Kaspersky researchers have discovered a new Trojanfamily that targets Google Play users. The subscription Trojan, dubbed Fleckpe, spreads via photo editors and wallpapers, subscribing the unaware user to paid services. Fleckpe has infected more than 620,000 devices since it was detected in 2022, with victims around the globe.
From time to time, malicious applications are uploaded to Google Play Store, which may appear benign at first. Among these are subscription Trojans, which are some of the trickiest. They will often go unnoticed until the victim sees that they have been charged for services they never intended to buy. This type of malware often finds its way into the official marketplace for Android apps. Two recent examples were the Jocker family and the recently discovered Harly family .
The new Trojan family, “Fleckpe”, Kaspersky's latest discovery that spreads via Google Play under the guise of photo editors, wallpaper packs and other apps. In fact, it subscribes to the unwitting user to paid services.
Kaspersky's data suggests that the Trojan has been active since 2022. Company's researchers have found at least eleven apps infected with Fleckpe, which have been installed on more than 620,000 devices. Although the apps had been removed from the marketplace by the time the Kaspersky report was published, it is possible that cybercriminals will continue deploying this malware in other apps. This means the real number of installations is likely to be higher.
Alongside its legitimate functionality, the Fleckpe-infected app runs concealed code that enables fraudsters to send device information, such as country and carrier details, to their server. Based on this information, the server responds with a subscription page. Then malware then is able to secretly launch the received page in a web browser and subscribe the user to a paid service without their knowledge. If a confirmation code is necessary, the malware obtains it by accessing the device's notifications.
Thus, the Trojan subscribes the users to a paid service without their consent, resulting in the victim losing money. Interestingly, the app's functionality remains unaffected, and users can continue to edit photos or set wallpapers without realizing that they have been charged for a service.
Kaspersky telemetry shows that the malware targeted users mainly from Thailand, although there are also victims found in Poland, Malaysia, Indonesia and Singapore.
“Sadly, subscription Trojans have only grown in popularity with fraudsters lately. The cybercriminals using them have increasingly turned to official marketplaces like Google Play to spread their malware. Growing complexity of the Trojans has allowed them to successfully bypass many anti-malware checks implemented by the marketplaces, remaining undetected for long periods of time. Affected usersoften fail to discover the unwanted subscriptions right away, let alone find out how they happened in the first place. “All this makes subscription Trojans a reliable source of illegal income in the eyes of cybercriminals ,” commented Dmitry Kalinin, security researcher at Kaspersky.
Learn more about Fleckpe malware on Securelist.com here .
To avoid being infected by a subscription malware, Kaspersky experts recommend:
- Be cautious with apps, even those from legitimate marketplaces like Google Play and remembering to check which permissions you give installed applications – some of them may pose a security risk
- Install an antivirus product capable of detecting these types of Trojans on your phone such as Kaspersky Premium.
- Do not install apps from third-party sources, or pirated software. Attackers are aware of people's craving for all things free, and they exploit it through malware hidden in cracks, cheats, and mods.
- In case subscription malware is detected on your phone, immediately remove infected app from your device, or disable it if it is preinstalled.
