Android Trojan signs you up for paid subscriptions

  • Fleckpe is a Trojan that signs users up for subscriptions without their knowledge.
  • The Trojan was reportedly discovered on 620 000 devices.
  • Kaspersky notes victims from countries including Poland, Thailand, Malaysia, Indonesia, and Singapore.

Researchers at Kaspersky have discovered a new Trojan family that was spreading via the Google Play Store.

The researchers have dubbed the Trojan Fleckpe, and it reportedly spreads via photo editors and wallpaper apps. What makes the malware alarming is that it signs users up for paid subscription services without their knowledge or permission.

The cybersecurity firm says that according to its data, Fleckpe has been active since last year and has been installed on more than 620 000 devices. Kaspersky further notes that while the offending apps containing the Trojan have been removed from the Google Play Store, the potential exists for it to appear again in future.

“Subscription Trojans have only grown in popularity with fraudsters lately. The cybercriminals using them have increasingly turned to official marketplaces like Google Play to spread their malware. Growing complexity of the Trojans has allowed them to successfully bypass many anti-malware checks implemented by the marketplaces, remaining undetected for long periods of time. Affected users often fail to discover the unwanted subscriptions right away, let alone find out how they got subscribed to something in the first place. All this makes subscription Trojans a reliable source of illegal income in the eyes of cybercriminals,” writes security researcher at Kaspersky, Dmitry Kalinin.

Once downloaded, Fleckpe loads an obfuscated native library containing a malicious dropper, which decrypts and runs a payload from the app’s assets. This is likely how the Trojan circumvented Google’s protections.

The payload that is run contacts a command and control (C&C) server, which identifies the user’s country and mobile network. The C&C server returns a paid subscription page, which the Trojan opens without the user knowing. Should a confirmation code be required, the Trojan fetches it from notifications, and just like that the user has a new subscription they never asked for.

Kaspersky adds that newer iterations of Fleckpe suggest the payload now only intercepts notifications and views web pages, which makes it harder to detect.
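
Because the confirmation code is read from notifications, one practical check is to list which installed apps hold notification access and compare them against the ones the owner knowingly approved. The Python script below is an added example, not Kaspersky's code; it parses the value printed by `adb shell settings get secure enabled_notification_listeners`, and the package names and allowlist in it are constructed for illustration.

```python
# Constructed sample of what
#   adb shell settings get secure enabled_notification_listeners
# prints: colon-separated "package/class" component names.
SAMPLE_SETTING = (
    "com.example.wearcompanion/.NotifyBridge:"
    "com.example.photoeditor.beauty/com.example.photoeditor.core.PushListener:"
    "com.example.wallpapers4k/.svc.Listener"
)

# Hypothetical allowlist: apps the device owner knowingly gave notification access.
EXPECTED = {"com.example.wearcompanion"}


def parse_listeners(value):
    """Return {package: [fully qualified listener classes]}."""
    listeners = {}
    value = value.strip()
    if not value or value == "null":  # setting unset: nothing has access
        return listeners
    for component in value.split(":"):
        package, sep, cls = component.strip().partition("/")
        if not sep or not package or not cls:
            continue  # skip malformed entries rather than guessing
        if cls.startswith("."):  # short form is relative to the package
            cls = package + cls
        listeners.setdefault(package, []).append(cls)
    return listeners


def unexpected_listeners(value, expected):
    """Packages that can read notifications but are not on the allowlist."""
    return sorted(set(parse_listeners(value)) - set(expected))


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_SETTING)
    for pkg in unexpected_listeners(SAMPLE_SETTING, EXPECTED):
        print(f"review notification access: {pkg} ({', '.join(found[pkg])})")
```

A photo editor or wallpaper app appearing in this list is worth a second look, since neither needs to read other apps' notifications to do its job.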

“To avoid malware infection and subsequent financial loss, we recommend to be cautious with apps, even those coming from Google Play, avoid giving permissions they should not have, and install an antivirus product capable of detecting this type of Trojans,” adds Kalinin.

While analysis shows victims in Poland, Thailand, Malaysia, Indonesia, and Singapore, the potential exists for more regions to be targeted.

Be safe out there, folks, and keep your app installations to those from reputable vendors.

[Image – Kaspersky]

