CAPTCHA-busting malware wormed its way into apps hosted on Google Play, reaping up to US$250,000 from infected victims.
So says BitDefender which has fingered the "MKero.A" malware as the source of the attack and says it spread across European social networks late last year, hitting Russians hardest, before being turfed out of app stores.
The trojan was woven into legitimate games and has since incorporated sufficient anti-analysis techniques that it again slipped past Google's Bouncer security defences and into the devices of those who downloaded it.
Once installed, BitDefender researchers say, the malware operates stealthily: users don't know it's there.
Once the malicious app runs it contacts its command-and-control servers and signs users up to premium SMS subscriptions. To do that, it needs to crack the CAPTCHAs that such services use to prevent bogus sign-ups.
The attackers pay about half a cent per CAPTCHA to have it cracked, thereby disarming premium text services' most common tool for preventing abuse.
To do this the malware uses the human-powered image-to-text recognition service antigate.com, a service heavily promoted on cybercrime sites that charges up to $1 for 1000 CAPTCHAs to be solved and pays the workers who solve them about 35 cents for the work.
It has found great success. Two trojanised apps have been downloaded 100,000 and 500,000 times respectively, "raising the potential victim count to staggering numbers" according to BitDefender researchers.
"The total financial losses could amount to a staggering $250,000 purely from the minimum $0.05 charge by subscribed SMS messages," BitDefender's researchers say.
The white hats at Google have been notified of the existence of these malicious apps in Google Play. ®