A new Android subscription malware named ‘Fleckpe’ has been spotted on Google Play, the official Android app store, disguised as legitimate apps downloaded over 620,000 times.
Kaspersky reveals that Fleckpe is the newest addition to the realm of malware that generates unauthorized charges by subscribing users to premium services, joining the ranks of other malicious Android malware, such as Jocker and Harly.
Threat actors make money from unauthorized subscriptions by receiving a share of the monthly or one-time subscription fees generated through the premium services. When the threat actors operate the services, they keep the entire revenue.
Kaspersky’s data suggests that the trojan has been active since last year but was only recently discovered and documented.
Most victims of Fleckpe reside in Thailand, Malaysia, Indonesia, Singapore, and Poland, but a smaller number of infections are to be found across the globe.
Kaspersky discovered 11 Fleckpe trojan apps impersonating image editors, photo libraries, premium wallpapers, and more on Google Play, distributed under the following names:
“All of the apps had been removed from the marketplace by the time our report was published, but the malicious actors might have deployed other, as yet undiscovered, apps, so the real number of installations could be higher.” explains Kaspersky in its report.
Android users who have previously installed the apps listed above are advised to remove them immediately and run an AV scan to uproot any remnants of malicious code still hidden in the device.
Subscribing you in the background
Upon installation, the malicious app requests access to notification content required to capture subscription confirmation codes on many premium services.
When a Fleckpe app launches, it decodes a hidden payload that contains malicious code, which is then executed.
This payload is responsible for contacting the threat actor’s command and control (C2) server to send basic information about the newly infected device, including the MCC (Mobile Country Code) and MNC (Mobile Network Code).
The C2 responds with a website address which the trojan opens in an invisible web browser window and subscribes the victim to a premium service.
If a confirmation code needs to be entered, the malware will retrieve it from the device’s notifications and submit it on the hidden screen to finalize the subscription.
The app’s foreground still offers victims the promised functionality, hiding their real purpose and reducing the likelihood of raising suspicions.
In the latest versions of Fleckpe analyzed by Kaspersky, developers have shifted most of the subscription code from the payload to the native library, leaving the payload responsible for intercepting notifications and displaying web pages.
Additionally, a layer of obfuscation has been incorporated into the most recent payload version.
Kaspersky believes the malware’s creators implemented these modifications to increase Fleckpe’s evasiveness and make it more challenging to analyze.
While not as dangerous as spyware or data-stealing malware, subscription trojans can still incur unauthorized charges, collect sensitive information about the user of the infected device, nd potentially serve as entry points for more potent payloads.
To protect against these threats, Android users are advised to only download apps from trusted sources and developers and pay attention to the requested permissions during installation.