Android

New Trojan secretly signs users up for paid services

Kaspersky researchers recently discovered a new Trojan family called Fleckpe that targets Google Play users. Fleckpe spreads through photo editors and wallpaper apps, among other things, and subscribes the user to certain services without their knowledge. Since being discovered in 2022, Fleckpe has infected more than 620,000 devices around the world.

What is Fleckpe?

Many malicious apps are uploaded to the Google Play Store from time to time. Some of these malicious apps seem harmless, including the so-called ‘subscription Trojans’, which are very difficult to detect. They often go undetected until the victim is faced with unexpected charges for services they never requested. Two examples have recently been found: the Jocker family and the Harly family.

The Fleckpe Trojan family is a new threat that spreads through Google Play under the guise of photo editors, wallpaper apps and other apps. The infected app appears legitimate on the surface, but contains hidden code that sends device information, such as country and carrier details, to the fraudsters' server. Based on this information, the server generates a login page. This page is opened in the web browser on the device, after which the user is subscribed to a paid service without knowing anything about it. If a confirmation code is required, the malware extracts that code from the notifications on the device.

In this way, the Trojan debits money through a subscription without the victim noticing. The app itself shows no details and can be used as usual. For example, users can continue to edit photos or set backgrounds without realizing they have been charged for a service.

The Fleckpe Trojan family has infected more than 620,000 devices since 2022. Although the apps had been removed from the market by the time the Kaspersky report was published, cybercriminals may continue to deploy this malware in other apps. This means that the actual number of installations is probably higher.

Increasingly popular

“Unfortunately, subscription Trojans have only become more popular with fraudsters lately. The cybercriminals who use them are increasingly turning to official marketplaces such as Google Play to distribute their malware. Due to the increasing complexity of the Trojans, they can successfully bypass many anti-malware checks of the marketplaces and remain undetected for a long time. Affected users often don’t discover the unwanted subscriptions right away, let alone find out how they originated in the first place. All this makes Trojan subscriptions a reliable source of illegal revenue in the eyes of cybercriminals,” explains Dmitry Kalinin, security researcher at Kaspersky.

Kaspersky’s data indicates that the malware mainly targeted users from Thailand, although victims have also been found in Poland, Malaysia, Indonesia and Singapore.

Example of an infected app in the Google Play Store
