2023-05-05

Occasionally, we come across malicious apps on Google Play that seem harmless at first. The most sophisticated of these are subscription Trojans, which often go unnoticed until users realize they are being charged for services they did not intend to purchase. This kind of malware often infiltrates official Android app marketplaces. The Jocker family and the recently discovered Harly family are just two examples of this. The newest discovery, which we call ‘Fleckpe’, also spreads via Google Play as part of photo editing apps, smartphone wallpaper packs and more.

Fleckpe Technical Description

Our data suggests that this Trojan has been active since 2022. We have found eleven Fleckpe-infected apps on Google Play, installed on more than 620,000 devices. All of the apps had been removed from the marketplace by the time this report was published, but the actual number of installations may be higher, since the attackers may have deployed other apps that have yet to be discovered.

Here is how Fleckpe operates. When the app starts, it loads a heavily obfuscated native library containing a malicious dropper that decrypts and executes a payload taken from the app's assets.

Figure: Loading the malicious library

The payload connects to the attackers' C&C server and sends information about the infected device, such as the MCC (Mobile Country Code) and MNC (Mobile Network Code). This information can be used to identify the victim's country and carrier. The C&C server returns a paid subscription page. The Trojan opens the page in an invisible web browser and attempts to subscribe on the user's behalf. If the subscription requires a verification code, the malware obtains it from notifications (notification access is requested on first run).

Figure: Notification interception

Once it finds the code, the Trojan enters it into the appropriate field and completes the subscription process. Victims continue to use the app’s legitimate features, such as installing wallpapers and editing photos, unaware that they are subscribing to a paid service.

Figure: Entering the verification code

The Trojan continues to evolve. In recent versions, the authors upgraded the native library by moving most of the subscription code into it. The payload now simply intercepts notifications and displays the web page, acting as a bridge between the native code and the Android components required to purchase the subscription. This was done to make analysis considerably harder and to hinder detection by security tools. Unlike the native library, the payload has few evasion capabilities, but the attackers added code obfuscation in the latest version.

Figure: Core logic in native methods

Victims

The Trojan was found to contain hard-coded Thai MCC and MNC values, which were probably used for testing. The Google Play reviews of the infected apps were dominated by Thai-speaking users. This led us to believe that the malware was targeting users in Thailand, but telemetry also showed victims in Poland, Malaysia, Indonesia and Singapore.

Figure: Thai test MCC and MNC values

Kaspersky security products detect malicious apps as Trojan.AndroidOS.Fleckpe.

Conclusion

Unfortunately, subscription Trojans are only gaining popularity among scammers. Their operators increasingly rely on official marketplaces such as Google Play to spread their malware. Thanks to its growing complexity, the Trojan evaded many of the anti-malware checks implemented by the marketplace and remained undetected for long periods of time. Affected users often do not notice the unwanted subscriptions right away, much less understand how they originated. All of this makes subscription Trojans a reliable and illicit source of income for cybercriminals.

To avoid malware infection and the resulting financial loss, we recommend being cautious with apps, even those from Google Play, not granting apps permissions they do not need, and installing an antivirus product that can detect this kind of Trojan.

IOCs

Package names

…wallpaper
com.draw.graffiti
com.urox.opixe.nightcamreapro

MD5

F671A685FC47B83488871AE41A52BF4C
5CE7D0A72B1BD805C79C5FE3A48E66C2
D39B472B0974DF19E5EFBDA4C629E4D5
175C59C0F9FAB032DDE32C7D5BEEDE11
101500CD421566690744558AF3F0B8CC
7F391B24D83CEE69672618105F8167E1
F3ECF39BB0296AC37C7F35EE4C6EDDBC
E92FF47D733E2E964106EDC06F6B758A
B66D77370F522C6D640C54DA2D11735E
3D0A18503C4EF830E2D3FBE43ECBE811
1879C233599E7F2634EF8D5041001D40
C5DD2EA5B1A292129D4ECFBEB09343C4
DD16BD0CB8F30B2F6DAAC91AF4D350BE
2B6B1F7B220C69D37A413B0C448AA56A
AA1CEC619BF65972D220904130AED3D9
0BEEC878FF2645778472B97C1F8B4113
40C451061507D996C0AB8A233BD99FF8
37162C08587F5C3009AFCEEC3EFA43EB
BDBBF20B3866C781F7F9D4F1C2B5F2D3
063093EB8F8748C126A6AD3E31C9E6FE
8095C11E404A3E701E13A6220D0623B9
ECDC4606901ABD9BB0B160197EFE39B7

C&C

hxxp://ac.iprocam[.]xyz
hxxp://ad.iprocam[.]xyz
hxxp://ap.iprocam[.]xyz
hxxp://b7.photoeffect[.]xyz
hxxp://ba3.photoeffect[.]xyz
hxxp://f0.photoeffect[.]xyz
hxxp://m11.slimedit[.]live
hxxp://m12.slimedit[.]live
hxxp://m13.slimedit[.]live
hxxp://ba.beautycam[.]xyz
hxxp://f6.beautycam[.]xyz
hxxp://f8a.beautycam[.]xyz
hxxp://ae.mveditor[.]xyz
hxxp://b8c.mveditor[.]xyz
hxxp://d3.mveditor[.]xyz
hxxp://fa.gifcam[.]xyz
hxxp://fb.gifcam[.]xyz
hxxp://fl.gifcam[.]xyz
hxxp://a.hdmodecam[.]live
hxxp://b.hdmodecam[.]live
hxxp://l.hdmodecam[.]live
hxxp://vd.toobox[.]online
hxxp://ve.toobox[.]online
hxxp://vt.toobox[.]online
hxxp://54.245.21[.]104
hxxp://t1.twmills[.]xyz
hxxp://t2.twmills[.]xyz
hxxp://t3.twmills[.]xyz
hxxp://api.odskguo[.]xyz
hxxp://gbcf.odskguo[.]xyz
hxxp://track.odskguo[.]xyz
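As an added example that is not part of Kaspersky's report, the following Python script turns the IoCs above into two simple detection checks a defender can run over their own data: matching APK MD5 values against the report's hash list, and scanning DNS or proxy log lines for the report's C&C hosts (with the defanged "[.]" notation converted back). The hash values and C&C indicators are copied from the IOCs section; the sample log lines and the inventory of observed hashes are constructed for the demonstration, and the "apex" match (any subdomain of a listed C&C domain) is a heuristic the report itself does not describe.

```python
"""Match Fleckpe IoCs (from the report's IOCs section) against sample data.

Added example, not Kaspersky's code. Hashes and C&C indicators are copied
from the report; the log lines and observed-hash inventory are constructed.
"""
import hashlib
import re
from typing import Iterable, List, Tuple

# MD5 hashes of Fleckpe-infected apps (a subset of the report's list).
FLECKPE_MD5 = {
    "f671a685fc47b83488871ae41a52bf4c",
    "5ce7d0a72b1bd805c79c5fe3a48e66c2",
    "d39b472b0974df19e5efbda4c629e4d5",
    "175c59c0f9fab032dde32c7d5beede11",
}

# C&C indicators exactly as defanged in the report.
DEFANGED_C2 = [
    "hxxp://ac.iprocam[.]xyz", "hxxp://ad.iprocam[.]xyz", "hxxp://ap.iprocam[.]xyz",
    "hxxp://b7.photoeffect[.]xyz", "hxxp://ba3.photoeffect[.]xyz", "hxxp://f0.photoeffect[.]xyz",
    "hxxp://m11.slimedit[.]live", "hxxp://m12.slimedit[.]live", "hxxp://m13.slimedit[.]live",
    "hxxp://ba.beautycam[.]xyz", "hxxp://f6.beautycam[.]xyz", "hxxp://f8a.beautycam[.]xyz",
    "hxxp://ae.mveditor[.]xyz", "hxxp://b8c.mveditor[.]xyz", "hxxp://d3.mveditor[.]xyz",
    "hxxp://fa.gifcam[.]xyz", "hxxp://fb.gifcam[.]xyz", "hxxp://fl.gifcam[.]xyz",
    "hxxp://a.hdmodecam[.]live", "hxxp://b.hdmodecam[.]live", "hxxp://l.hdmodecam[.]live",
    "hxxp://vd.toobox[.]online", "hxxp://ve.toobox[.]online", "hxxp://vt.toobox[.]online",
    "hxxp://54.245.21[.]104",
    "hxxp://t1.twmills[.]xyz", "hxxp://t2.twmills[.]xyz", "hxxp://t3.twmills[.]xyz",
    "hxxp://api.odskguo[.]xyz", "hxxp://gbcf.odskguo[.]xyz", "hxxp://track.odskguo[.]xyz",
]


def refang_host(indicator: str) -> str:
    """Turn 'hxxp://ac.iprocam[.]xyz' into the bare lower-case host 'ac.iprocam.xyz'."""
    s = indicator.strip().replace("[.]", ".")
    s = re.sub(r"^hxxps?://|^https?://", "", s, flags=re.I)
    return s.split("/")[0].lower()


def is_ip(host: str) -> bool:
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)


def apex(host: str) -> str:
    """Registered domain heuristic: last two labels (IPs are returned unchanged)."""
    return host if is_ip(host) else ".".join(host.split(".")[-2:])


FLECKPE_C2_HOSTS = {refang_host(i) for i in DEFANGED_C2}
FLECKPE_C2_APEX = {apex(h) for h in FLECKPE_C2_HOSTS}


def md5_hex(data: bytes) -> str:
    """MD5 of raw bytes, e.g. an APK read from disk, as lower-case hex."""
    return hashlib.md5(data).hexdigest()


def match_hashes(observed: Iterable[str]) -> List[str]:
    """Return the observed MD5 values (normalised to lower case) that are in the IoC list."""
    return sorted({h.strip().lower() for h in observed} & FLECKPE_MD5)


# Hostnames or dotted-quad IPs as they appear in DNS/proxy logs.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})\b", re.I)


def scan_log_lines(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, host, 'exact'|'apex') for every C&C hit in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            h = host.lower()
            if h in FLECKPE_C2_HOSTS:
                hits.append((n, h, "exact"))
            elif apex(h) in FLECKPE_C2_APEX:
                hits.append((n, h, "apex"))
    return hits


# Constructed sample log: one exact C&C host, one unrelated query, one sibling
# subdomain of a listed C&C domain, and a CONNECT to the listed IP.
SAMPLE_LOG = """\
2023-05-05T10:00:01Z client=10.0.0.12 qtype=A qname=ac.iprocam.xyz
2023-05-05T10:00:03Z client=10.0.0.12 qtype=A qname=play.googleapis.com
2023-05-05T10:00:07Z client=10.0.0.27 qtype=A qname=zz9.photoeffect.xyz
2023-05-05T10:00:09Z client=10.0.0.31 CONNECT 54.245.21.104:443
"""

if __name__ == "__main__":
    # Constructed inventory: one known Fleckpe hash and one benign placeholder.
    print(match_hashes(["F671A685FC47B83488871AE41A52BF4C", "00" * 16]))
    for hit in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(hit)
```

In practice the observed hashes would come from an MDM or EDR inventory export and the log lines from a DNS resolver or proxy; the apex match surfaces sibling subdomains the report did not list, so treat those hits as leads to investigate rather than confirmed infections.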

