Fleckpe is the name Kaspersky has given to the latest malware found in the Google Play Store. The subscription Trojan was embedded in 11 apps that were installed on more than 620,000 devices in total. Google has since removed the malicious apps. However, the researchers warn that the actors may have placed other, as yet undiscovered apps in the store, so the actual number of infections could be higher.

The Fleckpe malware mostly arrives on devices disguised as a photo editor. On startup, the app loads a heavily obfuscated native library containing a dropper, which in turn decodes the actual malicious payload from the app's components.

Kaspersky's analysis goes on to say that the payload then contacts the fraudsters' command-and-control (C&C) servers. It transmits information about the infected device, including the Mobile Country Code (MCC) and the Mobile Network Code (MNC), which together identify the victim's country and mobile network operator. The C&C server returns a page offering paid subscriptions. The Trojan opens this page in an invisible browser window and attempts to complete subscriptions on the victim's behalf.

If a subscription requires a confirmation code, the malware retrieves it from the device's notifications; the Trojan app asks the victim for notification access at first launch for exactly this purpose. As soon as the malware finds the confirmation code, it enters it into the appropriate field and completes the subscription. Meanwhile, victims use the app's advertised function, such as editing photos or downloading wallpapers, and remain unaware of the fraudulent activity running in the background.

The Trojan is still evolving. In recent versions, the authors have updated the native library so that it contains the subscription code alongside the dropper. The decrypted payload now only intercepts notifications and displays web pages; it acts as the bridge between the native code and the Android components needed to complete a subscription. According to Kaspersky's analysts, this was done to complicate both analysis and detection by security tools. Unlike the library's native code, the decrypted code is only lightly obfuscated.

The researchers found hard-coded MCC and MNC values for Thailand in the Trojan, apparently used for testing. A large share of the app reviews are written in Thai, so Thai users appear to have been the primary target. Kaspersky's telemetry also shows victims in Poland, Malaysia, Indonesia and Singapore, among other countries. The analysis also lists indicators of compromise (IOCs) such as package names, MD5 hashes and C&C server addresses.
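Two of the points above translate directly into a device-side hunt: an app that holds notification access it has no business having (the mechanism the Trojan uses to read confirmation codes), and a package name or APK hash that matches a published IOC. The script below is an added example and is not Kaspersky's code or part of their analysis. It parses the output of two real adb commands, `adb shell pm list packages -f` and `adb shell settings get secure enabled_notification_listeners`, and checks them against an IOC list in the same shape as a published one (package names, MD5 hashes, C&C hosts). Every package name, hash, hostname and device output below is a constructed placeholder, not a real indicator; the allow-list of apps that may legitimately hold notification access is an assumption to adjust per environment.

```python
import hashlib

# Constructed IOC list in the shape of a published one (package names, MD5, C&C hosts).
# These are placeholders, not real Fleckpe indicators.
IOCS = {
    "packages": {"com.example.photoeditor.placeholder"},
    "md5": {"9e107d9d372bb6826bd81d3542a419d6"},
    "c2_hosts": {"c2.placeholder.invalid"},
}

# Assumption: apps allowed to hold notification access on this fleet (adjust per environment).
LISTENER_ALLOWLIST = {"com.android.systemui", "com.example.mdm.placeholder"}


def parse_pm_list(output: str) -> dict:
    """Map package name -> APK path from `adb shell pm list packages -f`.

    Each line looks like `package:<apk path>=<package name>`. On Android 11+
    the path itself contains '=' (base64 install-session directories), so the
    split has to be on the LAST '=' or the package name comes out wrong.
    """
    pkgs = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        path, _, name = line[len("package:"):].rpartition("=")
        if name:
            pkgs[name] = path
    return pkgs


def parse_notification_listeners(value: str) -> set:
    """Package names with notification access, from
    `adb shell settings get secure enabled_notification_listeners`.

    The value is a ':'-separated list of ComponentNames (pkg/class), or the
    literal string 'null' when no listener is enabled.
    """
    value = value.strip()
    if not value or value == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}


def md5_hex(data: bytes) -> str:
    """MD5 of an APK, the hash type the IOC list uses (for matching only, not integrity)."""
    return hashlib.md5(data).hexdigest()


def triage(pm_output, listeners_value, apk_bytes_by_pkg,
           iocs=IOCS, allowlist=LISTENER_ALLOWLIST):
    """Return [(package, [reasons])] for every installed package that matches an
    IOC or holds notification access without being allow-listed."""
    pkgs = parse_pm_list(pm_output)
    listeners = parse_notification_listeners(listeners_value)
    findings = []
    for name in sorted(pkgs):
        reasons = []
        if name in iocs["packages"]:
            reasons.append("package name matches IOC")
        data = apk_bytes_by_pkg.get(name)
        if data is not None and md5_hex(data) in iocs["md5"]:
            reasons.append("APK MD5 matches IOC")
        if name in listeners and name not in allowlist:
            reasons.append("holds notification access (can read OTP notifications)")
        if reasons:
            findings.append((name, reasons))
    return findings


def match_c2(hostnames, iocs=IOCS):
    """Hostnames (e.g. from a DNS or proxy log) equal to or under a C&C IOC host."""
    hits = set()
    for h in hostnames:
        h = h.strip().lower().rstrip(".")
        for c2 in iocs["c2_hosts"]:
            if h == c2 or h.endswith("." + c2):
                hits.add(h)
    return hits


# Constructed device output (not captured from a real device).
SAMPLE_PM = """\
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
package:/data/app/~~Ab12==/com.example.photoeditor.placeholder-Xy9==/base.apk=com.example.photoeditor.placeholder
package:/data/app/~~Cd34==/com.example.wallpapers.placeholder-Zz1==/base.apk=com.example.wallpapers.placeholder
"""
SAMPLE_LISTENERS = (
    "com.android.systemui/com.android.systemui.NotificationListener:"
    "com.example.wallpapers.placeholder/com.example.wallpapers.placeholder.NlService"
)
# Stand-in for APK bytes pulled with `adb pull`; chosen so its MD5 equals the placeholder IOC.
SAMPLE_APKS = {"com.example.photoeditor.placeholder": b"The quick brown fox jumps over the lazy dog"}

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_PM, SAMPLE_LISTENERS, SAMPLE_APKS):
        print(pkg, "->", "; ".join(reasons))
    print("C&C hits:", match_c2(["api.c2.placeholder.invalid", "play.google.com"]))
```

On the constructed input the photo editor is flagged twice (package name and MD5), and the wallpaper app is flagged only because it holds notification access that no allow-list entry explains, which is exactly the kind of finding a hash-based IOC list misses once the authors rebuild the APK. Run the real adb commands, feed their output in, and pull any flagged APK for hashing; a name or hash miss is not a clean bill of health, since Kaspersky warns that undiscovered variants may exist.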

Researchers also recently analyzed an Android banking Trojan capable of attacking customers of more than 400 financial institutions and siphoning money from their accounts.


(dmk)