Researchers at cybersecurity firm Kaspersky have recently uncovered a new Trojan family that specifically targets users of the popular Google Play platform. Named Fleckpe, this subscription-based trojan spreads through seemingly harmless photo editors and wallpaper apps, subscribing unsuspecting users to paid services without their knowledge or consent. Since its detection in 2022, Fleckpe has infected over 620,000 devices worldwide, leaving victims across the globe in its wake.
Subscription Trojans have become increasingly prevalent among the various types of malicious applications found on the Google Play Store. These Trojans are particularly deceptive because their presence often goes undetected until victims realize they have been charged for services they never intended to purchase. This type of malware has found its way onto the official marketplace for Android apps on multiple occasions. The Jocker family and the recently discovered Harly family serve as two notable examples.
Fleckpe, the latest Trojan family identified by Kaspersky, exploits the Google Play platform by masquerading as legitimate photo editors, wallpaper packs, and other seemingly harmless apps. Once installed, it covertly enrolls unwitting users in paid services without their consent.
According to Kaspersky’s data, this Trojan has been active since 2022. Researchers at the company have identified at least 11 infected apps containing Fleckpe, which have been downloaded onto more than 620,000 devices. Although these apps were removed from the Google Play Store by the time Kaspersky published its report, there is a concern that cybercriminals may continue to deploy this malware through other apps. Therefore, the actual number of installations is likely to be even higher than reported.
The infected Fleckpe app initiates a heavily obfuscated native library upon launch, containing a malicious dropper responsible for decrypting and executing a payload from the app’s assets. This payload establishes a connection with the attackers’ command-and-control server, transmitting information about the infected device, including details such as country and carrier information. The Trojan then proceeds to display a paid subscription page. Subsequently, it discreetly launches a web browser and attempts to subscribe the user to the paid service without their knowledge. In cases where the subscription requires a confirmation code, the malware gains access to the device’s notifications to obtain the necessary code.
This method allows the Trojan to sign up users for paid services without their consent, resulting in financial losses for the victims. Interestingly, the functionality of the infected app remains unaffected, enabling users to edit photos or set wallpapers without realizing that they have been charged for an unwanted service.
Dmitry Kalinin, a security researcher at Kaspersky, emphasized the growing popularity of subscription Trojans among fraudsters. These cybercriminals increasingly exploit official marketplaces like Google Play to distribute their malware. The complex nature of these Trojans enables them to evade many anti-malware checks implemented by the marketplaces, remaining undetected for extended periods of time. Unfortunately, affected users often fail to detect the unwanted subscriptions immediately and struggle to determine how they became subscribed in the first place. This combination of factors makes subscription Trojans a reliable source of illicit income for cybercriminals.
Kaspersky advises Android users to remain vigilant when downloading apps from the Google Play Store. It is crucial to verify the credibility and reputation of the developer before installing any applications. Additionally, users should regularly update their devices with the latest security patches and employ reliable mobile security solutions to safeguard against emerging threats. By adopting these precautions, users can mitigate the risk of falling victim to subscription Trojans and other malicious software targeting their devices on the Google Play platform.
