Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:00 PM
Dark Reading
Dark Reading
Products and Releases

Sophisticated CAPCHA-Bypassing Malware Found in Google Play, According to Bitdefender Researchers

A sophisticated CAPCHA-bypassing Android malware has been found harbored in Google Play apps seeking to covertly subscribe thousands of users to premium-rate services.

Identified by Bitdefender as Android.Trojan.MKero.A, the malware was first spotted in late 2014, but was only distributed via third-party marketplaces or local popular social networks in Eastern Europe. One of the most affected countries was Russia.

At the time, Bitdefender was conducting its own research into the malware’s behavior and found that recent versions had stopped using the highly advanced packer - that eased its detection – but still uses obfuscated strings.

Current Capabilities

This is the malware’s first occurrence in the official Google Play store, suggesting its developers found new ways of packing it into seemingly legitimate apps that can bypass Google Bouncer - the Google’s vetting system.

The Trojan’s sophistication lies in its ability to bypass CAPCHA authentication systems by redirecting these requests to an online image-to-text recognition service, Antigate.com. Because the online service relies on actual individuals to recognize CAPPCHA images, requests are sent back to the malware within seconds so that it can proceed with the covert subscription process.


The Trojan relies on a Command and Control (C&C) infrastructure to receive configuration settings about desired subscription services and relay received SMS messages. The subscription procedure involves the following steps:

·         Loading a target website received from the C&C server;

·         Extracting CAPCHA image and sending it for image-to-text recognition;

·         Loading the CAPCHA code on the targeted website;

·         Parsing SMS code for code or activation link;

·         Loading activation link;

·         Sending confirmation SMS;

·         Loading website with SMS code.

To further complicate analysis of the malware, its developers used obfuscation tools to hide classes, functions and C&C servers from where it receives commands and instructions.

After analyzing a list of seven malware-harboring Google Play applications, a list of 29 randomly generated C&C servers names were pulled from a single sample that did not have encrypted strings. If any one of these locations becomes unresponsive –due to a takedown or any other reason – the malware on any infected device will automatically try to connect to the next C&C server in the preconfigured list and wait for instructions.


Among Google Play apps that disseminate the Trojan, two have between 100,000 and 500,000 installs each, raising the potential victim count to staggering numbers.

For each of the applications found in Google Play, we also analyzed previous versions to discern if they had just been recently weaponized or had been hiding in plain sight for while. Our findings confirmed that several go back at least five iterations, meaning they have been in the official Google Play marketplace for a long time  - exhibiting malicious behavior - and have been constantly updated.

At least one developer, by the name of “Like Gaming,” has been found publishing more than one of these malicious apps. However, he has stopped using the Trojan in certain versions of his application.

Here’s the list of the malicious apps that at the time of writing have been found in Google Play, along with the MD5 for each version known to have harbored the same malicious behavior:


1.       com.irontubegames.tower3d    

Version: 8 1.0.8 – MD5: c8455e21d9768d5976fdfe867605a8de

2.       com.likegaming.rd            

                Version: 3 1.3 – MD5: e3b1ecb491ecf424358ead583b21d8f6

                Version: 5 1.5 392d9472352a1af31acde7cbb26c854e

3.       com.likegaming.gtascs        

                Version:  1 1.0 – MD5: 14cdf116704af262174eb0678fd1b368

4.       com.likegaming.rcdtwo        

                Version: 4 1.3 – MD5: 869624aeef3a9c848ed4e657dc852fff

                Version: 7 1.6 - MD5: 39b84a45e82d547dc967d282d7a7cd1e

                Version: 5 1.4 - MD5: 3692d7b6e121d36106f808622cdd52e7

5.       com.likegaming.rcd

                Version: 10 1.8 – MD5: 0460d0a51dcf3e4b16c2303d5c36e0ee

                Version:  6 1.4 – MD5: 569c4a7a0309477c7b17fb549b4a956a

                Version:  7 1.5 – MD5: f6c0409fffa4a8f5ca6b4f444bae297c

                Version:  8 1.6 – MD5: df32f9d5ff0572a8f40d8d9edadb1968

                Version:  9 1.7 – MD5: 61f0c2e4eaa49dd49c43f2caef83b1bf

6.       com.likegaming.ror           

                Version:  9 MD5: 7238fc5f14bdee958c7b41b13d6f3ca8

                Version: 10 MD5: 69820ddcab4fe0c6ff6a77865abf30b9

7.       com.uberspot.a2048mk

    Version: 19 1.96 - MD5: 72ba0eef80e7abe28ff8ab40ffb301d2



If each victim has been subscribed to at least one premium-rated number that charges a minimum $0.5 per SMS each month, the total financial losses could amount to $250,000 and more.

Considering the malware has been built with convert capabilities to operate completely silent on the victim’s Android device, user detection and removal is extremely difficult. To this end, a mobile security solution needs to be installed on the device to identify malicious applications – regardless from where they have been downloaded – and block threats from causing irreparable financial harm or personal data loss.

At the time of writing, Google has been notified of the existence of these malicious apps in Google Play. 


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...