According to data collected with the help of the Kaspersky Security Network, Podec targets Android device users primarily through Russia’s popular social network, VKontakte (VK, vk.com). Other sources discovered by Kaspersky Lab include domains with the names of Apk-downlad3.ru and minergamevip.com. Most victims to date have been detected in Russia and surrounding countries.
Infection generally occurs through links to supposedly cracked versions of popular computer games, such as Minecraft Pocket Edition. These links appear on group pages and victims are drawn in by the lack of cost and what appears to be a far lower file size for the game when compared to the legitimate version. Upon infection, the Podec malware requests administrator privileges that, once granted, make it impossible to delete or halt the execution of the malware.
CAPTCHA image recognition requests are increasingly added to online forms to ensure the request is submitted by a person and not automated software. Podec passes CAPTCHA by redirecting the CAPTCHA processor to an online image-to-text recognition service, Antigate.com. Within seconds the text from the CAPTCHA image is recognized by a person and the details are relayed back to the malware code, which can then proceed with execution.
Further, the Trojan employs highly sophisticated techniques to prevent any analysis of its code. As well as introducing garbage classes and obfuscation into the code, the cybercriminals use an expensive legitimate code protector which makes it difficult to gain access to the source code of the Android application.
Kaspersky Lab believes that the development of the Trojan is ongoing; that the code is being refactored, new capabilities are being added, and module architectures are being reworked.
Kaspersky recommends that Android users only install applications sourced from official stores such as Google Play, and avoid downloading cracked apps advertised as being free of charge.