Massive Trojan Malware Found in Google Play with Over 620,000 Installations

Kaspersky Labs has revealed that new malware called Fleckpe was found in the Google Play Store in 11 different apps. The subscription Trojan was disguised as a photo editor and was installed on more than 620,000 devices. Although Google has removed the malicious apps, forensic investigators have warned that other undiscovered apps may carry the same Fleckpe malware. When an infected app is launched, it loads a library containing a malicious dropper, which contacts the scammers’ command and control (C&C) servers. These servers return a paid-subscription page, which the malware opens in an invisible window and attempts to complete on the victim’s behalf.

When first started, the Trojan app asks the user for a permission; once it finds the subscription confirmation code, it enters it in the appropriate field and completes the sign-up. The victims are unaware of the malware’s fraudulent activity, because the app’s advertised functions work as expected. The malware is under active development: in newer versions the authors have moved the subscription code into the native library alongside the dropper. The code is deliberately written to hinder detection by security tools, which also makes it harder to analyze.

Kaspersky’s researchers found MCC and MNC codes for Thailand hard-coded in the Trojan, along with a large number of app reviews written in Thai. This indicates that users in Thailand were the malware writers’ primary target. Other victims were found in Poland, Malaysia, Indonesia, and Singapore. The analysis also lists indicators of compromise, such as package names, MD5 hashes, and C&C server addresses. Recently, IT researchers have also analyzed an Android banking Trojan capable of attacking more than 400 financial institutions and withdrawing money from victims’ accounts.