September 9, 2015 By Douglas Bonderud 2 min read

While the Google Play store never garnered the App Store’s reputation for security, Google Bouncer has evolved to the point where most apps up for sale are both clean and legitimate. According to SecurityWatch, however, a new malware variant is taking the fun out of downloading new applications: Infected apps carrying Android.Trojan.MKero.A have been spotted in the store and now come with the ability to avoid CAPTCHA security measures and launch a concealed subscription service. How do users stay safe?

CAPTCHA Conundrum

Sure, CAPTCHA isn’t perfect, but there’s a lot to recommend about the process since it screens out virtually any automated process trying to cross secure barriers. It’s also simply not worth attackers’ time to develop a code-based solution to replicate human image recognition. As noted by the SecurityWatch piece, however, it’s absolutely worth their time to leverage services like Antigate.com, which relies on human workers to recognize the characters in CAPTCHA images and send back the results. Packaged along with Android.Trojan.MKero.A, this makes it possible for malicious actors to approve subscription-based SMS services on victims’ phones and start running up the charges; Bitdefender estimated that total financial losses could reach $250,000.

Of course, getting this malware onto phones means getting it into the Google Play store. Security experts still aren’t sure about the exact transport mechanism but speculate that code sophistication has now increased to the point where Bouncer is unable to tell the difference between legitimate offerings and aggressive Trojans. So far, apps that carry this Trojan have been downloaded hundreds of thousands of times. Worse still, they run completely silent on Android phones, meaning users won’t know they’ve been compromised until big bills start piling up.

No Safe Harbor for Google Play

With malware now sneaking into legitimate app stores, users can no longer rely on manufacturer-gated content to ensure safety. Bitdefender recommended running some type of mobile security solution to identify and report malicious apps, SecurityWatch reported. The problem here is tracking down the right service since some of these so-called security apps are actually malware in disguise or so poorly made that users are better off with no protection whatsoever.

Tech Republic recommended rebooting Android devices in Safe Mode if it becomes clear they’ve been compromised. This is easy: Just hold down the power button, select “Reboot to Safe Mode” and all third-party apps will be disabled, allowing users to purge them from the device.

As noted by Forbes, chipmakers like Qualcomm are also looking at ways to help safeguard devices with the new Snapdragon Smart Protect. Users running a Snapdragon processor get the benefit of active protection, which monitors app behavior and reports any suspicious events — for example, if a user’s screen is turned off but an app is trying to send an SMS message. This could be a sign of malicious activity, and the phone will wake and alert the user.
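To make the screen-off heuristic concrete, here is an added illustration of that kind of behavioral rule written as a small event correlator. It is example code, not Snapdragon Smart Protect’s implementation, and it assumes a constructed stream of (timestamp, event, detail) tuples as its input format.

```python
"""Behavioral detector for the screen-off SMS heuristic described above.

Added example (not Snapdragon Smart Protect's code). Assumes a constructed
event stream of (timestamp, event_kind, detail) tuples: "screen" events carry
"on"/"off", and "sms_send" events carry the package name attempting the send.
"""
from dataclasses import dataclass


@dataclass
class Alert:
    ts: int
    package: str
    reason: str


# Constructed sample event stream; the format is an assumption of this example.
SAMPLE_EVENTS = [
    (100, "screen", "on"),
    (105, "sms_send", "com.example.messenger"),   # user is active: benign
    (200, "screen", "off"),
    (260, "sms_send", "com.example.flashlight"),  # screen dark: suspicious
    (262, "sms_send", "com.example.flashlight"),  # repeated: burst
    (400, "screen", "on"),
    (405, "sms_send", "com.example.messenger"),
]


def detect_screen_off_sms(events, burst_limit=1):
    """Return alerts for SMS send attempts made while the screen is off.

    Tracks screen state as events arrive and counts sends per package while
    the screen is dark. The first dark send already alerts; sends beyond
    burst_limit are reported as a burst, which is the hidden-subscription
    pattern the article describes."""
    screen_on = True
    dark_sends = {}
    alerts = []
    for ts, kind, detail in sorted(events):
        if kind == "screen":
            screen_on = (detail == "on")
            if screen_on:
                dark_sends.clear()  # user is back; reset per-package counts
        elif kind == "sms_send" and not screen_on:
            dark_sends[detail] = dark_sends.get(detail, 0) + 1
            n = dark_sends[detail]
            reason = ("sms while screen off" if n <= burst_limit
                      else f"sms burst while screen off ({n})")
            alerts.append(Alert(ts, detail, reason))
    return alerts
```

Running it over SAMPLE_EVENTS flags only the flashlight app’s two sends at timestamps 260 and 262; the messenger’s sends with the screen on are left alone.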

With Google Play no longer a safe harbor for app purchases, users need to take matters into their own hands. This could mean installing third-party protection apps, rebooting in safe mode or upgrading to a new processor with the hope that on-chip defenses will make up for CAPTCHA-cheating crooks.
