MMarketPay trojan infected over 100,000 Android users and bought paid apps without consent

Here we are with a new Android trojan in the wild, which has already proven to be very successful in China. The trojan is able to automatically buy paid apps without the user noticing anything.

The MMarketPay trojan has already infected 9 Android app stores, and it comes bundled with many apps that seem legit. The trojan buys paid apps from China Mobile’s Market. The China Mobile Market sends a verification SMS prior to the purchase, but the trojan reads the code from the SMS, uses it on the Market and deletes the SMS.

MMarketPay is even able to complete CAPTCHA codes by sending them to a remote server, which sends back the verification. More than 100,000 people have been infected and had their accounts billed.

Fortunately the trojan hasn’t reached the Google Play Store yet, though it should be an alarm signal for the entire Android environment. We’ve been seeing many trojans spreading around Android devices lately, though Google’s Play Store has been better protected than others.

At the moment there doesn’t seem to be anything users can do, except being very careful about which apps they install. The MMarketPay trojan has been identified as coming bundled with weather, travel and streaming apps, among others.

According to mobile security company TrustGo, the virus is unlikely to spread outside China, though the M-Market has over 149 million users, so the trojan does have a lot of targets in China alone.