Fleckpe- Android Subscription Trojans on Google's Play Store

The Google Play Store is the trusted place for Android users to download and install mobile apps safely, but what if the trusted source itself is spreading malicious applications? Every once in a while, such malware turns up on the store lurking as harmless apps. One of the most common kinds is the subscription trojan, which steals money without any user intervention.

In this article, we will discuss what Fleckpe (Android Subscription Trojans) is and how Fleckpe affects Android users.

What is Fleckpe and How Does It Affect Android Users?

Kaspersky has reported the discovery of a new Android malware called ‘Fleckpe’ on the Google Play store. The malware disguises itself as legitimate apps and has been downloaded over 620,000 times. Fleckpe falls under the category of subscription malware that charges users for premium services without their consent.

The malware has been active since 2022; a total of 11 trojan-infected apps were found and were taken down by Google from the Play Store. However, it is not known how many more of these malicious apps are still out in the wild, so the real number of installations may be higher.

The apps were distributed as image editors, premium wallpaper apps and similar utilities. Below are the 11 apps.

  • com.impressionism.prozs.app
  • com.picture.pictureframe
  • com.beauty.slimming.pro
  • com.beauty.camera.plus.photoeditor
  • com.microclip.vodeoeditor
  • com.gif.camera.editor
  • com.apps.camera.photos
  • com.toolbox.photoeditor
  • com.hd.h4ks.wallpaper
  • com.draw.graffiti
  • com.urox.opixe.nightcamreapro
Trojan apps on the Play Store (Kaspersky)

Fleckpe – Technical Analysis

Upon launching the application, a heavily obfuscated native library is loaded. It contains a malicious dropper that decrypts and executes a payload extracted from the application’s assets.

Upon execution, the payload establishes communication with the command-and-control (C&C) server belonging to the threat actors. The server receives various information about the compromised device, including its Mobile Country Code (MCC) and Mobile Network Code (MNC), which can be utilized to determine the user’s carrier and country of origin. In response, the C&C server provides a subscription page that requires payment. The Trojan then invisibly opens the page in a web browser and tries to subscribe on the user’s behalf. If the process demands a verification code, the malware retrieves it from the device’s notifications, to which it had obtained access during the initial launch.

After discovering the verification code, the Trojan inserts it into the corresponding field and finalizes the subscription procedure. The user, who remains oblivious to the fact, continues to utilize the application’s genuine features, such as editing photos or installing wallpapers. However, in reality, they are unknowingly enrolled in a paid service.

Entering confirmation code (Kaspersky)

The creators of the Trojan have made changes to make it harder to detect by security tools. They moved most of the subscription code to the native library and made the payload intercept notifications and view web pages, acting as a bridge between the native code and the Android components for subscription purchases. This makes the malware more complex to analyze. The payload doesn’t have much evasion capability, but the latest version has some code obfuscation.
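The chain described above (native library, opaque asset that is decrypted at runtime, notification access for the confirmation code) can be turned into a cheap static triage check. The following is an added example written for this article, not code from Kaspersky or from the malware; the thresholds and the in-memory stand-in APK are constructed assumptions, and the manifest is scanned for the permission string rather than fully parsed.

```python
import io
import math
import zipfile

# Permission a payload needs in order to read one-time codes from notifications.
NOTIF_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed blobs, lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_apk(apk: bytes, entropy_threshold: float = 7.5) -> dict:
    """Flag the three traits of the dropper chain; all three together merit a closer look.
    Real manifests are binary AXML whose string pool is usually UTF-16LE, so the
    permission is searched in both encodings instead of being parsed."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        names = z.namelist()
        manifest = z.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
        native_libs = [n for n in names if n.startswith("lib/") and n.endswith(".so")]
        opaque_assets = [n for n in names if n.startswith("assets/") and not n.endswith("/")
                         and shannon_entropy(z.read(n)) >= entropy_threshold]
    flags = {
        "native_library": bool(native_libs),
        "high_entropy_asset": bool(opaque_assets),
        "notification_listener": (NOTIF_PERM.encode("utf-8") in manifest
                                  or NOTIF_PERM.encode("utf-16-le") in manifest),
    }
    flags["suspicious"] = all(flags.values())
    return flags


def build_sample_apk(with_listener: bool = True) -> bytes:
    """Constructed in-memory stand-in for an APK (assumption, not a real sample)."""
    buf = io.BytesIO()
    perm = NOTIF_PERM if with_listener else "android.permission.INTERNET"
    with zipfile.ZipFile(buf, "w") as z:
        # mimic a binary AXML header followed by a UTF-16LE string pool entry
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + perm.encode("utf-16-le"))
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 64)
        # uniform byte distribution (entropy 8.0) stands in for an encrypted payload
        z.writestr("assets/config.dat", bytes(range(256)) * 16)
        z.writestr("assets/readme.txt", b"plain text, low entropy " * 100)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

An app that legitimately uses a notification listener (a wearable companion, for instance) will trip one flag, so treat the result as a prioritisation hint for manual review rather than a verdict.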


MITRE ATT&CK Enterprise Identifiers

  • T1005 (Data from Local System)
  • T1027 (Obfuscated Files or Information)
  • T1041 (Exfiltration Over C2 Channel)
  • T1082 (System Information Discovery)
  • T1105 (Ingress Tool Transfer)
  • T1140 (Deobfuscate/Decode Files or Information)
  • T1204.002 (Malicious File)
  • T1444 (Masquerade as Legitimate Application)
  • T1476 (Deliver Malicious App via Other Means)
  • T1517 (Access Notifications)
  • T1575 (Native API)

IOCs

MD5


C&C


Conclusion

The Trojan contained Thai MCC and MNC values hardcoded for testing, and Thai-speaking users were the dominant reviewers of the infected apps on Google Play. Despite this, victims of the malware were also found in other countries such as Poland, Malaysia, Indonesia, and Singapore.

The Trojan is evolving so that the user remains unaware of the malicious background activity and keeps using the legitimate features available in the app. To prevent financial loss from such an infection, exercise caution with apps, even those from Google Play. Avoid granting unnecessary permissions and install an antivirus program that can detect this type of Trojan.

I hope this article helped you learn what Fleckpe (Android Subscription Trojans) is and how Fleckpe affects Android users. Please share this post and help secure the digital world.

Frequently Asked Questions:

1. What is Fleckpe?

Fleckpe is a new Android malware discovered by Kaspersky on the Google Play Store. It disguises itself as a legitimate app and charges users for premium services without their consent.

2. What type of malware is Fleckpe?

Fleckpe falls under the category of subscription malware. This type of malware charges users for premium services without their knowledge or consent.

3. How does Fleckpe work?

Once the infected app is launched, Fleckpe loads a malevolent dropper that decrypts and executes a payload extracted from the app’s assets. It then establishes communication with the command-and-control (C&C) server, receiving subscription pages that require payment. The Trojan opens the page invisibly in a web browser and attempts to subscribe on the user’s behalf. It can also retrieve verification codes from the device’s notifications, completing the subscription process without the user’s knowledge.

4. Which apps were found to be infected with Fleckpe?

The infected apps were primarily distributed as image editors and premium wallpaper apps. Some of the identified apps include com.impressionism.prozs.app, com.picture.pictureframe, com.beauty.slimming.pro, com.beauty.camera.plus.photoeditor, and com.microclip.vodeoeditor, among others.

5. How can I protect myself from Fleckpe?

To protect yourself from Fleckpe and other similar malware, exercise caution when downloading apps, even from trusted sources like Google Play. Avoid granting unnecessary permissions and consider installing an antivirus program that can detect this type of Trojan.

6. How many times has Fleckpe been downloaded?

Fleckpe-disguised apps have been downloaded over 620,000 times as reported by Kaspersky. However, the real number might be higher as it’s unclear how many more infected apps are still available.

7. Who are the primary victims of Fleckpe?

While the Trojan contained Thai MCC and MNC values for testing and Thai-speaking users were the dominant reviewers of the infected apps, victims of the malware have been found in other countries such as Poland, Malaysia, Indonesia, and Singapore.

8. Has Google taken any action against Fleckpe-infected apps?

Yes, Google has taken down 11 apps from the Play Store that were found to be infected with the Fleckpe Trojan. However, it’s uncertain how many more infected apps may still be available.

9. Is Fleckpe easy to detect?

The creators of Fleckpe have made changes to make it harder to detect by security tools, moving most of the subscription code to the native library, and adding code obfuscation in the latest version. This makes the malware more complex to analyze.

10. What are the signs of a Fleckpe infection?

The Trojan works in the background without the user’s knowledge. Users may notice unexpected charges for premium services or receive messages related to subscriptions they didn’t initiate. They might also notice unusual behavior in the infected app.

About the author

Aroma Rose Reji

Aroma is a cybersecurity professional with more than four years of experience in the industry. She has a strong background in detecting and defending against cyber-attacks and holds multiple global certifications, including eCTHPv2, CEH, and CTIA. She is a pet lover and, in her free time, enjoys spending time with her cat, cooking, and traveling. You can connect with her on LinkedIn.
