Fleckpe Mobile Malware

A new Android subscription-based malware, named Fleckpe, has been discovered on Google Play, the official Android app store. The malware is camouflaged as several legitimate applications and has so far managed to amass over 600 000 downloads. Fleckpe is one of many Android malware threats that fraudulently subscribe users to premium services and generate unauthorized charges. Threat actors behind such malware make money by receiving a portion of the monthly or one-time subscription fees generated through the premium services.

If the threat actors themselves operate the services, they are likely to keep the entire revenue. Fleckpe's discovery is the latest example of cybercriminals exploiting the trust and popularity of reputable application stores to distribute threatening software.

Fleckpe Spreads Through Trojanized Applications on the Google Play Store

Although the Fleckpe Trojan has been active for over a year, it was only recently uncovered and documented. The majority of Fleckpe's victims reside in Thailand, Malaysia, Indonesia, Singapore, and Poland, with a smaller number of infections found worldwide.

So far, 11 different applications carrying the Fleckpe malware have been discovered and removed from the Google Play store. These applications were disguised as image editors, photo libraries, premium wallpapers, and other seemingly legitimate programs. The names of the threatening applications are com.impressionism.pros.app, com.beauty.camera.plus.photoeditor, com.beauty.slimming.pro, com.picture.pictureframe, com.microchip.vodeoeditor, com.gif.camera.editor, com.apps.camera.photos, com.toolbox.photoeditor, com.hd.h4ks.wallpaper, com.draw.graffiti and com.urox.opixe.nightcamreapro.

Although all of these applications have been removed from the marketplace, it's possible that the attackers may create other applications, so the number of installations could be higher than what is currently known.

The Fleckpe Malware Makes Unauthorized Subscriptions to Expensive Services

When a user installs a Fleckpe app, the application requests access to notification content. This access is required to capture the subscription confirmation codes used by many premium services. Once the application is launched, it decodes a hidden payload that contains the malicious code. When executed, the payload tries to contact the threat actor's Command-and-Control (C2) server to send basic information about the infected device. The transmitted data includes the Mobile Country Code (MCC) and Mobile Network Code (MNC).

In response, the C2 server provides a website address that the Trojan opens in an invisible web browser window. The malware then subscribes the victim to a premium service without their knowledge or consent. If a confirmation code is required, Fleckpe retrieves it from the device's notifications and submits it on the hidden screen to complete the subscription process.

Despite their nefarious purpose, the Fleckpe applications still provide their advertised functionality to the victim. This helps to conceal their true intentions and reduces the likelihood of raising suspicion.
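
Because the apps keep working as advertised, an audit of installed packages and notification access is more reliable than waiting for visible symptoms. The following is an added example, not part of the original article or of any researcher's tooling: a Python check that compares the output of `adb shell pm list packages` with the package names listed on this page (whitespace removed, since Android package names cannot contain spaces) and reports which apps hold notification access according to `adb shell settings get secure enabled_notification_listeners`. The sample device output, the listener class names and the `com.example.*` packages are constructed for illustration.

```python
# Added example: audit a device for the package names listed on this page
# and for apps holding notification access. Sample inputs are constructed.
FLECKPE_PACKAGES = {  # names as given on this page, whitespace removed
    "com.impressionism.pros.app", "com.beauty.camera.plus.photoeditor",
    "com.beauty.slimming.pro", "com.picture.pictureframe",
    "com.microchip.vodeoeditor", "com.gif.camera.editor",
    "com.apps.camera.photos", "com.toolbox.photoeditor",
    "com.hd.h4ks.wallpaper", "com.draw.graffiti",
    "com.urox.opixe.nightcamreapro",
}

def parse_packages(pm_output):
    """Parse `pm list packages` output: one 'package:<name>' per line."""
    prefix = "package:"
    return {line.strip()[len(prefix):] for line in pm_output.splitlines()
            if line.strip().startswith(prefix)}

def parse_listeners(setting_value):
    """Parse the colon-separated 'pkg/class' list into package names."""
    value = setting_value.strip()
    if not value or value == "null":  # `settings get` prints null when unset
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def audit(pm_output, listeners_value, allowlist=frozenset()):
    """Cross-reference installed packages with notification listeners."""
    installed = parse_packages(pm_output)
    listeners = parse_listeners(listeners_value)
    known = installed & FLECKPE_PACKAGES
    return {
        "known_fleckpe": sorted(known),
        "known_with_notification_access": sorted(known & listeners),
        # Anything else reading notifications deserves a manual review.
        "review_notification_access": sorted(listeners - known - set(allowlist)),
    }

# Constructed sample device output (not captured from a real device).
SAMPLE_PM = """package:com.android.systemui
package:com.draw.graffiti
package:com.example.wallpapers
package:com.example.companion
"""
SAMPLE_LISTENERS = ("com.draw.graffiti/com.draw.graffiti.NotifyService:"
                    "com.example.wallpapers/.Listener:"
                    "com.example.companion/.WatchListener")

if __name__ == "__main__":
    report = audit(SAMPLE_PM, SAMPLE_LISTENERS, {"com.example.companion"})
    for key, pkgs in report.items():
        print(f"{key}: {', '.join(pkgs) or 'none'}")
```

The allowlist is for apps that legitimately need notification access, such as a smartwatch companion; a wallpaper or photo-editing app on the review list has no obvious reason to read notifications.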

Cybercriminals Continue to Update the Fleckpe Android Malware

The most recent versions of the Fleckpe Mobile malware have undergone some changes. The developers have moved a significant part of the code carrying out the unauthorized subscriptions from the payload to the native library. The payload now focuses on intercepting notifications and displaying web pages.

Moreover, the latest version of the payload includes a layer of obfuscation. Researchers believe that these modifications were made to make Fleckpe more difficult to analyze and increase its evasiveness.

While they may not be considered as dangerous as spyware or data-stealing malware, subscription Trojans can still cause significant harm. They can result in unauthorized charges, collect sensitive information about the user, and act as entry points for the deployment of more potent payloads.
