Kaspersky discovers Trojan automatically subscribes users to apps

Researchers of cybersecurity solutions provider Kaspersky have recently uncovered a new Trojan family called Fleckpe that specifically targets users on Google Play. Since its discovery in 2022, Fleckpe has infected over 620,000 devices worldwide.

According to Kaspersky, this subscription Trojan is particularly stealthy as it disguises itself within seemingly harmless photo editors and wallpaper apps, tricking unsuspecting users into subscribing to paid services without their knowledge or consent. 

Based on the company’s telemetry, the malware predominantly targeted users in Thailand, although victims have also been found in Poland, Malaysia, Indonesia, and Singapore.

Kaspersky probes ChatGPT’s ability to fight cyber scam
Kaspersky finds no links between Tomiris and Turla APT groups

Subscription Trojans, such as Fleckpe, are a type of malware that can go undetected until users realize they have been charged for services they never intended to purchase. These malicious applications often infiltrate the official Android app marketplace, including recent examples like the Jocker and Harly families.

Fleckpe operates by disguising as photo editors, wallpaper packs, and other similar apps on Google Play. Although the infected apps had been removed from the marketplace by the time Kaspersky published its report, it is highly likely that cybercriminals will continue to deploy this malware in different apps. The actual number of installations is expected to be higher than reported.


When a device is infected with Fleckpe, the Trojan launches a highly obfuscated native library that contains a malicious dropper responsible for decrypting and executing a payload stored within the app’s assets. This payload establishes a connection with the attackers’ command-and-control server and sends information about the infected device, including country and carrier details. The Trojan then presents a paid subscription page and discreetly opens a web browser to subscribe the user to the paid service without their knowledge. If the subscription requires a confirmation code, the malware accesses the device’s notifications to obtain it.

The most concerning aspect of Fleckpe is that it successfully subscribes users to paid services without their consent, resulting in financial loss for the victims. The app’s regular functionality remains unaffected, allowing users to continue editing photos or setting wallpapers without realizing they have been charged for a service.

Subscription Trojans have gained popularity among fraudsters in recent times. These cybercriminals increasingly exploit official marketplaces like Google Play to spread their malware. The complexity of these Trojans enables them to bypass many anti-malware checks implemented by the marketplaces, allowing them to remain undetected for extended periods. Victims often fail to discover the unwanted subscriptions immediately or understand how they were initiated. This makes subscription Trojans a lucrative source of illegal income for cybercriminals.

To protect yourself from subscription malware like Fleckpe, Kaspersky experts recommend the following precautions:

  • Exercise caution when installing apps, even from legitimate marketplaces like Google Play. Always check the permissions requested by the installed applications, as some of them may pose a security risk.
  • Install a reputable antivirus product capable of detecting these types of Trojans on your phone, such as Kaspersky Premium.
  • Avoid installing apps from third-party sources or using pirated software. Attackers are aware of people’s.
  • In case subscription malware is detected on your phone, immediately remove the infected app from your device, or disable it if it is preinstalled.

2 replies »