Android subscription malware ‘Fleckpe’ found on Google Play
Kaspersky Lab has discovered a new Android subscription trojan known as ‘Fleckpe’ on Google Play, the main app store for Android smartphones. The malware, disguised as legitimate apps, has amassed over 620,000 downloads, posing a serious threat to unwary users around the world.
Fleckpe, like other well-known Android malware families such as Jocker and Harly, subscribes victims to premium services without their knowledge. The main goal of the threat actors behind such malware is to profit from unauthorized subscriptions by obtaining a share of the monthly or one-time fees generated by these premium services. Notably, when the threat actors operate these services themselves, they keep the full amount, making it a highly profitable scheme.
Although the malware has been active since last year, Kaspersky only recently discovered and documented its presence. According to Kaspersky’s data, the bulk of Fleckpe’s victims live in Thailand, Malaysia, Indonesia, Singapore, and Poland, with a smaller number of infections recorded elsewhere.
Kaspersky’s research resulted in the discovery of 11 Fleckpe trojan applications posing as image editors, photo libraries, premium wallpapers, and other services on Google Play. The malicious apps were published under a variety of package names, including com.impressionism.prozs.app, com.picture.pictureframe, com.beauty.slimming.pro, com.beauty.camera.plus.photoeditor, com.microclip.vodeoeditor, com.gif.camera.editor, com.apps.camera.photos, com.toolbox.photoeditor, com.hd.h4ks.wallpaper, com.draw.graffiti, and com.urox.opixe.nightcamreapro. According to Kaspersky, these apps have since been removed from the store.
Upon installation, the malicious app requests access to notification content, which allows it to read subscription confirmation codes sent by premium services. When the Fleckpe app is launched, it decodes a concealed payload containing the malicious code, which is then executed. This payload connects to the threat actor’s command and control (C2) server and transmits information about the infected device, such as the Mobile Country Code (MCC) and Mobile Network Code (MNC).
The C2 server responds with a URL, which the malware loads in an invisible web browser window. Through this page the victim is secretly subscribed to a premium service. If a confirmation code is required, the malware immediately collects it from the device’s notifications and enters it into the hidden page, completing the subscription. To further deceive users, the app keeps performing its advertised functionality, such as photo editing or wallpaper installation, hiding its real purpose and minimizing suspicion.
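The two capabilities the article describes, reading notification content to harvest confirmation codes and reaching a server to fetch the hidden subscription page, both leave traces a defender can check. The following script is an added example written for this piece; it is not Kaspersky's tooling or code from the malware. It scans a decoded AndroidManifest.xml for a service that binds as a NotificationListenerService (the Android mechanism behind "access to notification content") alongside the INTERNET permission, flags package names matching the Fleckpe samples listed above, and parses the device-side list of apps that have actually been granted notification access (the value of the Android secure setting `enabled_notification_listeners`, as printed by `adb shell settings get secure enabled_notification_listeners`). The sample manifest, its package name `com.example.photoeditor.constructed` and the listener component names in the tests are constructed placeholders.

```python
"""Defender-side triage for notification-listener abuse of the kind Fleckpe uses.

Added example, not code from the article, Kaspersky, or the malware.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LISTENER_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"
INTERNET_PERMISSION = "android.permission.INTERNET"

# Package names Kaspersky attributed to Fleckpe, as listed in the article.
FLECKPE_PACKAGES = frozenset({
    "com.impressionism.prozs.app", "com.picture.pictureframe",
    "com.beauty.slimming.pro", "com.beauty.camera.plus.photoeditor",
    "com.microclip.vodeoeditor", "com.gif.camera.editor",
    "com.apps.camera.photos", "com.toolbox.photoeditor",
    "com.hd.h4ks.wallpaper", "com.draw.graffiti",
    "com.urox.opixe.nightcamreapro",
})

# Constructed sample manifest: a "photo editor" that declares a notification
# listener service. The package name is a placeholder, not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoeditor.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Photo Editor">
        <activity android:name=".MainActivity"/>
        <service android:name=".NotifReader"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""


def _android_attr(elem, attr):
    """Read an attribute from the android: namespace (e.g. android:name)."""
    return elem.get("{%s}%s" % (ANDROID_NS, attr))


def triage_manifest(manifest_xml):
    """Return a dict of risk signals found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    permissions = {_android_attr(e, "name") for e in root.iter("uses-permission")}

    # A notification listener is recognisable either by the binding permission
    # on the <service> or by the intent-filter action it registers for.
    listeners = []
    for svc in root.iter("service"):
        actions = {_android_attr(a, "name") for a in svc.iter("action")}
        if _android_attr(svc, "permission") == LISTENER_PERMISSION or LISTENER_ACTION in actions:
            listeners.append(_android_attr(svc, "name"))

    findings = []
    if package in FLECKPE_PACKAGES:
        findings.append("package name matches a Fleckpe sample reported by Kaspersky")
    if listeners:
        findings.append("declares notification listener service(s): " + ", ".join(listeners))
    if listeners and INTERNET_PERMISSION in permissions:
        findings.append("notification access combined with network access: "
                        "confirmation codes read from notifications can be relayed")
    return {
        "package": package,
        "listener_services": listeners,
        "has_internet": INTERNET_PERMISSION in permissions,
        "findings": findings,
    }


def parse_enabled_listeners(raw_setting):
    """Parse the 'pkg/cls:pkg2/cls2' setting value into (package, class) tuples.

    Android prints 'null' when no app holds notification access, and
    abbreviates a class to '.Name' when it lives inside the package.
    """
    raw = raw_setting.strip()
    if not raw or raw == "null":
        return []
    components = []
    for component in raw.split(":"):
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        components.append((pkg, cls))
    return components


def suspicious_listeners(raw_setting, allowlist):
    """Listeners granted on the device whose package is not on a known-good allowlist."""
    return [c for c in parse_enabled_listeners(raw_setting) if c[0] not in allowlist]


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    for finding in report["findings"]:
        print("[!]", report["package"], "-", finding)
    # Constructed device output: one expected listener and one unknown app.
    granted = "com.example.wearable/.ListenerService:com.example.photoeditor.constructed/.NotifReader"
    for pkg, cls in suspicious_listeners(granted, {"com.example.wearable"}):
        print("[!] unexpected notification access:", pkg, cls)
```

The manifest check is a triage signal, not a verdict: legitimate apps such as wearable companions and notification managers declare the same service, so the combination of a listener with a cosmetic app category (photo editor, wallpaper) and network access is what should prompt a closer look at the code it ships with.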
Kaspersky has found that in recent versions of Fleckpe, the malware’s developers have moved most of the subscription code from the payload into the native library. This change lets the payload concentrate on intercepting notifications and displaying web pages. By dividing the work this way, the malware becomes more sophisticated and harder to analyze, making it more difficult to identify the unlawful activity happening behind the scenes.
The sources for this piece include an article in InfoSecurityMagazine.