malware is mostly spread through a number of groups on the social network, all of which make posts or give links offering cracked versions of popular Android games. These groups are managed in a similar way, by the same administrator.
The use of keywords in the group descriptions and the hosting of fake sites, all built on the same idea, places the groups and sites at the top of search results, indicating the involvement of black-hat SEO specialists.
Kaspersky Lab's analysts analysed the Trojan, which in one case was masquerading as 'Minecraft Pocket Edition'. It operates on the assumption that the lightness of the app will persuade users to download it.
On launch, the application asks for administrator privileges which, if granted, make it impossible for the user or a security solution to delete it. If the user rejects the request, the Trojan repeats it until the privilege is granted. After receiving administrator privileges, it downloads the legitimate Minecraft. After installation, the Trojan removes its own shortcuts, replaces them with the Minecraft shortcut and erases its traces from the device administrator list. If users somehow try to delete it, the phone shuts down, the screen locks, or the device shows other erratic behaviour. The Trojan also has the potential to exploit super-user privileges, which some users might have.
Analysis of the malware shows diligent effort on the part of the cybercriminals. They have introduced garbage classes and obfuscation into the code and have also used an expensive legitimate code protector to make access to the source code difficult. Moreover, when communicating for instructions, the Trojan uses an adaptive list of command-and-control domains, so even if one domain is blocked under suspicion, others can be used.
It is suspected that the Trojan is undergoing further development with newer capabilities being added.
In light of this, users are best advised to be wary of free services, avoid suspicious links and download only from official sources like the Google Play Store.
(For more information visit SecureList.)

4 Cybercriminals from Vietnam arrested for using SMS malware to earn $100,000


Vietnamese police have arrested four individuals accused of stealing approximately $100,000 by infecting more than 100,000 mobile devices with a premium-rate SMS-sending virus.

The suspects are identified as 23-year-old Ha Xuan Tien, 24-year-old Nguyen Duc Luc, 25-year-old Nguyen Van Tu and 29-year-old Tran Ngoc Hai, according to Tuoitrenews.

The malicious applications used by the suspects to infect users are said to have been distributed via websites like "soundfest.com.vn" and "clickdi.com".

Once the malicious application infects a smartphone, the app automatically sends SMS messages to premium-rate numbers. Premium-rate numbers allow the owner to earn money from incoming calls and SMS.

The victim loses 15,000 Vietnamese Dong ($0.71 in USD) each time a message is sent from their device to these premium-rate numbers.

Using this method, the cybercriminals managed to earn more than 2.1 billion Vietnamese Dong ($98,700 in USD) since late 2013.

SMS Trojans target users from a number of European countries and Canada

Denis at Kaspersky Lab discovered an SMS Trojan that targets users from a number of European countries and Canada. According to messages found on Internet forums, the first infections were reported in early September.

One of the victims downloaded an application to monitor his own messages, calls and traffic. After launch, the application displayed a message saying that it was not compatible with the user's Android version. The user's mobile account was then emptied. The app turned out to be an SMS Trojan which sends 4 SMS messages to premium-rate numbers. Kaspersky detects it as "Trojan-SMS.AndroidOS.Foncy" malware.

[Image: the main menu of the smartphone after the infection]

This Trojan is distributed via a file hosting website with the name "SuiConFo.apk".

There are 2 main malicious classes of this Trojan: ‘MagicSMSActivity.class’ and ‘SMSReceiver.class’. The first is mainly responsible for sending SMS messages, while the second is used to hide incoming messages from specific numbers.

"Unfortunately, today SMS Trojans are one of the easiest ways for cybercriminals to make easy money fast. Malicious use of premium rate SMS services is spreading around the world, and I'm pretty sure it's not going to stop any time soon. We'll keep you posted," said Denis.