Table of Contents
  • Home
  • /
  • Blog
  • /
  • Fleckpe- Android Subscription Trojans on Google’s Play Store
May 17, 2023

Fleckpe- Android Subscription Trojans on Google’s Play Store

Fleckpe Android Subscription Trojans On Googles Play Store

Google play store is the trusted place for Android users to download and install mobile apps safely, but what if the trusted source itself is spreading malicious applications? Every once in a while, we can find such kinds of malware lurking as harmless apps. The most popular service is the subscription trojans which steal money without user intervention. 

In this article, we will discuss what Fleckpe (Android Subscription Trojans) is and how Fleckpe affects Android users.

What is Fleckpe and How Does It Affect Android Users?

Kaspersky has reported the discovery of a new Android malware called Fleckpe on the Google Play store. The malware disguises itself as legitimate apps and has been downloaded over 620,000 times. Fleckpe falls under the category of subscription malware that charges users for premium services without their consent.

It was observed that this malware has been active since 2022; a total of 11 trojan-infected apps were found and were successfully taken down by Google from the play store. However, we are not sure how many more of these malicious apps are still out in the wild, so the real number of installations can be higher.

The apps were distributed as image editors, premium wallpaper, etc. Below are the 11 apps.


  • com.picture.picture frame


  • editor

  • com.microclip.vodeoeditor



  • editor

  • com.hd.h4ks.wallpaper

  • com.draw.graffiti

  • com.urox.opixe.nightcamreapro

Trojan App on play store (Kaspersky)

Trojan App on play store (Kaspersky)

Fleckpe – Technical Analysis

Upon launching the application, a complexly obscured native library is loaded, which contains a malevolent dropper that decrypts and executes a payload extracted from the applications assets.

Upon execution, the payload establishes communication with the command-and-control (C&C) server belonging to the threat actors. The server receives various information about the compromised device, including its Mobile Country Code (MCC) and Mobile Network Code (MNC), which can be utilized to determine the users carrier and country of origin. In response, the C&C server provides a subscription page that requires payment. The Trojan then invisibly opens the page in a web browser and tries to subscribe on the users behalf. If the process demands a verification code, the malware retrieves it from the devices notifications, to which it had obtained access during the initial launch.

After discovering the verification code, the Trojan inserts it into the corresponding field and finalizes the subscription procedure. The user, who remains oblivious to the fact, continues to utilize the applications genuine features, such as editing photos or installing wallpapers. However, in reality, they are unknowingly enrolled in a paid service.

Entering confirmation code (Kaspersky)

The creators of the Trojan have made changes to make it harder to detect by security tools. They moved most of the subscription code to the native library and made the payload intercept notifications and view web pages, acting as a bridge between the native code and the Android components for subscription purchases. This makes the malware more complex to analyze. The payload doesnt have much evasion capability, but the latest version has some code obfuscation.

MITRE ATT&CK Enterprise Identifiers

  • T1005 (Data from Local System)

  • T1027 (Obfuscated Files or Information)

  • T1041 (Exfiltration Over C2 Channel)

  • T1082 (System Information Discovery)

  • T1105 (Ingress Tool Transfer)

  • T1140 (Deobfuscate/Decode Files or Information)

  • T1204.002 (Malicious File)

  • T1444 (Masquerade as Legitimate Application)

  • T1476 (Deliver Malicious App via Other Means)

  • T1517 (Access Notifications)

  • T1575 (Native API)



  • F671A685FC47B83488871AE41A52BF4C

  • 5CE7D0A72B1BD805C79C5FE3A48E66C2

  • D39B472B0974DF19E5EFBDA4C629E4D5

  • 175C59C0F9FAB032DDE32C7D5BEEDE11

  • 101500CD421566690744558AF3F0B8CC

  • 7F391B24D83CEE69672618105F8167E1

  • F3ECF39BB0296AC37C7F35EE4C6EDDBC

  • E92FF47D733E2E964106EDC06F6B758A

  • B66D77370F522C6D640C54DA2D11735E

  • 3D0A18503C4EF830E2D3FBE43ECBE811

  • 1879C233599E7F2634EF8D5041001D40

  • C5DD2EA5B1A292129D4ECFBEB09343C4

  • DD16BD0CB8F30B2F6DAAC91AF4D350BE

  • 2B6B1F7B220C69D37A413B0C448AA56A

  • AA1CEC619BF65972D220904130AED3D9

  • 0BEEC878FF2645778472B97C1F8B4113

  • 40C451061507D996C0AB8A233BD99FF8

  • 37162C08587F5C3009AFCEEC3EFA43EB

  • BDBBF20B3866C781F7F9D4F1C2B5F2D3

  • 063093EB8F8748C126A6AD3E31C9E6FE

  • 8095C11E404A3E701E13A6220D0623B9

  • ECDC4606901ABD9BB0B160197EFE39B7


  • hxxp://ac.iprocam[.]xyz

  • hxxp://ad.iprocam[.]xyz

  • hxxp://ap.iprocam[.]xyz

  • hxxp://b7.photoeffect[.]xyz

  • hxxp://ba3.photoeffect[.]xyz

  • hxxp://f0.photoeffect[.]xyz

  • hxxp://m11.slimedit[.]live

  • hxxp://m12.slimedit[.]live

  • hxxp://m13.slimedit[.]live

  • hxxp://ba.beautycam[.]xyz

  • hxxp://f6.beautycam[.]xyz

  • hxxp://f8a.beautycam[.]xyz

  • hxxp://ae.mveditor[.]xyz

  • hxxp://b8c.mveditor[.]xyz

  • hxxp://d3.mveditor[.]xyz

  • hxxp://fa.gifcam[.]xyz

  • hxxp://fb.gifcam[.]xyz

  • hxxp://fl.gifcam[.]xyz

  • hxxp://a.hdmodecam[.]live

  • hxxp://b.hdmodecam[.]live

  • hxxp://l.hdmodecam[.]live

  • hxxp://vd.toobox[.]online

  • hxxp://ve.toobox[.]online

  • hxxp://vt.toobox[.]online

  • hxxp://54.245.21[.]104

  • hxxp://t1.twmills[.]xyz

  • hxxp://t2.twmills[.]xyz

  • hxxp://t3.twmills[.]xyz

  • hxxp://api.odskguo[.]xyz

  • hxxp://gbcf.odskguo[.]xyz

  • hxxp://track.odskguo[.]xyz


The Trojan contained Thai MCC and MNC values hardcoded for testing, and Thai-speaking users were the dominant reviewers of the infected apps on Google Play. Despite this, victims of the malware were also found in other countries such as Poland, Malaysia, Indonesia, and Singapore.

The Trojan is evolving in such a way the user is not aware of all the malicious background activity and continues to use the legitimate features available in the app. To prevent financial loss due to malware infection, its advisable to exercise caution with apps, even if they are from Google Play. Avoid granting unnecessary permissions and install an antivirus program that can detect this type of Trojan.

I hope this article helped in learning what is Fleckpe (Android Subscription Trojans) and how Fleckpe affects Android users. Please share this post and help secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this. 

Aroma Rose Reji

Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending cyber-attacks and possesses multiple global certifications like eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.

Recently added

Cloud & OS Platforms

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription