It’s called a new Android subscription malware Fleckpe has been discovered on the Google Play Store, accumulating over 620,000 total downloads since 2022.
Kaspersky, which identified 11 apps in the official app store, said the malware masqueraded as legitimate photo-editing apps, camera and wallpaper packs for smartphones. The apps have since been pulled.
The operation primarily targeted users in Thailand, although telemetry data collected by the Russian cybersecurity firm has revealed victims in Poland, Malaysia, Indonesia and Singapore.
Apps offer the promised functionality to avoid raising red flags, but hide their real purpose under the hood. The list of offending apps is as follows:
- Beauty Camera Plus (com.beauty.camera.plus.photoeditor)
- Beauty Photo Camera (com.apps.camera.photos)
- Beauty Slimming Photo Editor (com.beauty.slimming.pro)
- Fingertip Graffiti (com.draw.graffiti)
- GIF Camera Editor (com.gif.camera.editor)
- HD 4K Wallpaper (com.hd.h4ks.wallpaper)
- Impressionism Pro Camera (com.impressionism.prozs.app)
- Microclip Video Editor (com.microclip.vodeoeditor)
- Night Mode Camera Pro (com.urox.opixe.nightcamreapro)
- Photo Camera Editor (com.toolbox.photoeditor)
- Photo Effects Editor (com.picture.pictureframe)
“When the application is launched, it loads a heavily obfuscated native library containing a malicious dropper that decrypts and executes a payload from the application’s assets,” said Kaspersky researcher Dmitry Kalinin.
The payload, on the other hand, is designed to contact a remote server and transmit information about the compromised device (for example, mobile country code and mobile network code), after which the server responds with a page of paid subscription.
The malware then opens the page in an invisible web browser window and attempts to subscribe on behalf of the user by abusing their permissions to access notifications and obtain the confirmation code needed to complete the step.
In a sign that Fleckpe is actively being developed, recent versions of the malware have moved most of the malicious functionality into the native library in an attempt to evade detection by security tools.
Learn how to stop ransomware with real-time protection
Join our webinar and learn how to stop ransomware attacks with real-time MFA and service account protection.
Save my seat!
“The payload now only intercepts notifications and displays web pages, acting as a bridge between the native code and the Android components required to purchase a subscription,” Kalinin noted.
“Unlike the native library, the payload has virtually no evasion capabilities, although malicious actors did add some code obfuscation in the latest version.”
This isn’t the first time subscription malware has been found in the Google Play Store. Fleckpe joins other fleeceware families such as Joker (also known as Bread or Jocker) and Harly, which subscribe infected devices to unwanted premium services and conduct billing fraud.
Although these applications are not as dangerous as spyware or financial Trojans, they can still incur unauthorized charges and be reused by their operators to collect a wide range of sensitive information and serve as entry points for most nefarious malware.
If anything, the findings are another indication that threat actors continue to discover new ways to get their apps into official app markets to scale their campaigns, requiring users to exercise caution when downloading apps and grant permissions.
“The increasing complexity of Trojans has allowed them to successfully evade many anti-malware checks implemented by the marketplaces, going undetected for long periods of time,” Kalinin said.
Source link
Ikaroa, a full stack tech company, is the latest organization to sound the warning on a dangerous new form of Android malware dubbed ‘Fleckpe’. According to intelligence analysts, Fleckpe has found its way onto the Google Play Store, where it had already been downloaded more than 620,000 times.
Fleckpe is a particularly disturbing form of malware that is designed to steal user data, such as email addresses, passwords, and financial information. It has been designed to be difficult to detect, meaning it can go unnoticed for long periods of time. The malware has been observed to be able to collect location information, take screenshots, and initiate recordings. Moreover, it is able to exfiltrate the stolen data to a remote server.
The malware has been growing in popularity and is now present in around 100 applications, making it critical for users who have downloaded any questionable apps to run a reliable antimalware solution on their Android devices.
At Ikaroa, we take the security of our customers seriously, and encourage all users to remain vigilant with the apps they download. The Google Play Store is the largest repository of Android apps, but this incident serves as a reminder to take precautions when downloading software, as even trusted stores can be infiltrated. Users are urged to ensure that the apps they download come from a trusted source and have a verifiable security record.
