Security researchers are warning that two new Android trojans have been observed targeting users in Southeast and East Asia. One of them has amassed hundreds of thousands of installs via Google Play.
Dubbed Fleckpe, the first malware family has been active since 2022, being distributed via malicious applications in Google Play, Russian cybersecurity firm Kaspersky reports.
The company identified in the official app store a total of 11 malicious applications, which have been installed more than 620,000 times. The offending apps, which were posing as photo editing utilities, smartphone wallpaper packs, and similar software, have been removed from Google Play.
When executed on an infected device, Fleckpe loads a library containing a dropper that fetches and executes a payload meant to establish a connection to the command-and-control (C&C) server and to send information about the infected device.
The server responds with a paid subscription page that the trojan loads in an invisible browser window. If the subscription process requires a confirmation code, the malware leverages previously requested access to the notification area, retrieves it, and enters it on the page to complete the subscription process.
Most of Fleckpe’s victims appear to be in Thailand, but the malware also infected devices in Indonesia, Malaysia, Poland, and Singapore.
The second newly identified malware, FluHorse, is also distributed via malicious applications. Unlike Fleckpe, however, these apps arrive on victims’ devices via phishing emails, cybersecurity firm Check Point reveals.
The malicious FluHorse apps mimic popular applications that have over 1 million installations in Google Play and which are specifically designed for users in Taiwan (a toll collection app) and Vietnam (a banking application). The malware was also seen mimicking a major transportation application.
The malware was designed to harvest victims’ credentials and two-factor authentication (2FA) codes transmitted via SMS and send them to its operators. Phishing emails containing lures related to paying tolls and directing victims to a fake website were used to distribute the malicious applications.
After the victim installs the malicious application, they are prompted to enter their credentials and then are told to wait for 10 or 15 minutes until the information is verified.
During this time, the threat actors attempt to use the credentials to perform malicious transactions and the malware abuses previously requested permissions to redirect any SMS confirmation codes to the attackers.
According to Check Point, the identified FluHorse victims are diverse and include high-profile entities such as government employees.