Subscription Trojan Downloaded 600K Times From Google Play

Security researchers have discovered a new malware trojan installed on more than 620,000 devices, after being hidden in 11 Android apps listed on Google Play.

Dubbed “Fleckpe” by Kaspersky, the malware is similar to the Jocker and Harly strains and has been active since 2022.

It is designed to covertly subscribe the victim to premium services, generating revenue for its operator while the user is unaware.

More on mobile Trojan malware: Researchers discover nearly 200,000 new installers of mobile banking Trojans.

Fleckpe was hidden in a handful of photo-editing apps, smartphone wallpaper packs and other titles, though the malicious campaign may be even more extensive than previously discovered. now, Kaspersky warned.

When the application starts, it loads a heavily obfuscated native library that contains a malicious dropper that decrypts and executes a payload from the application’s assets. This payload contacts the malicious actor’s Command and Control (C2) server, sending device information and receiving a paid subscription page in return.

The Trojan then opens an invisible web browser and attempts to subscribe on the user’s behalf, extracting a confirmation code if necessary from notifications.

Meanwhile, the victim can use the app’s legitimate-looking functionality, unaware that they have subscribed to a paid service that costs them money.

“The Trojan continues to evolve. In recent versions, its creators updated the native library by moving most of the subscription code there. The payload now only intercepts notifications and displays web pages, acting as a bridge between the native code and the Android components required to purchase a subscription,” Kaspersky explained.

“This was done to significantly complicate analysis and make malware difficult to detect with security tools. Unlike the native library, the payload has virtually no evasion capabilities, although the malicious actors did add some code obfuscation to the latest version.

Subscription trojans like this are an increasingly popular way for threat actors to make money, and unfortunately, they often end up in the official Play Store.

“The increasing complexity of Trojans has allowed them to successfully evade many anti-malware checks implemented by the markets, going undetected for long periods of time,” Kaspersky warned. “Affected users often fail to discover unwanted subscriptions immediately, let alone discover how they happened in the first place.”

Editorial Image Credit: I AM NIKOM /

Source link
A recent cyber-security study has shown that a maliciously cloaked subscription Trojan has been downloaded over 600,000 times from Google Play and could have been installed on around 100,000 devices, before it was eventually brought to light. This Trojan, known as XinInput, is capable of silently activating and subscribing users to premium online services without their knowledge.

The good news is that steps have been taken by Google Play Security Team to swiftly block the device’s ability to download and install the malicious nature of the app and information has been released warning users not to open the app.

Here at Ikaroa Technologies, we believe this is a wake-up call; the lesson being that we should never fully trust any source, no matter how trusted a name is behind it. We recommend that all users take proactive steps to ensure their safety and security. This includes downloading from well-known and reliable subscription services, being careful with downloads from unknown third-party stores, and installing an effective anti-virus program.

Ikaroa’s security solutions for both businesses and individuals provide the safety of knowing that your data and identities are always protected, no matter what the threat surface may be. Ikaroa cloud security solutions helps to protect against potential online threats and can help reduce the risk in the case of a potential breach.

In the digital age, it’s more important than ever to stay safe and prevent yourself from becoming the victim of a cyber-attack. So be sure to stay vigilant and always make sure that the apps you download come from reliable sources.


Leave a Reply

Your email address will not be published. Required fields are marked *