These Android Apps On Google Play Infected Over 620K Devices With Malware, Uninstall ASAP
Security researchers at Kaspersky are ringing the alarm bells on a trojan that's managed to infiltrate Google Play and infect well over half a million Android devices. Dubbed "Fleckpe," the malware strain has been active since last year and has been detected in eleven Android apps (so far). The good news is they've all been removed from Google Play, but there could be more hiding out.
As for the bad news, malicious apps can still do harm to victims even after Google removes them from its repository. If you installed one (or more) of the eleven apps found to be infected with Fleckpe, you'll want to remove them from your phone or tablet straight away.
According to Kaspersky, Fleckpe has infected at least 620,000 Android devices. However, that could turn out to be a conservative audit.
"All of the apps had been removed from the marketplace by the time our report was published but the malicious actors might have deployed other, as yet undiscovered, apps, so the real number of installations could be higher," Kaspersky explains.
Similar to how the Joker malware operates, Fleckpe is a trojan that hides in seemingly harmless apps, including wallpaper packs, photo editing software, and so forth. Once an app infected with Fleckpe starts up, it loads a heavily obfuscated native library with a malicious dropper that gets busy decrypting and executing a a payload.
"The payload contacts the threat actors’ C&C server, sending information about the infected device, such as the MCC (Mobile Country Code) and MNC (Mobile Network Code), which can be used to identify the victim’s country and carrier. The C&C server returns a paid subscription page," Kaspersky says.
Source: Kaspersky
Armed with that info, the payload opens a page in an invisible web browser and subscribes the victim to a paid service. Meanwhile, the victim remains unaware as the app continues to function as advertised. The package names of these malicious apps are as follows...
- com.impressionism.prozs.app
- com.picture.pictureframe
- com.beauty.slimming.pro
- com.beauty.camera.plus.photoeditor
- com.microclip.vodeoeditor
- com.gif.camera.editor
- com.apps.camera.photos
- com.toolbox.photoeditor
- com.hd.h4ks.wallpaper
- com.draw.graffiti
- com.urox.opixe.nightcamreapro
The app names on your phone will look similar, such as Beauty Slimming Photo Editor, Photo Effect Editor, and GIF Camera Editor Pro. Uninstall these right away if they're on your phone. Also be on the lookout for unauthorized charges to your phone bill.
Don't let your guard down, either. According to Kaspersky, subscription malware is gaining popularity among scammers, and they are increasingly turning their attention to official marketplaces like Google Play.
"Growing complexity of the Trojans has allowed them to successfully bypass many anti-malware checks implemented by the marketplaces, remaining undetected for long periods of time. Affected users often fail to discover the unwanted subscriptions right away, let alone find out how they happened in the first place," Kaspersky explains.
These traits combine to make subscription malware a reliable source of illegal income, Kaspersky says.
