Researchers identified a new malware family infecting apps that were available for download on the official Google Play store and have been installed on more than 620,000 Android devices.
Calling it “Fleckpe” in a May 4 blog post, Kaspersky researcher Dmitry Kalinin described the trojan as a subscription-based app that usually goes unnoticed until the victim discovers they’ve been charged for services they did not purchase.
The Fleckpe malware has been spread via Google Play in photo editing apps and smartphone wallpaper packs, Kalinin continued, and has been active since 2022. All 11 infected apps were removed by the app store, but researchers suggested the malware could be more pervasive and still active.
Upon starting, the app “loads a heavily obfuscated native library containing a malicious dropper that decrypts and runs a payload from the app asset.” The payload sends the command-and-control server the infected device’s country code and mobile carrier.
The command-and-control server then sends a paid subscription page, which the trojan opens in an invisible web browser to attempt to subscribe the user. If a confirmation code is needed, the malware gets it from notifications. After the subscription process completes, the victim uses the app’s legitimate functionality none the wiser.
Recent versions of the Fleckpe trojan upgraded the native library by moving most of the subscription code there to make it more difficult to detect.
Kalinin noted that many of the reviews for the infected apps came from reviewers in Thailand, but Kaspersky’s telemetry also showed victims in Poland, Malaysia and Singapore. He also noted that the operators of the trojan are increasingly turning to official marketplaces like Google Play to spread, and recommended that users be cautious when installing apps.