Kaspersky recently discovered a new Android subscription malware named Fleckpe that has accumulated over 620,000 downloads since 2022. 11 apps on the Google Play Store contain the malware masqueraded as legitimate photo editing apps, cameras, and smartphone wallpaper packs, targeting primarily users from Thailand. The apps are no longer present in the store. However, telemetry data collected by the cybersecurity firm has identified victims in Poland, Malaysia, Indonesia, and Singapore.
The threat actors avoid suspicions by ensuring the apps provide the promised functionality but hide their actual purpose. The offending apps include Beauty Camera Plus, Beauty Photo Camera, Beauty Slimming Photo Editor, Fingertip Graffiti, GIF Camera Editor, HD 4K Wallpaper, Impressionism Pro Camera, Microclip Video Editor, Night Mode Camera Pro, Photo Camera Editor, Photo Effect Editor.
When launching the app, a heavily obfuscated native library is loaded, containing a malicious dropper that decrypts and runs a payload from the app assets. This payload then contacts a remote server, transmitting information about the compromised device, following which the server responds with a paid subscription page. The malware opens the page in an invisible web browser window with attempts to subscribe on the user’s behalf by abusing its permissions to access notifications and obtain the confirmation code required to complete the step.
Recent versions of Fleckpe have moved most malicious functionality to the native library to evade detection by security tools. However, the malware developers have added code obfuscation to the latest version to improve the malware’s evasion capabilities.
While subscription malware like Fleckpe is less dangerous, unlike spyware or financial trojans, it can still incur unauthorized charges. It is repurposable by its operators to harvest sensitive information and serve as entry points for more nefarious malware.
As such, users must exercise caution when downloading apps and granting permissions to them as threat actors are discovering new ways to sneak their apps onto official app marketplaces to scale their campaigns. Kaspersky warns that the growing complexity of trojans has allowed them to bypass many anti-malware checks implemented by the marketplaces, enabling them to remain undetected for extended periods.
