Fleckpe Android malware totaled +620K downloads via Google Play Store

Pierluigi Paganini May 05, 2023

Fleckpe is a new Android subscription Trojan that was discovered in the Google Play Store, totaling more than 620,000 downloads since 2022.

Fleckpe is a new Android subscription Trojan that spreads via Google Play. The malware, discovered by Kaspersky, is hidden in photo editing apps, smartphone wallpaper packs, and other general-purpose apps.

The malicious campaign has been active since 2022. The experts found eleven apps infected with Fleckpe on Google Play, which had been installed on more than 620,000 devices. Once discovered, the apps were quickly removed from the Play Store, but the threat actors may have already uploaded other tainted apps that have yet to be identified.


When one of the infected apps is launched, it loads a heavily obfuscated native library containing a dropper that decrypts and runs malicious code hidden in the app assets.

The payload sends information about the infected device to the C2 servers, including the MCC (Mobile Country Code) and MNC (Mobile Network Code). The C2 server responds with a paid subscription page, which the Trojan opens in an invisible web browser and attempts to subscribe the victim to. If the subscription flow requires a confirmation code, the malware reads it from the device's notifications.
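The two paragraphs above describe a pattern that is cheap to screen for before a sample goes to a sandbox: a bundled native library next to an asset file that is really an encrypted payload. Encrypted or compressed data has near-maximal byte entropy, so flagging high-entropy files under `assets/` in an APK that also ships a `.so` is a useful first-pass triage heuristic. The script below is an added example written for this article; it is not Kaspersky's tooling and does not reproduce Fleckpe's code. The sample APK it scans is constructed in memory (file names, sizes and contents are made up) so it runs offline; a real APK is a plain zip archive, so `triage_apk` also accepts a file path.

```python
"""Entropy-based triage for the 'native library + encrypted asset' dropper
pattern.  Added example, not code from the original report or the malware.
The APK built by build_sample_apk() is constructed for demonstration."""
import io
import math
import os
import zipfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted/random data approaches 8.0
MIN_SIZE = 256            # very small files give noisy entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_apk(apk) -> dict:
    """Scan an APK (path or file-like object) and return:
       native_libs       - entries under lib/ ending in .so (compiled code that can hide a dropper)
       suspicious_assets - (name, entropy) for assets/ entries that look encrypted
       verdict           - True when both indicators are present
    """
    result = {"native_libs": [], "suspicious_assets": [], "verdict": False}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("lib/") and name.endswith(".so"):
                result["native_libs"].append(name)
            elif name.startswith("assets/") and info.file_size >= MIN_SIZE:
                ent = shannon_entropy(zf.read(name))
                if ent >= ENTROPY_THRESHOLD:
                    result["suspicious_assets"].append((name, round(ent, 2)))
    result["verdict"] = bool(result["native_libs"]) and bool(result["suspicious_assets"])
    return result


def build_sample_apk() -> io.BytesIO:
    """Constructed test archive (not a real app): a benign text asset, a random
    blob standing in for an encrypted payload, and a stub native library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 512)
        zf.writestr("lib/arm64-v8a/libwallpaper.so", b"\x7fELF" + b"\0" * 512)
        zf.writestr("assets/wallpapers/readme.txt", b"Wallpaper pack, free to use.\n" * 40)
        zf.writestr("assets/cache/config.dat", os.urandom(4096))  # plays the encrypted payload
    buf.seek(0)
    return buf


if __name__ == "__main__":
    report = triage_apk(build_sample_apk())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Treat a positive verdict as a lead, not a conviction: legitimate apps also bundle native code, and already-compressed media (PNG, JPEG, WebP, fonts) score almost as high as ciphertext, so in practice you would skip those extensions or rank by entropy and size. The script deliberately does not parse `AndroidManifest.xml`, which is stored as binary XML inside the APK; checking whether the app declares a notification listener service, which is what the described notification interception needs, is a job for `aapt dump xmltree` or a library such as androguard.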

Once installed, the apps continue to provide their legitimate functionality, for example installing wallpapers, after the victim has been subscribed to a paid service.

The experts noticed that the malware authors keep upgrading it. For example, most of the subscription logic has been moved into the native library, leaving the payload only to intercept notifications and load web pages. This change makes the malware harder to analyze and detect.

Most of the victims are from Thailand, however, other infections were observed in Poland, Malaysia, Indonesia, and Singapore.

“Sadly, subscription Trojans have only gained popularity with scammers lately. Their operators have increasingly turned to official marketplaces like Google Play to spread their malware. Growing complexity of the Trojans has allowed them to successfully bypass many anti-malware checks implemented by the marketplaces, remaining undetected for long periods of time.” concludes the report that also includes Indicators of Compromise (IoCs).

“To avoid malware infection and subsequent financial loss, we recommend being cautious with apps, even those coming from Google Play, avoiding giving them permissions they should not have, and installing an antivirus product capable of detecting this type of Trojan.”


Pierluigi Paganini

(SecurityAffairs – hacking, Fleckpe malware)
