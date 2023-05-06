



Researchers have identified a new malware family infecting apps available for download on the official Google Play store and installed on over 620,000 Android devices.

Kaspersky researcher Dmitry Kalinin named it Fleckpe in a May 4 blog post, noting that it is a subscription Trojan that charges users for services they did not purchase and usually goes unnoticed until the victim finds it.

Fleckpe malware has been spreading through Google Play in photo editing apps and smartphone wallpaper packs and has been active since 2022. All 11 infected apps have been removed by the app store, but researchers believe the malware is more prevalent and still active.

At launch, the app loads a highly obfuscated native library containing a malicious dropper that decrypts and executes payloads from app assets. The payload sends the infected device’s country code and mobile carrier to the command and control server.

The command and control server then sends a paid subscription page. The Trojan opens this page in a hidden web browser and attempts to subscribe the user. If a verification code is needed, the malware gets it from the notification. After completing the subscription process, the victims do not use the app’s legitimate features wisely.

Recent versions of the Fleckpe Trojan moved most of the subscription code into the native library to make it harder to detect.
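The loading chain described above (a native library, an encrypted payload stored in the app's assets, and access to notifications) can be turned into a static triage check for APK files. The following is an added example, not code from Kaspersky or from the article; the entropy threshold, the use of the `BIND_NOTIFICATION_LISTENER_SERVICE` permission as the notification-access signal, and the sample file names are assumptions, and the sample APKs are constructed in memory.

```python
import hashlib, io, math, zipfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # assumption: encrypted blobs sit close to 8 bits/byte
# Assumption: notification access is requested through this Android permission.
NOTIF_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Compressed media is high-entropy by nature, so skip it to limit noise.
MEDIA_EXT = (".png", ".jpg", ".jpeg", ".webp", ".gif", ".mp3", ".mp4", ".ogg")

def shannon_entropy(data: bytes) -> float:
    n = len(data)  # result is in bits per byte; empty input gives 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_apk(apk) -> dict:
    """apk is a path or file-like object; returns the indicators that were found."""
    r = {"native_libs": [], "opaque_assets": [], "notification_access": False}
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                r["native_libs"].append(name)
            elif name.startswith("assets/") and not name.lower().endswith(MEDIA_EXT):
                data = z.read(name)
                if len(data) >= 1024 and shannon_entropy(data) >= ENTROPY_THRESHOLD:
                    r["opaque_assets"].append(name)
            elif name == "AndroidManifest.xml":
                raw = z.read(name)  # binary XML: strings are UTF-8 or UTF-16LE
                r["notification_access"] = any(
                    NOTIF_PERMISSION.encode(e) in raw for e in ("utf-8", "utf-16-le"))
    # Only the combination is worth an analyst's time; each signal alone is common.
    r["review"] = bool(r["native_libs"] and r["opaque_assets"] and r["notification_access"])
    return r

def build_sample_apk(suspicious: bool) -> io.BytesIO:
    """Constructed test input: an in-memory ZIP laid out like an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        manifest = b"\x03\x00\x08\x00" + "android.permission.INTERNET".encode("utf-16-le")
        if suspicious:
            manifest += NOTIF_PERMISSION.encode("utf-16-le")
            z.writestr("lib/arm64-v8a/libsample.so", b"\x7fELF" + bytes(64))
            blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
            z.writestr("assets/data.bin", blob)  # stands in for an encrypted payload
        z.writestr("assets/strings.json", b'{"title": "Wallpapers"}' * 100)
        z.writestr("AndroidManifest.xml", manifest)
    return io.BytesIO(buf.getvalue())

if __name__ == "__main__":
    for suspicious in (True, False):
        print(suspicious, triage_apk(build_sample_apk(suspicious)))
```

A `review` flag is a prompt for manual or dynamic analysis, not a verdict: legitimate apps also ship native libraries and encrypted assets.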

Kalinin pointed out that many of the reviews of the infected apps were from Thai reviewers, but Kaspersky telemetry also showed victims in Poland, Malaysia, and Singapore. He also noted that Trojan operators are increasingly using official marketplaces such as Google Play to spread their malware, and advised users to be careful when installing apps.

