Fleckpe Android Trojan infects over 620,000 users

11 apps found on Google Play were infected with Fleckpe Trojan


A new Android subscription malware named Fleckpe has been discovered on the Google Play Store, with more than 620,000 downloads since 2022. The malware primarily targets users in Thailand, but telemetry data gathered by Russian cybersecurity firm Kaspersky has revealed victims in other countries as well.[1]

Kaspersky identified 11 apps on the official app storefront masquerading as legitimate photo editors, camera apps, and smartphone wallpaper packs. The apps have since been taken down. These malicious apps deliver the promised functionality to avoid raising red flags, but conceal their real purpose under the hood.

Dmitry Kalinin, a researcher at Kaspersky, explained that when the app starts, it loads a heavily obfuscated native library containing a malicious dropper that decrypts and runs a payload stored in the app's assets. The payload contacts a remote server and transmits information about the compromised device (e.g., Mobile Country Code and Mobile Network Code), after which the server responds with a paid subscription page.

Subscription fraud and unauthorized charges

Fleckpe then opens the page in an invisible web browser window and attempts to subscribe on the user's behalf, abusing its notification-access permission to read the confirmation code required to complete the sign-up. In recent versions of the malware, most of the malicious functionality has been moved into the native library in an attempt to evade detection by security tools.
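The two paragraphs above describe a pattern that can be checked for statically: a native library carrying the dropper, an encrypted blob in the app's assets, and a NotificationListenerService that can read confirmation codes. The script below is an added example written for this article (it is not Kaspersky's tooling or anything shipped by the malware authors) that flags an APK only when all three indicators occur together. It assumes the manifest is plain XML (as produced by apktool or androguard), not the binary AXML found inside a raw APK, and the two sample APKs it builds, the package name `com.example.photoeditor`, and the asset and library names are constructed for illustration.

```python
"""Static triage for the Fleckpe-style dropper pattern.

Indicators checked together (added example, not the article's own code):
  1. a service requiring BIND_NOTIFICATION_LISTENER_SERVICE, the hook the
     text says is abused to read subscription confirmation codes;
  2. at least one native library under lib/, where the obfuscated dropper lives;
  3. a high-entropy file under assets/ that is not a known image format,
     consistent with a payload that is decrypted at runtime.
Assumption: AndroidManifest.xml is plain XML (decode a real APK with apktool first).
"""
import hashlib
import io
import math
import xml.etree.ElementTree as ET
import zipfile
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NOTIF_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
ENTROPY_THRESHOLD = 7.5  # bits per byte; encrypted or compressed data sits near 8.0
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG", b"GIF8", b"RIFF")  # jpeg, png, gif, webp


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or constant input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def manifest_has_notification_listener(manifest_xml: str) -> bool:
    """True if any <service> is gated by the notification-listener permission."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return False
    return any(svc.get(ANDROID_NS + "permission") == NOTIF_PERM
               for svc in app.findall("service"))


def triage_apk(apk_bytes: bytes) -> dict:
    """Return the three indicators plus a combined verdict for one APK (zip) image."""
    findings = {"notification_listener": False, "native_libs": [], "opaque_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        if "AndroidManifest.xml" in names:
            manifest = z.read("AndroidManifest.xml").decode("utf-8")
            findings["notification_listener"] = manifest_has_notification_listener(manifest)
        findings["native_libs"] = [n for n in names if n.startswith("lib/") and n.endswith(".so")]
        for name in names:
            if not name.startswith("assets/") or name.endswith("/"):
                continue
            blob = z.read(name)
            if blob.startswith(IMAGE_MAGIC):
                continue  # images are high-entropy by nature; skip known formats
            if len(blob) >= 256 and shannon_entropy(blob) > ENTROPY_THRESHOLD:
                findings["opaque_assets"].append(name)
    findings["suspicious"] = bool(findings["notification_listener"]
                                  and findings["native_libs"]
                                  and findings["opaque_assets"])
    return findings


def _pseudo_random(n: int, seed: bytes = b"fleckpe-example") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload (constructed)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_apk(with_listener: bool, with_payload: bool) -> bytes:
    """Constructed test APK: plain-XML manifest, one .so, one PNG, optional opaque asset."""
    service = ('<service android:name=".NotifSvc" android:permission="%s"/>' % NOTIF_PERM
               if with_listener else "")
    manifest = (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="com.example.photoeditor"><application>'
        '<activity android:name=".MainActivity"/>' + service + '</application></manifest>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 64)
        z.writestr("assets/banner.png", b"\x89PNG\r\n\x1a\n" + _pseudo_random(2048))
        if with_payload:
            z.writestr("assets/config.bin", _pseudo_random(4096))
    return buf.getvalue()


if __name__ == "__main__":
    for label, apk in (("benign-looking", build_sample_apk(False, False)),
                       ("fleckpe-like", build_sample_apk(True, True))):
        print(label, triage_apk(apk))
```

The entropy check alone would flag every compressed image and font, which is why known image headers are skipped and why the verdict requires the notification listener and a native library as well; a hit is a reason to pull the sample into dynamic analysis, not a conviction on its own.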

The payload now only intercepts notifications and views web pages, acting as a bridge between the native code and the Android components required for purchasing a subscription. Kalinin noted that:[1]

Unlike the native library, the payload has next to no evasion capabilities, although the malicious actors did add some code obfuscation to the latest version.

While not as dangerous as spyware or financial trojans, subscription malware like Fleckpe can still incur unauthorized charges and be repurposed by its operators to harvest a wide range of sensitive information and serve as entry points for more nefarious malware.

Fleckpe joins other fleeceware families like Joker (aka Bread or Jocker)[2] and Harly, which subscribe infected devices to unwanted premium services and conduct billing fraud. When the threat actors themselves operate the premium services, they keep the entire revenue.

The global reach of Fleckpe

Although the malware primarily targets Thai users, Kaspersky's data suggests that a smaller number of infections are found across the globe. Most victims of Fleckpe reside in Thailand, Malaysia, Indonesia, Singapore, and Poland.

Android users who have previously installed the infected apps are advised to remove them immediately and run an antivirus scan to uproot any remnants of malicious code still hidden in the device.

The Fleckpe Android malware serves as a reminder that threat actors continue to find new ways to sneak their apps onto official app marketplaces to scale their campaigns. Users should exercise caution when downloading apps and granting permissions to them.

Kaspersky believes the malware's creators implemented the modifications in recent versions to increase Fleckpe's evasiveness and make it more challenging to analyze. As a result, the growing complexity of the Trojans has allowed them to successfully bypass many anti-malware checks implemented by the marketplaces, remaining undetected for long periods.[3]

Protecting yourself from subscription Trojans

To avoid infection and the financial loss that follows, be cautious with apps, even those coming from Google Play, deny permissions an app should not need for its stated purpose, and install a security product capable of detecting this type of Trojan.

Kaspersky's findings highlight the importance of only downloading apps from trusted sources and developers and paying attention to the requested permissions during installation. Furthermore, it's crucial to remain vigilant and regularly review your device's subscriptions and charges to detect any unauthorized activities.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
