Google play store is the trusted place for Android users to download and install mobile apps safely, but what if the trusted source itself is spreading malicious applications? Every once in a while, we can find such kinds of malware lurking as harmless apps. The most popular service is the subscription trojans which steal money without user intervention.
In this article, we will discuss what Fleckpe (Android Subscription Trojans) is and how Fleckpe affects Android users.
What is Fleckpe and How Does It Affect Android Users?
Kaspersky has reported the discovery of a new Android malware called ‘Fleckpe’ on the Google Play store. The malware disguises itself as legitimate apps and has been downloaded over 620,000 times. Fleckpe falls under the category of subscription malware that charges users for premium services without their consent.
It was observed that this malware has been active since 2022; a total of 11 trojan-infected apps were found and were successfully taken down by Google from the play store. However, we are not sure how many more of these malicious apps are still out in the wild, so the real number of installations can be higher.
The apps were distributed as image editors, premium wallpaper, etc. Below are the 11 apps.
- com.impressionism.prozs.app
- com.picture.picture frame
- com.beauty.slimming.pro
- com.beauty.camera.plus.photo editor
- com.microclip.vodeoeditor
- com.gif.camera.editor
- com.apps.camera.photos
- com.toolbox.photo editor
- com.hd.h4ks.wallpaper
- com.draw.graffiti
- com.urox.opixe.nightcamreapro
Trojan App on play store (Kaspersky)
Trojan App on play store (Kaspersky)
Fleckpe – Technical Analysis
Upon launching the application, a complexly obscured native library is loaded, which contains a malevolent dropper that decrypts and executes a payload extracted from the application’s assets.
Upon execution, the payload establishes communication with the command-and-control (C&C) server belonging to the threat actors. The server receives various information about the compromised device, including its Mobile Country Code (MCC) and Mobile Network Code (MNC), which can be utilized to determine the user’s carrier and country of origin. In response, the C&C server provides a subscription page that requires payment. The Trojan then invisibly opens the page in a web browser and tries to subscribe on the user’s behalf. If the process demands a verification code, the malware retrieves it from the device’s notifications, to which it had obtained access during the initial launch.
After discovering the verification code, the Trojan inserts it into the corresponding field and finalizes the subscription procedure. The user, who remains oblivious to the fact, continues to utilize the application’s genuine features, such as editing photos or installing wallpapers. However, in reality, they are unknowingly enrolled in a paid service.
Entering confirmation code (Kaspersky)
The creators of the Trojan have made changes to make it harder to detect by security tools. They moved most of the subscription code to the native library and made the payload intercept notifications and view web pages, acting as a bridge between the native code and the Android components for subscription purchases. This makes the malware more complex to analyze. The payload doesn’t have much evasion capability, but the latest version has some code obfuscation.
MITRE ATT&CK Enterprise Identifiers
- T1005 (Data from Local System)
- T1027 (Obfuscated Files or Information)
- T1041 (Exfiltration Over C2 Channel)
- T1082 (System Information Discovery)
- T1105 (Ingress Tool Transfer)
- T1140 (Deobfuscate/Decode Files or Information)
- T1204.002 (Malicious File)
- T1444 (Masquerade as Legitimate Application)
- T1476 (Deliver Malicious App via Other Means)
- T1517 (Access Notifications)
- T1575 (Native API)
IOCs
MD5
- F671A685FC47B83488871AE41A52BF4C
- 5CE7D0A72B1BD805C79C5FE3A48E66C2
- D39B472B0974DF19E5EFBDA4C629E4D5
- 175C59C0F9FAB032DDE32C7D5BEEDE11
- 101500CD421566690744558AF3F0B8CC
- 7F391B24D83CEE69672618105F8167E1
- F3ECF39BB0296AC37C7F35EE4C6EDDBC
- E92FF47D733E2E964106EDC06F6B758A
- B66D77370F522C6D640C54DA2D11735E
- 3D0A18503C4EF830E2D3FBE43ECBE811
- 1879C233599E7F2634EF8D5041001D40
- C5DD2EA5B1A292129D4ECFBEB09343C4
- DD16BD0CB8F30B2F6DAAC91AF4D350BE
- 2B6B1F7B220C69D37A413B0C448AA56A
- AA1CEC619BF65972D220904130AED3D9
- 0BEEC878FF2645778472B97C1F8B4113
- 40C451061507D996C0AB8A233BD99FF8
- 37162C08587F5C3009AFCEEC3EFA43EB
- BDBBF20B3866C781F7F9D4F1C2B5F2D3
- 063093EB8F8748C126A6AD3E31C9E6FE
- 8095C11E404A3E701E13A6220D0623B9
- ECDC4606901ABD9BB0B160197EFE39B7
C&C
- hxxp://ac.iprocam[.]xyz
- hxxp://ad.iprocam[.]xyz
- hxxp://ap.iprocam[.]xyz
- hxxp://b7.photoeffect[.]xyz
- hxxp://ba3.photoeffect[.]xyz
- hxxp://f0.photoeffect[.]xyz
- hxxp://m11.slimedit[.]live
- hxxp://m12.slimedit[.]live
- hxxp://m13.slimedit[.]live
- hxxp://ba.beautycam[.]xyz
- hxxp://f6.beautycam[.]xyz
- hxxp://f8a.beautycam[.]xyz
- hxxp://ae.mveditor[.]xyz
- hxxp://b8c.mveditor[.]xyz
- hxxp://d3.mveditor[.]xyz
- hxxp://fa.gifcam[.]xyz
- hxxp://fb.gifcam[.]xyz
- hxxp://fl.gifcam[.]xyz
- hxxp://a.hdmodecam[.]live
- hxxp://b.hdmodecam[.]live
- hxxp://l.hdmodecam[.]live
- hxxp://vd.toobox[.]online
- hxxp://ve.toobox[.]online
- hxxp://vt.toobox[.]online
- hxxp://54.245.21[.]104
- hxxp://t1.twmills[.]xyz
- hxxp://t2.twmills[.]xyz
- hxxp://t3.twmills[.]xyz
- hxxp://api.odskguo[.]xyz
- hxxp://gbcf.odskguo[.]xyz
- hxxp://track.odskguo[.]xyz
Conclusion
The Trojan contained Thai MCC and MNC values hardcoded for testing, and Thai-speaking users were the dominant reviewers of the infected apps on Google Play. Despite this, victims of the malware were also found in other countries such as Poland, Malaysia, Indonesia, and Singapore.
The Trojan is evolving in such a way the user is not aware of all the malicious background activity and continues to use the legitimate features available in the app. To prevent financial loss due to malware infection, it’s advisable to exercise caution with apps, even if they are from Google Play. Avoid granting unnecessary permissions and install an antivirus program that can detect this type of Trojan.