lolloj - Fotolia

News Stay informed about the latest enterprise technology news and product updates.

CAPTCHA-bypassing malware on Android apps found in Google Play Store

Researchers found advanced CAPTCHA-bypassing malware on Android apps in the official Google Play Store, but Google downplayed the impact.

Researchers found advanced Android malware that had been hiding in multiple apps for an extended time in the official Google Play Store, but it is unclear how much damage the malware caused.

Liviu Arsene, senior e-threat researcher for Romania-based antimalware firm Bitdefender, said the malware -- identified by Bitdefender as Android.Trojan.MKero.A -- was sophisticated enough to bypass CAPTCHA tests by using a human-powered, online, image-to-text recognition service,, and then subscribe users to premium-rate services.

According to Arsene, the malware on Android apps were first discovered in late 2014, and distributed through third-party Android app stores and via social networks in Eastern Europe. Bitdefender found the malware in apps listed in the Google Play Store recently, and the malware was discovered in previous iterations of some of the apps going back as many as five versions.

The apps were able to bypass Google's Bouncer security tool, which automatically scans for malware on Android apps that are submitted to the Google Play Store. But Arsene said the findings were not reported to Google until Sept. 4. Google said in a statement to TechTarget that malware on Android apps in the Google Play Store are very rare.

"Over 1 billion devices are protected with Google Play, which conducts 200 million security scans of devices per day," Google said in its first Android Security Report. "Fewer than 1% of Android devices had a Potentially Harmful App installed in 2014, and fewer than 0.15% of devices that only install from Google Play had a Potentially Harmful App installed."

Since that time, Google has removed the infected apps from the Play Store. Google said that when malicious apps are found, it has the capability to remotely disable them on user devices.

Arsene noted that some of the malicious apps had between 100,000 and 500,000 installs, according to the Google Play Store statistics, but it is unclear how many of those downloads included the malware and how many installs stayed on user devices.

Google also confirmed that another security component of Google Play services, Safety Net, should have been able to capture and block unauthorized communications between the malware and command and control servers.

Arsene told TechTarget that he gives the benefit of the doubt to the malware developers.

"It's safe to assume that the developer tested the malware before uploading it to Google Play, in order to make sure that it will 'fly under the radar' from Google's vetting tools," Arsene said. "As previously mentioned, because the malware has been found in the wild since late 2014, it's likely that until now, it has been 'under development' [or in beta testing], so that it could now safely reach Google Play."

Next Steps

An expert discusses the rising mobile malware risk and Android malware.

How to remove recurring Android malware.

Keep your mobile security strategy current.


Dig Deeper on Mobile security threats and prevention