Tom’s Guide
Anthony Spadafora

Malicious Android apps are signing users up for paid subscriptions — delete these now

Green skull on smartphone screen.

Although malicious apps normally try to install malware or adware on Android smartphones, a new batch of bad apps has been discovered that instead signs users up for premium subscription services.

According to a new report from the cybersecurity firm Kaspersky, subscription trojans are being added to seemingly harmless Android apps in an attempt to defraud unsuspecting users.

We have seen this before with the infamous Joker and Harly malware, both of which used similar tactics to secretly subscribe users to paid services. This new subscription trojan has been dubbed “Fleckpe” by Kaspersky’s researchers, and it's currently being spread through photo editing apps, smartphone wallpaper packs and other utilities for the best Android phones.

According to Kaspersky, this trojan has been active since last year and so far, it has been installed on over 620,000 devices. What makes Fleckpe and other subscription trojans so dangerous is that you might not even realize your smartphone has been infected and that you’ve been subscribed to a paid service without your knowledge. 

Delete these apps right now

Fortunately, all of the apps listed below have since been removed from the Google Play Store. However, if you have one installed on your smartphone, you will need to manually delete it. Here are all of the Fleckpe-infected apps that have been discovered so far:

  • Beauty Slimming Photo Editor
  • Photo Effect Editor
  • Gif Camera Editor Pro
  • Toolbox Photo Editor
  • Beauty Camrea Plus Photo Editor
  • Microclip Video Editor
  • Camera Photos
  • H4KS Wallpaper
  • Draw Graffiti
  • Night Cam Rea Pro

Note that some of these app names may be incorrect, as we were unable to get a full list from Kaspersky. However, we have reached out to Google and will update this story if we hear back from them regarding these malicious apps.

Secretly signing users up for paid subscriptions

Once a user downloads a Fleckpe-infected app onto their smartphone, the trojan loads a heavily obfuscated native library that contains “a malicious dropper that decrypts and runs a payload from the app assets”.

From here, the payload contacts a command and control (C&C) server run by the hackers behind this campaign and sends over the device’s Mobile Country Code (MCC) and Mobile Network Code (MNC), which identify the victim’s country and mobile carrier.

The C&C server sends over a paid subscription page that is opened by the trojan in an invisible web browser. It then tries to sign the user up for a paid subscription which requires a confirmation code. As Fleckpe-infected apps ask for permission to access a user’s notifications, the trojan is able to get this confirmation code and enter it to confirm the subscription.

All of this happens in the background. To the user of the infected device, the apps themselves work as they normally would, so nothing gives away the trojan’s presence.
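Because the confirmation-code grab depends on notification access, one practical check is to see which apps on a device currently hold notification-listener access and compare them against the ones you expect. The script below is an added example, not code from the article or from Kaspersky; it parses the value Android stores in the `enabled_notification_listeners` secure setting (colon-separated `package/ServiceClass` entries, or `null` when none is enabled) and reports any package not on an allowlist you supply. The sample value and the `com.example.photoeditor` package name are constructed for the offline demonstration.

```sh
#!/bin/sh
# Added example (not from the article or Kaspersky): list the apps that hold
# notification-listener access, the capability Fleckpe uses to read
# subscription confirmation codes, and flag any that are not expected.

# Turn the raw setting value ("pkg/pkg.Service:pkg2/pkg2.Service", or "null")
# into one package name per line, sorted and de-duplicated.
listener_packages() {
    raw="$1"
    # An empty value or the literal string "null" means no listener is enabled.
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$raw" | tr ':' '\n' | cut -d/ -f1 | sort -u
}

# Print the listener packages from $1 that are absent from the
# space-separated allowlist in $2 (e.g. the system UI and your wearable app).
unexpected_listeners() {
    raw="$1"
    allow="$2"
    for pkg in $(listener_packages "$raw"); do
        case " $allow " in
            *" $pkg "*) ;;             # expected listener, ignore
            *) printf '%s\n' "$pkg" ;; # not on the allowlist, report it
        esac
    done
}

# Live use against a connected device with USB debugging enabled (uncomment):
# raw=$(adb shell settings get secure enabled_notification_listeners | tr -d '\r')
# unexpected_listeners "$raw" "com.android.systemui"

# Constructed sample value for offline demonstration; the second package is invented.
SAMPLE='com.android.systemui/com.android.systemui.statusbar.NotificationListener:com.example.photoeditor/com.example.photoeditor.NotifSvc'

# Running the script stand-alone prints the unexpected listener(s) in SAMPLE.
unexpected_listeners "$SAMPLE" "com.android.systemui"
```

Any package this reports deserves a look in Settings under the device's notification-access screen; an app whose advertised purpose (a photo editor, a wallpaper pack) gives it no reason to read your notifications is exactly the pattern described above.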

How to stay safe from malicious apps

(Image credit: Google)

Subscription trojans have become increasingly popular with scammers as they are comparatively easy to get onto Google Play and other official Android app stores. This is why you always need to be cautious when installing new apps.

Even if an app has a high rating and a lot of downloads, as was the case here, it could still be malicious. This is why you want to avoid installing unnecessary apps onto your devices. Before installing any new app, ask yourself first if you really need it. Paid apps are much less likely to be malicious when compared to free ones, so paying a few dollars here and there can help keep you safe.

To protect your devices further, you should ensure that Google Play Protect is enabled on your smartphone as it continually scans both new and existing apps for malware. At the same time, you may also want to install one of the best Android antivirus apps for additional protection.

Subscription trojans likely aren’t going anywhere anytime soon as they can be quite profitable for scammers since most users fail to discover unwanted subscriptions right away. This is why you should regularly check for subscriptions on the Play Store by tapping your profile icon and heading to the Payments & subscriptions tab. Here you’ll find all of your subscriptions along with any you might have been subscribed to against your will.
