Fleckpe Mobile Malware Hides in Photo Editing Apps

A newly discovered malware called Fleckpe has been found on the Google Play Store and has accumulated over 620,000 downloads since 2022.

Security researchers identified 11 apps on the app store that appeared to be legitimate photo editing apps, camera, and smartphone wallpaper packs but were actually hiding the malware. The apps have been removed from the store. The malware primarily targets users in Thailand, but telemetry data shows victims in Poland, Malaysia, Indonesia, and Singapore.

The apps provide promised functionality to avoid suspicion but contain a malicious dropper that runs a payload from the app assets. The payload contacts a remote server and sends information about the compromised device, including the Mobile Country Code and Mobile Network Code. The server responds with a paid subscription page, which the malware opens in an invisible browser window and tries to subscribe on the user's behalf. Recent versions of the malware have moved most of the malicious functionality to the native library to evade detection by security tools.

Fleckpe is not the first subscription malware to be found on the Google Play Store. Other fleeceware families like Joker and Harly have also been discovered, subscribing infected devices to unwanted premium services and conducting billing fraud. While subscription malware is not as dangerous as spyware or financial trojans, it can still result in unauthorized charges and be used to harvest sensitive information or serve as entry points for more malicious malware.

These findings highlight the continued discovery of new methods by threat actors to sneak their apps onto official app marketplaces, requiring users to exercise caution when downloading apps and granting permissions.

What Are Some of the Methods Threat Actors Can Use to Hide Malware in Android Apps?

Threat actors can use various methods to hide malware in Android apps, some of which include:

• Obfuscation: Malware authors can use obfuscation techniques to hide the malicious code in an app. This can include renaming functions, altering variable names, and using encryption to make the code harder to analyze.
• Social Engineering: Malware authors can use social engineering tactics to trick users into downloading and installing malicious apps. This can involve creating fake apps that appear to be legitimate, using misleading app descriptions or icons, or posing as a legitimate app in order to gain user trust.
• Repackaging: Malware authors can repackage legitimate apps with malicious code and distribute them through third-party app stores or other channels. This can make it harder for users to detect the malware since the app appears to be legitimate.
• Exploiting App Vulnerabilities: Malware authors can exploit vulnerabilities in legitimate apps to inject malicious code or gain elevated privileges on the device. This can allow the malware to evade detection and perform a variety of malicious actions.
• Using Rootkits: Malware authors can use rootkits to hide malware on an infected device. A rootkit is a type of malware that is designed to conceal itself from the operating system and other software running on the device. This can make it much harder to detect and remove the malware.