A new Android subscription malware called Fleckpe has been unearthed on the Google Play Store, amassing over 620,000 downloads since 2022.
Kaspersky, which identified 11 apps in the official app storefront, said the malware disguised itself as legitimate photo-editing apps, camera apps and mobile wallpaper packs. The applications have since been removed.
The operation mainly targeted users from Thailand, although telemetry data collected by the Russian cybersecurity firm has revealed victims in Poland, Malaysia, Indonesia and Singapore.
The apps offer the promised functionality to avoid raising red flags, but hide their true purpose under the hood. The list of offending apps is as follows:
- Beauty Camera Plus (com.beauty.camera.plus.photoeditor)
- Beauty Photo Camera (com.apps.camera.photos)
- Beauty Slimming Photo Editor (com.beauty.slimming.pro)
- Fingertip Graffiti (com.draw.graffiti)
- GIF Camera Editor (com.gif.camera.editor)
- HD Wallpapers 4K (com.hd.h4ks.wallpaper)
- Impressionism Pro Camera (com.impressionism.prozs.app)
- Microclip Video Editor (com.microclip.vodeoeditor)
- Camera Night Mode Pro (com.urox.opixe.nightcamreapro)
- Photo Camera Editor (com.toolbox.photoeditor)
- Photo Effects Editor (com.picture.pictureframe)
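The package names above are the concrete indicators a defender can act on. The script below, an added example rather than anything from the report, matches a device's installed-package inventory against that list. It assumes the inventory comes from `adb shell pm list packages -f` (one `package:<apk path>=<package name>` line per app; the `-f` flag and the plain `package:<name>` form without it are standard Android `pm` output), and the sample output embedded in it is constructed, not captured from a real device.

```python
"""Match an Android package inventory against the Fleckpe package IDs
listed in the Kaspersky report. Added example; not Kaspersky's tooling."""
from typing import Dict, Iterable, List, Optional

# The 11 package names from the report (the only page-sourced values here).
FLECKPE_PACKAGES = frozenset({
    "com.beauty.camera.plus.photoeditor",
    "com.apps.camera.photos",
    "com.beauty.slimming.pro",
    "com.draw.graffiti",
    "com.gif.camera.editor",
    "com.hd.h4ks.wallpaper",
    "com.impressionism.prozs.app",
    "com.microclip.vodeoeditor",
    "com.urox.opixe.nightcamreapro",
    "com.toolbox.photoeditor",
    "com.picture.pictureframe",
})


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """Parse `pm list packages [-f]` output into {package_name: apk_path}.

    With -f each line is  package:<path>/base.apk=<name>; without it the
    line is just  package:<name>  (path recorded as None). The split is on
    the LAST '=' because Android's app directories can contain '==' from
    base64-encoded hash names. Lines of any other shape are ignored."""
    found: Dict[str, Optional[str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue
        rest = line[len("package:"):]
        apk, sep, name = rest.rpartition("=")
        if not sep:            # plain form, no path
            apk, name = None, rest
        if name:
            found[name] = apk or None
    return found


def find_fleckpe(installed: Iterable[str]) -> List[str]:
    """Sorted installed package names that appear in the Fleckpe IoC set."""
    return sorted(set(installed) & FLECKPE_PACKAGES)


# Constructed sample inventory (NOT captured from a real device); two of the
# four entries are report-listed packages, the other two are benign fillers.
SAMPLE_PM_OUTPUT = """\
package:/product/app/Calendar/Calendar.apk=com.android.calendar
package:/data/app/~~abc==/com.hd.h4ks.wallpaper-1/base.apk=com.hd.h4ks.wallpaper
package:/data/app/~~def==/com.example.notes-2/base.apk=com.example.notes
package:/data/app/~~ghi==/com.toolbox.photoeditor-1/base.apk=com.toolbox.photoeditor
"""

if __name__ == "__main__":
    inventory = parse_pm_list(SAMPLE_PM_OUTPUT)
    hits = find_fleckpe(inventory)
    if not hits:
        print("no report-listed packages installed")
    for pkg in hits:
        print(f"MATCH {pkg} at {inventory[pkg]}")
```

To run it against a real handset, pipe `adb shell pm list packages -f` into `parse_pm_list`; the same function works on an MDM export as long as each line keeps the `package:` prefix. A hit only tells you the package name matches; the app should still be pulled and examined, since the report notes the malware's behaviour has shifted between versions.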
“When the application starts, it loads a highly obfuscated native library which contains a malicious dropper that decrypts and executes the payload from the application’s assets,” Kaspersky researcher Dmitry Kalinin said.
The payload, for its part, contacts a remote server and sends information about the compromised device (for example, the Mobile Country Code and Mobile Network Code), after which the server responds with a paid subscription page.
The malware then opens the page in an invisible web browser window and attempts to subscribe on behalf of the user, abusing the app's permission to access notifications in order to obtain the confirmation code required to complete the step.
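The three traits described in the preceding paragraphs, a native library loaded at start, a payload kept as an opaque blob under `assets/`, and notification access used to read confirmation codes, can be turned into a static triage heuristic. The script below is an added example, not Kaspersky's analysis tooling. It assumes the manifest has already been decoded to text (for instance by apktool; the binary `AndroidManifest.xml` inside an APK will not parse as XML), uses the real `android.permission.BIND_NOTIFICATION_LISTENER_SERVICE` gate that notification listener services must declare, and flags an asset as opaque when its Shannon entropy is at or above 7.5 bits per byte. The sample APK and manifest it builds are constructed in memory and are not from any real app; a hit is a reason to look closer, since legitimate apps (messaging, wearables) also declare notification listeners.

```python
"""Static triage for Fleckpe-like APK traits. Added example, not from the
report. Requires a decoded (text) manifest, e.g. apktool output."""
import io
import math
import xml.etree.ElementTree as ET
import zipfile
from typing import List

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
HIGH_ENTROPY = 7.5  # bits/byte; encrypted or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def declares_notification_listener(manifest_xml: str) -> bool:
    """True if any <service> is gated by the notification-listener permission,
    which is how an app obtains read access to other apps' notifications."""
    root = ET.fromstring(manifest_xml)
    return any(svc.get(ANDROID_NS + "permission") == NOTIF_LISTENER_PERM
               for svc in root.iter("service"))


def triage_apk(apk_bytes: bytes, manifest_xml: str) -> List[str]:
    """Return the Fleckpe-like traits found in the APK; empty list = none."""
    traits: List[str] = []
    if declares_notification_listener(manifest_xml):
        traits.append("notification-listener")
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        if any(n.startswith("lib/") and n.endswith(".so") for n in names):
            traits.append("native-library")
        for n in names:
            if n.startswith("assets/") and not n.endswith("/"):
                if shannon_entropy(zf.read(n)) >= HIGH_ENTROPY:
                    traits.append(f"opaque-asset:{n}")
    return traits


# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application>
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def build_sample_apk() -> bytes:
    """Build a constructed zip with the layout of an APK: one native library,
    one maximally opaque asset (every byte value equally often, entropy 8.0)
    and one plain-text asset that should not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/arm64-v8a/libsample.so", b"\x7fELF" + b"\x00" * 64)
        zf.writestr("assets/payload.bin", bytes(range(256)) * 16)
        zf.writestr("assets/strings.txt", b"hello world\n" * 100)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for trait in triage_apk(build_sample_apk(), SAMPLE_MANIFEST):
        print("TRAIT", trait)
```

The entropy threshold is the weakest part of the heuristic: legitimately compressed assets (images, fonts) also score high, so in practice the opaque-asset signal should only raise priority when it co-occurs with the other two traits, which is the combination the report describes.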
In a sign that Fleckpe is being actively developed, the latest version of the malware has moved most of its malicious functionality to the original library to avoid detection by security tools.
“The payload now simply intercepts notifications and views web pages, acting as a bridge between the native code and the Android components needed to buy a subscription,” Kalinin said.
“Unlike the original library, the payload has almost no evasion capabilities, although the bad actors added some code obfuscation to recent versions.”
This is not the first time subscription malware has been found on the Google Play Store. Fleckpe joins other fleeceware families such as Joker (aka Bread or Jocker) and Harly, which subscribe infected devices to unwanted premium services and commit billing fraud.
Even if such applications are not as malicious as spyware or financial trojans, they can still run up unauthorized charges, be reused by their operators to harvest sensitive information, and serve as entry points for more dangerous malware.
If anything, the findings are yet another indication that threat actors continue to find new ways to sneak their apps into the official app marketplace to scale their campaigns, which means users need to be careful when downloading apps and granting them permissions.
“The increased complexity of trojans has allowed them to successfully pass many of the anti-malware checks implemented by the market, remaining undetected for long periods of time,” said Kalinin.