Subscription Trojan Downloaded 600K Times From Google Play

Written by

Security researchers have discovered a new piece of Trojan malware installed on more than 620,000 devices, after being hidden in 11 Android apps listed on Google Play.

Dubbed “Fleckpe” by Kaspersky, the malware is similar to the Jocker and Harly strains and has been active since 2022.

It is designed to covertly subscribe the victim to premium services, generating revenue for its operator while the user is completely unaware.

Read more on mobile Trojan malware: Researchers Discover Nearly 200,000 New Mobile Banking Trojan Installers.

Fleckpe was hidden in a handful of photo editing apps, smartphone wallpaper packs and other titles, although the malicious campaign may be even more extensive than that so far discovered, Kaspersky warned.

When the app starts, it loads a heavily obfuscated native library containing a malicious dropper that decrypts and runs a payload from the app assets. This payload contacts the malicious actor’s command and control (C2) server, sending device information back and receiving a paid subscription page in return.

The Trojan then opens an invisible web browser and tries to subscribe on the user’s behalf, pulling a confirmation code if required from notifications.

All the while, the victim is able to use the app’s legitimate-looking functionality, unaware they’ve been subscribed to a paid service costing them money.

“The Trojan keeps evolving. In recent versions, its creators upgraded the native library by moving most of the subscription code there. The payload now only intercepts notifications and views web pages, acting as a bridge between the native code and the Android components required for purchasing a subscription,” Kaspersky explained.

“This was done to significantly complicate analysis and make the malware difficult to detect with the security tools. Unlike the native library, the payload has next to no evasion capabilities, although the malicious actors did add some code obfuscation to the latest version.”

Subscription Trojans like this are an increasingly popular way for threat actors to make money, and unfortunately they often end up on the official Play store.

“The growing complexity of the Trojans has allowed them to successfully bypass many anti-malware checks implemented by the marketplaces, remaining undetected for long periods of time,” Kaspersky warned. “Affected users often fail to discover the unwanted subscriptions right away, let alone find out how they happened in the first place.”

Editorial image credit: I AM NIKOM /

What’s hot on Infosecurity Magazine?