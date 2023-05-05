



May 5, 2023 Ravie Lakshmanan Mobile Security / Android

A new Android subscription malware named Fleckpe has been spotted on the Google Play store and has been downloaded over 620,000 times in total since 2022.

According to Kaspersky, which identified 11 apps on its official app storefront, the malware disguised itself as a legitimate photo-editing app, camera, and smartphone wallpaper pack. The app has since been removed.

Telemetry data collected by a Russian cybersecurity firm has revealed victims in Poland, Malaysia, Indonesia, and Singapore, but the operation is primarily targeted at users in Thailand.

These apps additionally deliver promised functionality to avoid raising red flags, but hide their true purpose under the hood.

Beauty Camera Plus (com.beauty.camera.plus.photoeditor) Beauty Photo Camera (com.apps.camera.photos) Beauty Slimming Photo Editor (com.beauty.slimming.pro) Fingertip Graffiti (com.draw.graffiti) GIF Camera Editor (com.gif.camera.editor) HD 4K Wallpaper (com.hd.h4ks.wallpaper) Impressionism Pro Camera (com.impressionism.prozs.app) Microclip Video Editor (com.microclip.vodeoeditor) Night Mode Camera Pro ( com .urox.opixe.nightcamreapro) Photo Camera Editor (com.toolbox.photoeditor) Photo Effect Editor (com.picture.pictureframe)

“When the app launches, it loads a highly obfuscated native library containing a malicious dropper that decrypts and executes the payload from the app’s assets,” said Kaspersky researcher Dmitry Kalinin.

The payload is designed to connect to a remote server and send information about the compromised device, such as mobile country code and mobile network code. The server then responds with a paid subscription page.

The malware then attempts to subscribe on the user’s behalf by opening a page in an invisible web browser window and abusing the permissions to access the notification and obtain the verification code required to complete the procedure. will do.

In a sign of Fleckpe’s active development, recent versions of the malware have moved most of their malicious functionality into native libraries to avoid detection by security tools.

“The payload currently just intercepts the notification and displays a web page, acting as a bridge between the native code and the Android component required to purchase the subscription,” said Kalinin.

“Unlike native libraries, the payload has few evasive capabilities, but malicious actors have added code obfuscation to the latest versions.”

This isn’t the first time subscription malware has been spotted on the Google Play store. Fleckpe joins other fleeceware families such as Joker (aka Bread or Jocker) and Harly to subscribe infected devices to unwanted premium services and perform fraudulent billing.

While such apps are not as dangerous as spyware or financial Trojans, they can generate fraudulent charges, gather various sensitive information from their operators, and serve as entry points for more malicious malware. may be diverted to

If anything, the findings indicate that attackers continue to find new ways to sneak apps into official app marketplaces to expand their campaigns, allowing users to download and access apps. Care must be taken when granting permissions.

“Trojans are becoming more sophisticated, successfully bypassing many anti-malware checks implemented by the market and remaining undetected for long periods of time,” said Kalinin.

