CONFERENCE NOW LIVE: Threat Detection & Incident Response (TDIR) Summit - Join the Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New Android Trojans Infected Many Devices in Asia via Google Play, Phishing

The recently identified Fleckpe Android trojan has infected over 600,000 users in Southeast Asia via Google Play.

Security researchers are warning that two new Android trojans have been observed targeting users in Southeast and East Asia. One of them has amassed hundreds of thousands of installs via Google Play.

Dubbed Fleckpe, the first malware family has been active since 2022, being distributed via malicious applications in Google Play, Russian cybersecurity firm Kaspersky reports.

The company identified in the official app store a total of 11 malicious applications, which have been installed more than 620,000 times. The offending apps, which were posing as photo editing utilities, smartphone wallpaper packs, and similar software, have been removed from Google Play.

When executed on an infected device, Fleckpe loads a library containing a dropper that fetches and executes a payload meant to establish a connection to the command-and-control (C&C) server and to send information about the infected device.

The server responds with a paid subscription page that the trojan loads in an invisible browser window. If the subscription process requires a confirmation code, the malware leverages previously requested access to the notification area, retrieves it, and enters it on the page to complete the subscription process.

Most of Fleckpe’s victims appear to be in Thailand, but the malware also infected devices in Indonesia, Malaysia, Poland, and Singapore.

The second newly identified malware, FluHorse, is also distributed via malicious applications. Unlike Fleckpe, however, these apps arrive on victims’ devices via phishing emails, cybersecurity firm Check Point reveals.

The malicious FluHorse apps mimic popular applications that have over 1 million installations in Google Play and which are specifically designed for users in Taiwan (a toll collection app) and Vietnam (a banking application). The malware was also seen mimicking a major transportation application.

Advertisement. Scroll to continue reading.

The malware was designed to harvest victims’ credentials and two-factor authentication (2FA) codes transmitted via SMS and send them to its operators. Phishing emails containing lures related to paying tolls and directing victims to a fake website were used to distribute the malicious applications.

After the victim installs the malicious application, they are prompted to enter their credentials and then are told to wait for 10 or 15 minutes until the information is verified.

During this time, the threat actors attempt to use the credentials to perform malicious transactions and the malware abuses previously requested permissions to redirect any SMS confirmation codes to the attackers.

According to Check Point, the identified FluHorse victims are diverse and include high-profile entities such as government employees.

Related: ‘BouldSpy’ Android Malware Used in Iranian Government Surveillance Operations

Related: ‘Nexus’ Android Trojan Targets 450 Financial Applications

Related: Godfather Android Banking Trojan Targeting Over 400 Applications

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Jeremy Koppen has left Mandiant after 13 years to become the CISO of Equifax.

Engineering and technology solutions provider Amentum has appointed Max Shier as its CISO.

PAM provider Keeper Security has appointed Shane Barney as its Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.