Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

New Android Trojans Infected Many Devices in Asia via Google Play, Phishing

The recently identified Fleckpe Android trojan has infected over 600,000 users in Southeast Asia via Google Play.

Security researchers are warning that two new Android trojans have been observed targeting users in Southeast and East Asia. One of them has amassed hundreds of thousands of installs via Google Play.

Dubbed Fleckpe, the first malware family has been active since 2022, being distributed via malicious applications in Google Play, Russian cybersecurity firm Kaspersky reports.

The company identified in the official app store a total of 11 malicious applications, which have been installed more than 620,000 times. The offending apps, which were posing as photo editing utilities, smartphone wallpaper packs, and similar software, have been removed from Google Play.

When executed on an infected device, Fleckpe loads a library containing a dropper that fetches and executes a payload meant to establish a connection to the command-and-control (C&C) server and to send information about the infected device.

The server responds with a paid subscription page that the trojan loads in an invisible browser window. If the subscription process requires a confirmation code, the malware leverages previously requested access to the notification area, retrieves it, and enters it on the page to complete the subscription process.

Most of Fleckpe’s victims appear to be in Thailand, but the malware also infected devices in Indonesia, Malaysia, Poland, and Singapore.

The second newly identified malware, FluHorse, is also distributed via malicious applications. Unlike Fleckpe, however, these apps arrive on victims’ devices via phishing emails, cybersecurity firm Check Point reveals.

Advertisement. Scroll to continue reading.

The malicious FluHorse apps mimic popular applications that have over 1 million installations in Google Play and which are specifically designed for users in Taiwan (a toll collection app) and Vietnam (a banking application). The malware was also seen mimicking a major transportation application.

The malware was designed to harvest victims’ credentials and two-factor authentication (2FA) codes transmitted via SMS and send them to its operators. Phishing emails containing lures related to paying tolls and directing victims to a fake website were used to distribute the malicious applications.

After the victim installs the malicious application, they are prompted to enter their credentials and then are told to wait for 10 or 15 minutes until the information is verified.

During this time, the threat actors attempt to use the credentials to perform malicious transactions and the malware abuses previously requested permissions to redirect any SMS confirmation codes to the attackers.

According to Check Point, the identified FluHorse victims are diverse and include high-profile entities such as government employees.

Related: ‘BouldSpy’ Android Malware Used in Iranian Government Surveillance Operations

Related: ‘Nexus’ Android Trojan Targets 450 Financial Applications

Related: Godfather Android Banking Trojan Targeting Over 400 Applications

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...