Fleckpe: A Subscription Trojan Infiltrating Google Play Store


Despite stringent security measures, the Google Play Store is not immune to malware attacks. One such recent discovery is a subscription Trojan called Fleckpe, which hides within seemingly innocent apps such as photo editing software and wallpaper packs. Subscription Trojans are particularly tricky, as they often go unnoticed until users are charged for services they never intended to purchase.

Fleckpe has been active since 2022, with Kaspersky researchers identifying eleven infected apps on Google Play. Although these apps have been removed, more than 620,000 devices have been affected, and the real number could be higher due to potential undiscovered apps.

Infected app package names include:

  1. com.impressionism.prozs.app
  2. com.picture.pictureframe
  3. com.beauty.slimming.pro
  4. com.beauty.camera.plus.photoeditor
  5. com.microclip.vodeoeditor
  6. com.gif.camera.editor
  7. com.apps.camera.photos
  8. com.toolbox.photoeditor
  9. com.hd.h4ks.wallpaper
  10. com.draw.graffiti
  11. com.urox.opixe.nightcamreapro

When an infected app starts, it loads a heavily obfuscated native library that contains a malicious dropper. The dropper decrypts and runs a payload from the app assets, and that payload contacts the threat actors’ Command & Control (C&C) server. The server returns a paid subscription page, which the Trojan opens in an invisible web browser to subscribe the user without their knowledge. If a confirmation code is needed, the malware accesses it through notifications.

As the victim uses the app’s legitimate functions, they remain unaware of the paid subscription. The Trojan continues to evolve, with its creators upgrading the native library to complicate analysis and make detection by security tools more difficult.

Though the Trojan contained hardcoded Thai Mobile Country Code (MCC) and Mobile Network Code (MNC) values, Kaspersky’s telemetry revealed victims in Poland, Malaysia, Indonesia, and Singapore. The infected apps on Google Play had a notable number of Thai-speaking users in their reviews, suggesting that the malware primarily targeted users from Thailand.

Kaspersky’s security products detect the malicious app as Trojan.AndroidOS.Fleckpe. Subscription Trojans have been growing in popularity among scammers, as they successfully bypass anti-malware checks on marketplaces like Google Play and remain undetected for extended periods. This makes them a reliable source of illegal income for cybercriminals.

To avoid malware infection and financial loss, users should be cautious when downloading apps, even from Google Play, and avoid granting unnecessary permissions. Installing antivirus software capable of detecting such Trojans is also recommended.
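For anyone checking a device or a fleet inventory, the sketch below is an added example (not code from Kaspersky or from the original article) that matches installed packages against the eleven names listed above and flags whether each match also holds notification access, the channel the article says is used to read confirmation codes. It assumes the inputs are the plain-text output of `adb shell pm list packages` and `adb shell settings get secure enabled_notification_listeners`; the sample inputs and the service class names in them are constructed.

```python
# Package names as listed in this article.
FLECKPE_PACKAGES = frozenset({
    "com.impressionism.prozs.app",
    "com.picture.pictureframe",
    "com.beauty.slimming.pro",
    "com.beauty.camera.plus.photoeditor",
    "com.microclip.vodeoeditor",
    "com.gif.camera.editor",
    "com.apps.camera.photos",
    "com.toolbox.photoeditor",
    "com.hd.h4ks.wallpaper",
    "com.draw.graffiti",
    "com.urox.opixe.nightcamreapro",
})


def parse_packages(pm_output: str) -> set[str]:
    """Parse `pm list packages` output (lines of 'package:<name>')."""
    return {line.strip()[len("package:"):] for line in pm_output.splitlines()
            if line.strip().startswith("package:")}


def parse_notification_listeners(setting: str) -> set[str]:
    """Parse the enabled_notification_listeners secure setting:
    colon-separated 'package/ServiceClass' components, 'null' when unset."""
    value = setting.strip()
    if not value or value == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}


def audit(pm_output: str, listener_setting: str) -> list[dict]:
    """Return one finding per listed package present on the device."""
    installed = parse_packages(pm_output)
    listeners = parse_notification_listeners(listener_setting)
    return [{"package": pkg,
             # Notification access lets an app read confirmation codes.
             "notification_access": pkg in listeners}
            for pkg in sorted(installed & FLECKPE_PACKAGES)]


# Constructed sample input (not captured from a real device).
SAMPLE_PM = "package:com.android.settings\npackage:com.draw.graffiti\npackage:com.gif.camera.editor\n"
SAMPLE_LISTENERS = "com.draw.graffiti/com.draw.graffiti.NLService:com.example.wear/com.example.wear.Listener"

if __name__ == "__main__":
    for finding in audit(SAMPLE_PM, SAMPLE_LISTENERS):
        print(finding)
```

An empty result only means none of the eleven listed packages is installed; the article notes that further infected apps may remain undiscovered.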