A new Android subscription malware named Fleckpe has been unearthed on the Google Play Store, amassing more than 620,000 downloads in total since 2022.
Kaspersky, which identified 11 apps on the official app storefront, said the malware masqueraded as legitimate photo editing apps, camera, and smartphone wallpaper packs. The apps have since been taken down.
The operation primarily targeted users from Thailand, although telemetry data gathered by the Russian cybersecurity firm has revealed victims in Poland, Malaysia, Indonesia, and Singapore.
The apps offer the promised functionality to avoid raising red flags, but conceal their real purpose under the hood. The list of the offending apps is as follows –
- Beauty Camera Plus (com.beauty.camera.plus.photoeditor)
- Beauty Photo Camera (com.apps.camera.photos)
- Beauty Slimming Photo Editor (com.beauty.slimming.pro)
- Fingertip Graffiti (com.draw.graffiti)
- GIF Camera Editor (com.gif.camera.editor)
- HD 4K Wallpaper (com.hd.h4ks.wallpaper)
- Impressionism Pro Camera (com.impressionism.prozs.app)
- Microclip Video Editor (com.microclip.vodeoeditor)
- Night Mode Camera Pro (com.urox.opixe.nightcamreapro)
- Photo Camera Editor (com.toolbox.photoeditor)
- Photo Effect Editor (com.picture.pictureframe)
“When the app starts, it loads a heavily obfuscated native library containing a malicious dropper that decrypts and runs a payload from the app assets,” Kaspersky researcher Dmitry Kalinin said.
The payload, for its part, is designed to contact a remote server and transmit information about the compromised device (e.g., Mobile Country Code and Mobile Network Code), following which the server responds back with a paid subscription page.
The malware subsequently opens the page in an invisible web browser window and attempts to subscribe on the user’s behalf by abusing its permissions to access notifications and obtain the confirmation code required to complete the step.
In a sign that Fleckpe is being actively developed, recent versions of the malware have moved most of the malicious functionality to the native library in a bid to evade detection by security tools.
“The payload now only intercepts notifications and views web pages, acting as a bridge between the native code and the Android components required for purchasing a subscription,” Kalinin noted.
“Unlike the native library, the payload has next to no evasion capabilities, although the malicious actors did add some code obfuscation to the latest version.”
This is not the first time subscription malware has been found on the Google Play Store. Fleckpe joins other fleeceware families like Joker (aka Bread or Jocker) and Harly, which subscribe infected devices to unwanted premium services and conduct billing fraud.
While such apps are not as dangerous as spyware or financial trojans, they can still incur unauthorized charges and be repurposed by its operators to harvest a wide range of sensitive information and serve as entry points for more nefarious malware.
If anything, the findings are yet another indication that threat actors are continuing to discover new ways to sneak their apps onto official app marketplaces to scale their campaigns, requiring that users exercise caution when downloading apps and granting permissions to them.
“Growing complexity of the trojans has allowed them to successfully bypass many anti-malware checks implemented by the marketplaces, remaining undetected for long periods of time,” Kalinin said.