Warning: New Android malware has infected many devices in Asia
(Baonghean.vn) - A recently identified Android Trojan has infected more than 600,000 users in Southeast Asia through the Google Play app store.
Security researchers are warning that two new Android Trojans have been discovered targeting users in Southeast Asia and East Asia, one of which has already amassed hundreds of thousands of installs via the Google Play app store.
According to a report by the famous Russian cybersecurity company Kaspersky, this Trojan, called Fleckpe, first appeared in 2022, distributed through malicious applications in the Google Play app store.
Kaspersky has identified a total of 11 malicious apps in the official Google Play app store, which have been installed more than 620,000 times. The malicious apps, including photo editing utilities, smartphone wallpaper packs and similar software, have been removed from the Google Play app store.
Once active on an infected device, the Fleckpe malware downloads a library containing a malicious program that establishes a connection to a command and control (C&C) server and sends information about the infected device.
The server responds with a paid registration page that the Trojan loads in an invisible browser window. If the registration process requires a confirmation code, the malware takes advantage of the previously requested access to the notification area, retrieves that code, and enters it into the page to complete the registration process.
Most of the victims of the Fleckpe malware were identified in Thailand, but the malware also infected users' devices in Indonesia, Malaysia, Poland, and Singapore.
The second newly identified malware, called FluHorse, is also distributed via malicious apps. However, unlike Fleckpe, these apps get onto victims’ devices via phishing emails, Israeli cybersecurity firm Check Point revealed.
The FluHorse malware mimics popular apps with over 1 million installs on the Google Play app store and is designed specifically for users in Taiwan (paywalled apps) and Vietnam (banking apps).
The malware was designed to collect victims’ login credentials and two-factor authentication (2FA) codes transmitted via SMS and send them to operators. The phishing emails contained lures related to paying tolls and directed victims to a fake website that was used to distribute the malicious apps.
Once the victim installs the malicious app, they are prompted to enter their login credentials and then asked to wait 10 or 15 minutes until the information is verified.
During this time, threat actors attempt to use the credentials to perform malicious transactions, and the malware abuses previously requested permissions to redirect any SMS confirmation codes to the attackers.
According to cybersecurity company Check Point, the victims of the FluHorse malware are diverse and include prominent figures such as government officials.
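Both Trojans depend on access the user granted earlier: Fleckpe reads confirmation codes from the notification area, and FluHorse redirects SMS codes. The following audit sketch is an added example, not code from Kaspersky, Check Point or the original article. It assumes a manifest already decoded to text XML, and the sample manifests and package names in it are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
INTERNET = "android.permission.INTERNET"

def audit_manifest(xml_text):
    """Return (finding, detail) pairs for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = []
    # Notification access: a service guarded by the listener binding permission
    # can read notification text, including one-time confirmation codes.
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == LISTENER_PERM:
            findings.append(("notification-listener", svc.get(ANDROID + "name")))
    # SMS access: the app can read incoming 2FA messages.
    for perm in sorted(requested & SMS_PERMS):
        findings.append(("sms-access", perm))
    # Either capability combined with network access lets codes leave the device.
    if findings and INTERNET in requested:
        findings.append(("can-exfiltrate", INTERNET))
    return findings

# Constructed sample manifests (hypothetical package and service names).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
WALLPAPER = f"""<manifest {NS} package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
TOLL = f"""<manifest {NS} package="com.example.tollpay">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application/>
</manifest>"""
BENIGN = f"""<manifest {NS} package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("wallpaper", WALLPAPER), ("toll", TOLL), ("notes", BENIGN)):
        print(label, audit_manifest(manifest))
```

A hit is a reason to review the app, not proof of malice: messaging and wearable companion apps request the same access legitimately, so the signal is strongest when the app's stated purpose (wallpapers, photo editing) gives it no need for it.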