Researchers found Android malware masquerading as a legitimate application available and downloaded over 620,000 times from the Google Play store. The apps have been active since 2022, posing as legitimate photo-editing apps, camera editors and smartphone wallpaper packs.

Researchers found 11 legitimate applications infected with the malware, dubbed Fleckpe by Kaspersky, which have been since taken down.

Upon download, the app loads a complicated native library through a malicious dropper. The dropper executes a payload from the app asset, which sends the infected device’s mobile code to a command-and-control server. The server then sends a paid subscription page, which the Trojan opens in an invisible web browser to subscribe the user.