Every once in a while, someone will come across malicious apps on Google Play that seem harmless at first. Some of the trickiest of these are subscription Trojans, which often go unnoticed until the user finds they have been charged for services they never intended to buy. This kind of malware often finds its way into the official marketplace for Android apps. The Jocker family and the recently discovered Harly family are just two examples of this.

Our latest discovery, which we call "Fleckpe", also spreads via Google Play as part of photo editing apps, smartphone wallpaper packs and so on. Our data suggests that the Trojan has been active since 2022. We have found eleven Fleckpe-infected apps on Google Play, which have been installed on more than 620,000 devices. All of the apps had been removed from the marketplace by the time our report was published, but the malicious actors might have deployed other, as yet undiscovered, apps, so the real number of installations could be higher.

And here is a description of Fleckpe's modus operandi. When the app starts, it loads a heavily obfuscated native library containing a malicious dropper that decrypts and runs a payload from the app assets. The payload contacts the threat actors' C&C server, sending information about the infected device, such as the MCC (Mobile Country Code) and MNC (Mobile Network Code), which can be used to identify the victim's country and carrier. The C&C server returns a paid subscription page. The Trojan opens the page in an invisible web browser and attempts to subscribe on the user's behalf. If this requires a confirmation code, the malware gets it from notifications (access to which was requested at first run). Having found the code, the Trojan enters it in the appropriate field and completes the subscription process. The victim proceeds to use the app's legitimate functionality, for example installing wallpapers or editing photos, unaware that they are being subscribed to a paid service.

In recent versions, its creators upgraded the native library by moving most of the subscription code there. The payload now only intercepts notifications and views web pages, acting as a bridge between the native code and the Android components required for purchasing a subscription. This was done to significantly complicate analysis and make the malware harder to detect with security tools.
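The modus operandi above gives an analyst three static traits to look for before any dynamic analysis: a native library in the package, an encrypted (and therefore high-entropy) file under assets/ that the library decrypts at runtime, and a manifest that requests notification-listener access so confirmation codes can be read. The script below is an added triage heuristic written for this page, not code from the report or from the malware; it scores an APK on those three traits. The entropy threshold, the minimum asset size and the toy APK it builds for offline testing are constructed for illustration, and a match is a reason to look closer, not proof of infection, since many legitimate apps ship native code and compressed assets.

```python
"""Static triage heuristic for the dropper pattern described above (added example)."""
import io
import math
import os
import zipfile
from collections import Counter

NOTIF_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
ENTROPY_THRESHOLD = 7.5   # bits/byte; assumption: encrypted or random data sits near 8.0
MIN_ASSET_SIZE = 1024     # assumption: tiny files give meaningless entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def manifest_requests(manifest: bytes, permission: str) -> bool:
    """A compiled AndroidManifest.xml stores strings in a pool that is UTF-8 or
    UTF-16LE depending on the build tool, so both encodings are checked; a
    decoded (apktool) manifest is plain UTF-8 and matches the first form."""
    return any(permission.encode(enc) in manifest for enc in ("utf-8", "utf-16-le"))


def triage_apk(apk_bytes: bytes) -> dict:
    """Score an APK (a zip archive) on the three traits from the write-up."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        native_libs = [n for n in names if n.startswith("lib/") and n.endswith(".so")]
        high_entropy_assets = []
        for n in names:
            if n.startswith("assets/") and not n.endswith("/"):
                data = zf.read(n)
                if len(data) >= MIN_ASSET_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD:
                    high_entropy_assets.append(n)
        manifest = zf.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    notif = manifest_requests(manifest, NOTIF_PERM)
    return {
        "native_libs": native_libs,
        "high_entropy_assets": high_entropy_assets,
        "notification_listener": notif,
        # all three traits together is the pattern the report describes
        "matches_pattern": bool(native_libs) and bool(high_entropy_assets) and notif,
    }


def build_sample_apk(encrypted_payload: bool = True, notif: bool = True) -> bytes:
    """Constructed toy APK for offline testing: a zip with the expected entry
    names, a plain-text manifest, a stub ELF header and a random or
    constant 'payload' under assets/. Not a real or malicious package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        perm = f'<uses-permission android:name="{NOTIF_PERM}"/>' if notif else ""
        zf.writestr("AndroidManifest.xml", f"<manifest>{perm}</manifest>")
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 64)
        payload = os.urandom(4096) if encrypted_payload else b"A" * 4096
        zf.writestr("assets/config.dat", payload)
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("suspicious", build_sample_apk()),
                       ("plain assets", build_sample_apk(encrypted_payload=False))):
        print(label, triage_apk(apk))
```

Running the script against a real package only needs the APK's bytes in place of the constructed sample; when a match is reported, the next step in practice is to pull the flagged asset and look for the decryption routine in the native library, which is where the report says the subscription logic now lives.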