Kaspersky, a renowned cybersecurity firm, has recently revealed the presence of a new Trojan family named Fleckpe, specifically designed to target users of the Google Play platform. This subscription Trojan spreads through seemingly harmless photo editors and wallpaper apps, deceiving unsuspecting users into subscribing to paid services without their knowledge. Since its detection in 2022, Fleckpe has infected over 620,000 devices worldwide.
The Google Play Store occasionally becomes a breeding ground for malicious applications that initially appear harmless. Among these threats are subscription Trojans, notorious for their deceptive tactics. They often go undetected until victims discover unauthorized charges for services they never intended to purchase. Notable examples include the Jocker and Harly families, which have infiltrated the official Android app marketplace.
Kaspersky’s latest discovery, the Fleckpe Trojan family, is spread through Google Play disguised as photo editors, wallpaper packs, and other similar applications. Once installed, it covertly subscribes the user to paid services without their consent.
According to Kaspersky’s research, Fleckpe has been active since 2022, with at least eleven infected apps identified. These apps had already been removed from the marketplace by the time Kaspersky published its report. However, there is a possibility that cybercriminals will continue to deploy this malware through other apps, suggesting that the actual number of infections could be higher.
The infected Fleckpe app loads a heavily obfuscated native library containing a malicious dropper, which decrypts and executes a payload from the app’s assets. This payload connects to the attackers’ command-and-control server and transmits device information such as country and carrier details. A paid subscription page is then provided, and the Trojan secretly launches a web browser to subscribe the user to the paid service without their knowledge. If the subscription requires a confirmation code, the malware accesses the device’s notifications to obtain it.
Notably, the Trojan carries out these unauthorized subscriptions while the app’s original functionality remains unaffected. Users can continue using the app for photo editing or setting wallpapers, oblivious to the fact that they have been charged for a service they never intended to acquire.
Kaspersky’s telemetry data indicates that the malware primarily targeted users in Thailand, with additional victims found in Poland, Malaysia, Indonesia, and Singapore.
Dmitry Kalinin, a security researcher at Kaspersky, expressed concern about the increasing popularity of subscription Trojans among fraudsters. Cybercriminals have turned to official marketplaces like Google Play to distribute their malware, taking advantage of the Trojans’ growing complexity to evade detection for extended periods. Affected users often remain unaware of the unauthorized subscriptions and the means through which they were initiated, making subscription Trojans a lucrative source of illicit income for cybercriminals.
To protect against subscription malware, Kaspersky experts recommend the following preventive measures:
- Exercise caution when downloading apps, even from reputable sources like Google Play. Always review the permissions requested by installed applications, as some may pose security risks.
- Install a reliable antivirus product capable of detecting and removing such Trojans from your mobile device, such as Kaspersky Premium.
- Avoid installing apps from third-party sources or using pirated software. Attackers exploit users’ inclination for freebies by embedding malware in cracks, cheats, and mods.
- If subscription malware is detected on your phone, promptly uninstall the infected app or disable it if it came preinstalled.
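
Because Fleckpe reads notifications to capture confirmation codes, one concrete way to act on the permission-review advice is to list which user-installed apps hold notification access. The script below is an added example, not Kaspersky's tooling: it parses the output of `adb shell settings get secure enabled_notification_listeners` and `adb shell pm list packages -3`, and the sample output and package names in it are constructed.

```python
import re

# Constructed sample output (hypothetical package names, not from a real device).
SAMPLE_LISTENERS = (
    "com.example.oem.launcher/com.example.oem.launcher.BadgeListener:"
    "com.example.photoeditor/.NotifyService:"
    "com.example.smartwatch/com.example.smartwatch.Bridge"
)
SAMPLE_PACKAGES = """package:com.example.photoeditor
package:com.example.smartwatch
package:com.example.notes
"""

def parse_listeners(raw):
    """Map package -> listener service classes from the colon-separated setting."""
    raw = raw.strip()
    listeners = {}
    if not raw or raw == "null":          # setting unset: nobody has access
        return listeners
    for component in raw.split(":"):
        component = component.strip()
        if "/" not in component:          # skip malformed entries
            continue
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):           # expand short form ".Service"
            cls = pkg + cls
        listeners.setdefault(pkg, []).append(cls)
    return listeners

def parse_third_party(raw):
    """Package names from `pm list packages -3` (user-installed apps only)."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)", raw, re.M)}

def flag_apps(listeners_raw, packages_raw, allowlist=frozenset()):
    """User-installed packages with notification access that are not expected to have it."""
    listeners = parse_listeners(listeners_raw)
    third_party = parse_third_party(packages_raw)
    return sorted(p for p in listeners if p in third_party and p not in allowlist)

if __name__ == "__main__":
    # The allowlist holds apps that legitimately need notifications (assumed here).
    for pkg in flag_apps(SAMPLE_LISTENERS, SAMPLE_PACKAGES, {"com.example.smartwatch"}):
        print("review notification access:", pkg)
```

A photo editor or wallpaper app has no functional need for notification access, so any such package in the result is worth revoking and investigating.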
25 May 2023