Now-Removed Apps Have 620K Downloads, Targeting Victims in Thailand
Researchers found Android malware masquerading as legitimate applications that were available on the Google Play store and downloaded over 620,000 times. The apps have been active since 2022, posing as legitimate photo-editing apps, camera editors and smartphone wallpaper packs.
Researchers found 11 legitimate applications infected with the malware, which Kaspersky dubbed Fleckpe. The apps have since been taken down.
Upon download, the app loads a complicated native library through a malicious dropper. The dropper executes a payload from the app's assets, which sends the infected device’s mobile code to a command-and-control server. The server responds with a paid subscription page, which the Trojan opens in an invisible web browser to subscribe the user.
“The subscription Trojans go unnoticed until the user finds they have been charged for services they never intended to buy. This kind of malware often finds its way into the official marketplace for Android apps,” according to Dmitry Kalinin of Kaspersky.
The Trojan targeted Thai-speaking users. The majority of the reviewers for the infected apps were from Thailand.
Kaspersky’s telemetry also identified victims from Poland, Malaysia, Indonesia and Singapore.
This is not the first time threat actors have used the Google Play store to spread malware. Operators of the banking Trojan SharkBot have previously used the Google Play store. Cybersecurity firm Fox-IT found that they distributed the malware through now-deactivated applications that already had tens of thousands of installations (see: SharkBot Trojan Spread Via Android File Manager Apps).
Another banking Trojan mimicked the appearance of more than 400 applications, including leading financial and crypto exchange applications, in 16 countries. Research from security intelligence firm Group-IB said the Trojan, dubbed Godfather, reappeared with slightly modified WebSocket functionality after a three-month pause in circulation (see: Godfather Android Banking Trojan Steals Through Mimicry).
How Fleckpe Works
In the latest version, the payload intercepts notifications and “views web pages, acting as a bridge between the native code and the Android components required for purchasing a subscription.”
Kaspersky researchers said this update was made to complicate analysis and make the malware harder to detect with security tools.
“Growing complexity of the Trojans has allowed them to successfully bypass many anti-malware checks implemented by the marketplaces, remaining undetected for long periods of time,” Kalinin said.
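For defenders, the notification interception described under How Fleckpe Works can be screened for in a decoded AndroidManifest.xml. The following is an added example, not code from Kaspersky or from the original article. It assumes the interception relies on Android's standard NotificationListenerService mechanism, which the article does not state, and the manifests, package names and class names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
LISTENER_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"
INTERNET = "android.permission.INTERNET"

def notification_listeners(root):
    """Names of services that Android would allow to read notifications."""
    found = []
    for service in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in service.iter("action")}
        guarded = service.get(ANDROID + "permission") == LISTENER_PERMISSION
        if guarded or LISTENER_ACTION in actions:
            found.append(service.get(ANDROID + "name"))
    return found

def triage(manifest_xml):
    """Flag a decoded manifest that pairs notification access with network use."""
    root = ET.fromstring(manifest_xml.strip())
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    listeners = notification_listeners(root)
    return {
        "package": root.get("package"),
        "listeners": listeners,
        "internet": INTERNET in perms,
        "review": bool(listeners) and INTERNET in perms,
    }

# Constructed manifests (hypothetical package and class names).
HEADER = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
SUSPECT = HEADER + '''package="com.example.photoeditor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".NotifyService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>'''
BENIGN = HEADER + '''package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".SyncService"/></application>
</manifest>'''

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(xml))
```

A "review" result is a prompt for manual inspection rather than a verdict, since legitimate apps also declare notification listeners. It is most telling for app categories such as photo editors and wallpaper packs, which have no obvious need for notification access.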