Fleckpe Android Malware Installed 620,000 Times
The cybersecurity company Kaspersky recently detected 11 trojanized apps carrying the Fleckpe malware on the Google Play Store. These apps, disguised as media editors and wallpaper apps, subscribed unsuspecting users to paid services without their consent and were downloaded over 620,000 times in total. Although the apps did function as advertised, they also covertly executed a malicious payload that communicated with the cybercriminals' command and control server.
According to Kaspersky, the culprit is a new malware family called Fleckpe, which joins other Android malware that generates unauthorized subscriptions, such as Jocker and Harly. Threat actors profit from these unauthorized subscriptions by taking a percentage of the monthly or one-time fees charged by the premium services. In some cases, the threat actors run the subscription services themselves, allowing them to keep 100% of the revenue.
The malware campaign primarily targets users in Thailand, but Kaspersky's telemetry data indicates that victims in other countries like Poland, Malaysia, Indonesia, and Singapore have also been affected. The offending apps identified by Kaspersky are:
- Beauty Camera Plus (com.beauty.camera.plus.photoeditor)
- Beauty Photo Camera (com.apps.camera.photos)
- Beauty Slimming Photo Editor (com.beauty.slimming.pro)
- Fingertip Graffiti (com.draw.graffiti)
- GIF Camera Editor (com.gif.camera.editor)
- HD 4K Wallpaper (com.hd.h4ks.wallpaper)
- Impressionism Pro Camera (com.impressionism.prozs.app)
- Microclip Video Editor (com.microclip.vodeoeditor)
- Night Mode Camera Pro (com.urox.opixe.nightcamreapro)
- Photo Camera Editor (com.toolbox.photoeditor)
- Photo Effect Editor (com.picture.pictureframe)
If you have one of the above apps currently installed, it is recommended to uninstall it immediately and to check your Google Play subscriptions for any unauthorized charges.
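As an added triage check (example code written for this article, not part of Kaspersky's report), the script below matches the package names listed above against the output of `adb shell pm list packages` and builds the corresponding `adb shell pm uninstall --user 0` commands for any hits. The sample output embedded in the script is constructed for demonstration; on a real device you would feed it the text returned by adb.

```python
"""
Triage helper: match installed Android package names against the Fleckpe
package list published in the article above.

Added example, not Kaspersky's code. Input is the text produced by
`adb shell pm list packages` (one line per package, formatted
"package:<name>"); the sample below is constructed for demonstration.
"""

# Package names exactly as listed in the article (Kaspersky's indicators).
FLECKPE_PACKAGES = frozenset({
    "com.beauty.camera.plus.photoeditor",
    "com.apps.camera.photos",
    "com.beauty.slimming.pro",
    "com.draw.graffiti",
    "com.gif.camera.editor",
    "com.hd.h4ks.wallpaper",
    "com.impressionism.prozs.app",
    "com.microclip.vodeoeditor",
    "com.urox.opixe.nightcamreapro",
    "com.toolbox.photoeditor",
    "com.picture.pictureframe",
})


def parse_pm_list(output: str) -> list[str]:
    """Extract package names from `pm list packages` output.

    Lines look like "package:com.example.app"; anything else (blank lines,
    warnings printed to the same stream) is ignored. Names are lower-cased
    and stripped so trailing whitespace or CR characters from adb do not
    break matching.
    """
    names = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.append(line[len("package:"):].strip().lower())
    return names


def find_fleckpe(installed: list[str]) -> list[str]:
    """Return installed package names that match the known Fleckpe list,
    in the order they appeared in the input, with duplicates collapsed."""
    seen = set()
    hits = []
    for pkg in installed:
        if pkg in FLECKPE_PACKAGES and pkg not in seen:
            seen.add(pkg)
            hits.append(pkg)
    return hits


def uninstall_commands(hits: list[str]) -> list[str]:
    """Build the adb commands an administrator would run to remove each hit
    for the primary user (user 0). Commands are returned, not executed."""
    return [f"adb shell pm uninstall --user 0 {pkg}" for pkg in hits]


# Constructed sample: what `adb shell pm list packages -3` (third-party apps
# only) might print on a device that has two of the listed apps installed
# alongside benign third-party apps.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.hd.h4ks.wallpaper
package:org.mozilla.firefox
package:com.microclip.vodeoeditor
package:com.example.notes
"""


def triage(output: str = SAMPLE_PM_OUTPUT) -> dict:
    """Run the full check and return a summary dictionary."""
    installed = parse_pm_list(output)
    hits = find_fleckpe(installed)
    return {
        "installed_count": len(installed),
        "hits": hits,
        "uninstall": uninstall_commands(hits),
    }


if __name__ == "__main__":
    result = triage()
    print(f"{result['installed_count']} packages checked")
    if not result["hits"]:
        print("No packages from the Fleckpe list found.")
    for pkg, cmd in zip(result["hits"], result["uninstall"]):
        print(f"MATCH {pkg}\n  remove with: {cmd}")
    print("Also review active subscriptions in Google Play for unrecognized charges.")
```

Matching is done on exact package names, which is how Google Play identifies an app; a match is a reliable indicator, but a clean result only means none of the eleven published packages is present, not that the device is free of other, still-undiscovered Fleckpe apps.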
"When the app starts, it loads a heavily obfuscated native library containing a malicious dropper that decrypts and runs a payload from the app assets," Kaspersky researcher Dmitry Kalinin said in the report.
The trojan first contacts the attacker's command and control (C2) server and transmits device information such as the Mobile Country Code (MCC) and Mobile Network Code (MNC).
The C2 server responds with a website address, which the app opens in an invisible web browser window to subscribe the victim to a premium service. If required, the malware retrieves a confirmation code from the device's notifications and submits it on the hidden screen to complete the subscription. The app's visible features continue to provide promised functionality, concealing its actual malicious purpose and reducing the likelihood of detection.
Recent versions of Fleckpe shift the subscription code from the payload to the native library, leaving the payload as a lightweight program that simply intercepts notifications and covertly views web pages.
Kaspersky stated in its report that “all of the apps had been removed from the marketplace by the time our report was published but the malicious actors might have deployed other, as yet undiscovered, apps”.