Over 600,000 Android users infected with malware on Google Play — delete these apps now

Green skull on smartphone screen.
(Image credit: Shutterstock)

Although malicious apps normally try to install malware or adware on your smartphone, a new batch of bad apps has been discovered that's actually signing users up for premium subscription services instead.

According to a new report from the cybersecurity firm Kaspersky, subscription trojans are being added to seemingly harmless Android apps in an attempt to defraud unsuspecting users.

We've seen this before with the infamous Joker and Harly malware, both of which used similar tactics to secretly subscribe users to paid services. This new subscription trojan has been dubbed “Fleckpe” by Kaspersky’s researchers and it's currently being spread through photo editing apps, smartphone wallpaper packs and other utilities for the best Android phones.

According to Kaspersky, this subscription trojan has been active since last year and so far, it has been installed on over 620,000 devices. What makes Fleckpe and other subscription trojans so dangerous though is that you might not even realize your smartphone has been infected and that you’ve been subscribed to a paid service without your knowledge. 

Delete these apps right now

Fortunately, all of the apps listed below have since been removed from the Google Play Store. However, if you have one of them installed on your smartphone, you will need to manually delete it. Here are all of the Fleckpe-infected apps that have been discovered so far:

  • Beauty Camera Plus
  • Beauty Photo Camera 
  • Beauty Slimming Photo Editor
  • Fingertip Graffiti 
  • GIF Camera Editor 
  • HD 4K Wallpaper
  • Impressionism Pro Camera
  • Microclip Video Editor 
  • Night Mode Camera Pro
  • Photo Camera Editor
  • Photo Effect Editor

Keep in mind though that there could be other apps infected with the Fleckpe subscription trojan out there. We'll update this story if more are discovered but in the meantime, you want to make sure that none of the apps above are installed on your smartphone.

Secretly signing users up paid subscriptions

Once a user downloads a Fleckpe-infected app onto their smartphone, the trojan loads a heavily obfuscated native library that contains “a malicious dropper that decrypts and runs a payload from the app assets”.

From here, the payload contacts a command and control (C&C) server controlled by the hackers behind this campaign to send over a device’s Mobile Country Code (MCC) and Mobile Network Code (MNC), which are used to identify where the victim lives along with their mobile carrier.

The C&C server sends over a paid subscription page that is opened by the trojan in an invisible web browser. It then tries to sign the user up for a paid subscription which requires a confirmation code. As Fleckpe-infected apps ask for permission to access a user’s notifications, the trojan is able to get this confirmation code and enter it to confirm the subscription.

All of this occurs in the background and for the end user whose device is infected, the apps themselves work as they normally should to avoid giving away the trojan’s presence.

How to stay safe from malicious apps

A hand holding a phone securely logging in

(Image credit: Google)

Subscription trojans have become increasingly popular with scammers as they are comparatively easy to get onto Google Play and other official Android app stores. This is why you always need to be cautious when installing new apps.

Even if an app has a high rating and a lot of downloads, as was the case here, it could still be malicious. This is why you want to avoid installing unnecessary apps onto your devices. Before installing any new app, ask yourself first if you really need it. Paid apps are much less likely to be malicious when compared to free ones, so paying a few dollars here and there can help keep you safe.

To protect your devices further, you should ensure that Google Play Protect is enabled on your smartphone as it continually scans both new and existing apps for malware. At the same time, you may also want to install one of the best Android antivirus apps for additional protection.

In a statement to Tom's Guide, a Google spokesperson provided further details on how the search giant handles malicious apps like the ones detailed above, saying:

 "When we find apps that violate our policies, we take appropriate action. Users are also protected by Google Play Protect, which can warn users or block identified malicious apps on Android devices.”

Subscription trojans likely aren’t going anywhere anytime soon though as they can be quite profitable for scammers since most users fail to discover unwanted subscriptions right away. This is why you should regularly check for subscriptions on the Play Store by tapping your profile icon and heading to the Payments & subscriptions tab. Here you’ll find all of your subscriptions along with any you might have been subscribed to against your will.

More from Tom's Guide

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

  • Patterner
    it still boggles my mind that there is no App that just checks all installed apps and reports those that are not in the Play store anymore.
  • anscarlett
    You should include all the apps and services that offer a free trial, but require you to set up a paid account first and automatically start charging.

    App stores should identify ALL costs with a simple set of icons that highlight them, and allow the user to filter them permanently.

    App stores should also allow personal labelling and filtering. Currently I have to abuse the rating system to give myself a clue as to if I previously tried an app and uninstalled it, by adding notes about my experience