Trojan Fleckpe Targets Smartphones

Fleckpe has subscribed more than 620 users around the world to paid services without their knowledge. Kaspersky researchers have discovered a new family of Trojans targeting Google Play users. Called Fleckpe and following a subscription-based revenue model, this Trojan spreads through mobile apps masquerading as photo editors and wallpaper downloaders, subscribing users to paid services without their knowledge. Since it was detected in 2022, Fleckpe has infected more than 620 devices and trapped victims around the world.

Despite all the precautions taken, malicious applications can be uploaded to the Google Play Store from time to time. The most annoying of these are the subscription-based Trojans. These Trojans subscribe their victims, without notice, to services they would never have thought of purchasing, and the victims do not realize it until the subscription fee shows up on their bills. This type of malware often finds its way into the official market for Android apps. Two recently discovered examples are the Jocker family and the Harly family.

Kaspersky's latest discovery in this area is the new family of Trojan horses called Fleckpe, which spreads through Google Play by imitating photo editors, wallpaper packs and other applications. This Trojan, like many others, subscribes unsuspecting users to paid services.

Kaspersky data shows that the newly discovered Trojan has been active since 2022. Kaspersky researchers found that Fleckpe was installed on more than 11 devices through at least 620 different applications. Although the applications were removed from the market when the Kaspersky report was published, it is possible that cybercriminals will continue to distribute this malware through other sources. This means that the actual download count may be higher.

Example of a Trojan-infected app on Google Play:

The infected Fleckpe application starts by placing a heavily obfuscated native library on the device. The library contains malicious droppers responsible for decrypting and running malicious payloads. The payload contacts the attackers' command and control server and transmits information about the infected device, including country and operator details. The server then sends a paid subscription page to the device. The Trojan secretly starts a web browser session and tries to subscribe to the paid service on behalf of the user. If a subscription requires a confirmation code, the software also accesses the device's notifications and captures the code that is sent. In this way the Trojan causes users to lose money by subscribing them to a paid service against their will. Interestingly, this does not affect the functionality of the app: users can continue to edit photos or set wallpapers without realizing that, in the background, they are being charged for a service.
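Because the confirmation code is captured from notifications, one practical check is to list which installed packages can read them. The following is an added example, not code from Kaspersky's report: it assumes the Trojan relies on Android's notification-listener access, takes the value printed by `adb shell settings get secure enabled_notification_listeners`, and uses hypothetical package names and a constructed sample value.

```python
"""Audit which Android packages hold notification-listener access.

Input: raw value of the secure setting `enabled_notification_listeners`.
"""

# Constructed sample value; all package names are hypothetical.
SAMPLE_SETTING = (
    "com.example.smartwatch/com.example.smartwatch.NotifService:"
    "com.example.photofx/.sync.PushListener:"
    ":com.example.wallpack/com.example.wallpack.core.NListener"
)

# Packages the device owner knowingly granted notification access (assumption).
EXPECTED = {"com.example.smartwatch"}


def parse_listeners(raw):
    """Return (package, class) pairs from the colon-separated component list."""
    raw = (raw or "").strip()
    if raw in ("", "null"):            # setting unset: no app has access
        return []
    pairs = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:                  # tolerate stray separators
            continue
        pkg, sep, cls = entry.partition("/")
        if not sep or not pkg or not cls:
            raise ValueError(f"malformed component: {entry!r}")
        if cls.startswith("."):        # short form is relative to the package
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def unexpected_listeners(raw, expected):
    """Map each package with notification access that is not expected to its classes."""
    flagged = {}
    for pkg, cls in parse_listeners(raw):
        if pkg not in expected:
            flagged.setdefault(pkg, []).append(cls)
    return flagged


if __name__ == "__main__":
    for pkg, classes in sorted(unexpected_listeners(SAMPLE_SETTING, EXPECTED).items()):
        print(f"review notification access: {pkg} ({', '.join(classes)})")
```

A photo editor or wallpaper app appearing in the flagged set has no functional need to read notifications and is worth reviewing or uninstalling.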

Kaspersky Security Researcher Dmitry Kalinin said:

“Subscription-based Trojans have been gaining popularity among scammers lately. Cybercriminals using them are increasingly turning to official markets like Google Play to spread malware. The growing sophistication of Trojans allows them to successfully circumvent various anti-malware controls enforced by marketplaces and remain undetected for long periods of time. Users affected by this software are not able to find out how they subscribed to the services in question in the first place, and they cannot immediately discover the unwanted subscriptions. All of this makes subscription-based Trojans a reliable source of illegal income in the eyes of cybercriminals.”

To help users avoid subscription-based malware infection, Kaspersky experts recommend:

“Be careful with apps, including those from legitimate markets like Google Play, and control what permissions you grant to installed apps. Some of these may pose a security risk.

Install antivirus software on your phone that can detect such Trojans, such as Kaspersky Premium.

Do not install apps from third party sources or pirated sites. Keep in mind that attackers are aware of people's fondness for free stuff and will work to exploit this situation in any way possible.

If subscription-based malware is detected on your phone, immediately remove the infected app from your device or disable it if pre-installed.”