A new Android subscription malware known as “Fleckpe” has been downloaded more than 620,000 times from Google Play, the official Android app store. According to Kaspersky, Fleckpe has recently joined the ranks of other infamous Android spyware, including Jocker and Harly, that creates illegal payments by enrolling users in premium services.
Threat actors profit from illicit subscriptions by getting a portion of the monthly or one-time membership payments produced by the premium services. The total income is retained by the threat actors that run the services. According to Kaspersky’s data, the malware may have been operational since last year, but it was just recently identified and reported.
Thailand, Malaysia, Indonesia, Singapore, and Poland are where most Fleckpe sufferers live. However, infections can also be detected elsewhere in the world. On Google Play, 11 Fleckpe trojan apps distributed under the following names were found by Kaspersky to be posing as image editors, photo libraries, premium wallpapers, and more:
- com.draw.graffiti
- com.picture.pictureframe
- com.beauty.slimming.pro
- com.gif.camera.editor
- com.apps.camera.photos
- com.toolbox.photoeditor
- com.hd.h4ks.wallpaper
- com.microclip.vodeoeditor
- com.impressionism.prozs.app
- com.beauty.camera.plus.photoeditor
- com.urox.opixe.nightcamreapro
“All of the apps had been removed from the marketplace by the time our report was published, but the malicious actors might have deployed other, as yet undiscovered, apps, so the real number of installations could be higher.” clarifies Kaspersky in its report.
Android users who have already installed any of the applications mentioned above are urged to uninstall them right once and conduct an antivirus check to eradicate any leftover harmful malware that could still be present on their device. The malicious program demands access to notification content after installation since it needs this information to get subscription confirmation codes for various premium services.
A secret payload containing malicious code is decoded and then executed when a Fleckpe program is launched. The MCC (Mobile Country Code) and MNC (Mobile Network Code) of the newly infected device, as well as other basic information, are sent by this payload to the threat actor’s command and control (C2) server.
The malware accesses the website URL provided by the C2 in an unnoticed web browser window and registers the victim for a premium service. The malware will grab the confirmation code from the device’s notifications and insert it on the hidden screen if one is required to complete the subscription. The foreground of the app nevertheless gives users the functionality they were promised, concealing their true intent and lowering the possibility of suspicion.
Most of the subscription code from the payload to the native library has been moved in the most recent versions of Fleckpe that Kaspersky has investigated, leaving the payload in charge of intercepting alerts and displaying web pages. The most current payload version has also been enhanced with a layer of obfuscation. These changes, as per Kaspersky, were made to Fleckpe to make it more elusive and difficult to decipher.
Subscription trojans can nonetheless accrue unwanted charges, gather private information about the owner of the infected device, and potentially act as entry points for more harmful payloads while not being as destructive as spyware or data-stealing malware. Android users are recommended to only download apps from reputable sources and developers and pay attention to the required permissions during installation to protect themselves against these risks.
