Kaspersky discovers a new Malware targeting Google Play users

Kaspersky-trojan-malware-google-play-store

Kaspersky researchers have discovered a new Trojan family that targets Google Play users. The subscription Trojan, dubbed Fleckpe, spreads via photo editors and wallpapers, subscribing the unaware user to paid services. Fleckpe has infected more than 620,000 devices since it was detected in 2022, with victims around the globe.

From time to time, malicious applications are uploaded to Google Play Store, which may appear benign at first. Among these are subscription Trojans, which are some of the trickiest. They will often go unnoticed until the victim sees that they have been charged for services they never intended to buy. This type of malware often finds its way into the official marketplace for Android apps. Two recent examples were the Jocker family and the recently discovered Harly family.

The new Trojan family, “Fleckpe”, Kaspersky’s latest discovery that spreads via Google Play under the guise of photo editors, wallpaper packs and other apps. In fact, it subscribes the unwitting user to paid services.

Kaspersky’s data suggests that the Trojan has been active since 2022. Company’s researchers have found at least eleven apps infected with Fleckpe, which have been installed on more than 620,000 devices. Although the apps had been removed from the marketplace by the time the Kaspersky report was published, it is possible that cybercriminals will continue deploying this malware in other apps. This means the real number of installations is likely to be higher.

The infected Fleckpe app launches a heavily obfuscated native library that contains a malicious dropper responsible for decrypting and running a payload from the app’s assets. This payload establishes connection with the attackers’ command-and-control server and transmits information about the infected device, including the country and carrier details. After that, a paid subscription page is provided. The Trojan then secretly launches a web browser and attempts to subscribe to the paid service on the user’s behalf. If the subscription requires a confirmation code, the malware accesses the device’s notifications to obtain it.

Thus, the Trojan subscribes the users to a paid service without their consent, resulting in the victim losing money. Interestingly, the app’s functionality remains unaffected, and users can continue to edit photos or set wallpapers without realizing that they have been charged for a service.

Kaspersky telemetry shows that the malware targeted users mainly from Thailand, although there are also found victims in Poland, Malaysia, Indonesia and Singapore.

“Sadly, subscription Trojans have only grown in popularity with fraudsters lately. The cybercriminals using them have increasingly turned to official marketplaces like Google Play to spread their malware. Growing complexity of the Trojans has allowed them to successfully bypass many anti-malware checks implemented by the marketplaces, remaining undetected for long periods of time. Affected users often fail to discover the unwanted subscriptions right away, let alone find out how they happened in the first place. All this makes subscription Trojans a reliable source of illegal income in the eyes of cybercriminals,” commented Dmitry Kalinin, security researcher at Kaspersky.

To avoid being infected by a subscription malware, Kaspersky experts recommends the following:

  • Be cautious with apps, even those from legitimate marketplaces like Google Play and remembering to check which permissions you give installed applications – some of them may pose a security risk
  • Install an antivirus product capable of detecting these types of Trojans on your phone.
  • Do not install apps from third-party sources, or pirated software. Attackers are aware of people’s craving for all things free, and they exploit it through malware hidden in cracks, cheats, and mods.
  • In case subscription malware is detected on your phone, immediately remove infected app from your device, or disable it if it is preinstalled.

Leave a Reply