Subscription Trojan Downloaded 600K Times From Google Play

Security researchers have discovered new Trojan malware installed on over 620,000 devices after being hidden in 11 Android apps listed on Google Play.

Named ‘Fleckpe’ by Kaspersky, the malware resembles the Jocker and Harly strains and has been active since 2022.

It is designed to covertly subscribe victims to premium services, generating revenue for operators without the user ever knowing.


Fleckpe was hidden in a handful of photo-editing apps, smartphone wallpaper packs, and other titles, but the malicious campaign may be even more widespread than what has been discovered so far, Kaspersky warns.

When the app starts, it loads a highly obfuscated native library containing a malicious dropper that decrypts and executes payloads from app assets. This payload connects to the malicious actor’s command and control (C2) server, sends device information back, and receives a paid subscription page in return.

The Trojan then opens an invisible web browser and attempts to subscribe on the user’s behalf, retrieving a verification code from the device’s notifications if necessary.

All the while, victims can use the app’s legitimate-looking features without realizing they are subscribing to a paid service.
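The traits described above (a bundled native library, an encrypted payload in the app assets, and access to notifications) can be checked statically before an app is allowed onto managed devices. The following triage sketch is an added example, not code from Kaspersky or from the malware; the entropy threshold, the minimum asset size and the sample archive are assumptions, and it relies on the fact that reading notifications on Android requires a service declared with `android.permission.BIND_NOTIFICATION_LISTENER_SERVICE`. Legitimate apps can show the same traits, so a hit means "review manually", not "malicious".

```python
import hashlib, io, math, zipfile
from collections import Counter

# Formats that are compressed by design; high entropy there is expected.
COMPRESSED_EXT = (".png", ".jpg", ".jpeg", ".webp", ".mp3", ".ogg", ".mp4", ".zip", ".gz")
NOTIF_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
ENTROPY_THRESHOLD = 7.2  # assumed cut-off in bits per byte (maximum is 8.0)

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_apk(apk) -> dict:
    """apk: path or file-like object. Returns the traits worth a manual look."""
    report = {"native_libs": [], "opaque_assets": [], "notification_listener": False}
    with zipfile.ZipFile(apk) as z:
        for info in z.infolist():
            name = info.filename
            if name.startswith("lib/") and name.endswith(".so"):
                report["native_libs"].append(name)
            elif name.startswith("assets/") and not name.lower().endswith(COMPRESSED_EXT):
                data = z.read(name)  # decompressed bytes, so ZIP deflate does not skew entropy
                h = shannon_entropy(data)
                if len(data) >= 1024 and h >= ENTROPY_THRESHOLD:
                    report["opaque_assets"].append((name, round(h, 2)))
            elif name == "AndroidManifest.xml":
                raw = z.read(name)
                # Compiled manifests store strings as UTF-8 or UTF-16LE.
                report["notification_listener"] = (
                    NOTIF_PERM.encode("utf-8") in raw or NOTIF_PERM.encode("utf-16-le") in raw)
    report["review"] = all(report.values())  # all three traits present together
    return report

def build_sample_apk() -> io.BytesIO:
    """Constructed sample archive for the demo (not a real app)."""
    blob = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + NOTIF_PERM.encode("utf-16-le"))
        z.writestr("lib/arm64-v8a/libsample.so", b"\x7fELF" + b"\x00" * 64)
        z.writestr("assets/config.json", b'{"theme": "dark"}' * 100)
        z.writestr("assets/data.bin", blob)  # stands in for an encrypted payload
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```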

“The Trojan continues to evolve. In recent versions, the author upgraded the native library by moving most of the subscription code into it. It just displays the , acting as a bridge between the native code and the Android components needed to purchase a subscription,” Kaspersky explained.

“This was done to greatly complicate analysis and make it difficult for security tools to detect the malware. Added code obfuscation to the latest version.”

Such subscription Trojans are becoming an increasingly popular way for attackers to make money, and unfortunately they often end up in the official Play Store.

As Kaspersky warns, “Trojan horses are becoming more complex, successfully bypassing many anti-malware checks implemented in the market and remaining undetected for long periods of time.” It added: “Affected users are often unable to immediately spot unwanted subscriptions, much less know how they originated in the first place.”
