SMS Trojan Podec bypasses CAPTCHA on Android phones

Do you use SMS on you phone? Almost everyone does, and malware writers haven’t overlooked that. Late last year, hackers used a malicious program called Podec (Trojan-SMS.AndroidOS.Podec) to infect Android devices. It was cleverly disguised to prevent analysis and detection, and once the malware gained control of a victim’s device, it would use it as a part of a massive botnet to launch DDoS attacks. Or even worse: sign up for premium paid subscriptions by abusing the SMS verification system. Now, a much more evolved version of the original threat has been discovered: one that can even bypass online image-based verification system CAPTCHA.

Trojan requests administrative priviliges to subscribe to paid services

To spread Podec, hackers primarily used the popular Russian social network VKontakte, also known as VK.com. The cyber criminals made clever use of SEO (Search Engine Optimization) to catch the attention of innocent users through fake fan groups, in where they posted links to the malware cloaked as popular mobile games, like Minecraft.

13062544_sUpon launch, the malicious program asks the user for elevated (administrator) privileges. Denying the request does not help, since the message keeps repeating until the user complies, which effectively blocks the use of the device. Once the privileges have been granted, the legitimate application is downloaded and installed, which seems harmless enough. But closer inspection reveals that the program continues to enjoy administrator privileges even after the installation, which it can use for its malicious activities. Any attempt to deactivate these privileges results in uncanny behavior, such as the screen turning off and on without any confirmation of the requested change. Once rooted in the system, the malicious program is difficult to remove as the delete option for the app is also disabled.

The malicious operations performed by this Trojan include making the device part of a massive botnet that can launch a DDoS attack, and making unauthorized premium subscriptions that can end up costing the user a lot of money.

What makes this Trojan so dangerous?

Subscriptions of service providers usually involve visiting a web resource and entering the mobile number of the customer, after which an SMS is sent to the user for confirmation. These requests usually also involve CAPTCHA authorization, a test designed to tell if a user is human or a bot. The Podec Trojan has developed a technique to convince CAPTCHA it is a person, thereby bypassing the CAPTCHA security system. The malware also uses expensive, legitimate code protector which makes it very difficult for it to be analysed or reverse-engineered. It can delete call logs and messages making its actions hard to detect as well. This is reportedly the first mobile malware that can bypass CAPTCHA without any external tools.

According to Kaspersky Lab, this Trojan may have been developed by a team of Android developers specializing in illegal monetisation:

“The social engineering tools used in its distribution, the commercial-grade protector used to conceal the malicious code, and the complicated process of extortion achieved by passing the CAPTCHA test – all lead us to suspect that this Trojan is being developed by a team of Android developers specializing in fraud and illegal monetisation. It is clear that Podec is being further developed, possibly with new targets and goals in mind, and we urge users to be wary of links and offers that sound too good to be true.”

It’s advised to only download apps from official app stores, such as Google Play. Mobile malware is growing, which means having an up to date security application on your smartphone is of utmost importance. Emsisoft Mobile Security is a complete solution that can keep your Android device well out of the reach of such notorious cyber criminals.

Have a nice (malware-free) day!