May 28, 2023

Researchers identified a new malware family distributed through apps that were available for download on the official Google Play store and had been installed on more than 620,000 Android devices.

The malware, called Fleckpe, is a subscription trojan: it usually goes unnoticed until the victim discovers they have been charged for services they never purchased.


Active since 2022, Fleckpe has been spread via Google Play inside photo editing apps and smartphone wallpaper packs. All 11 infected apps have been removed from the store, but researchers caution that the malware may be more widespread and still active.

Upon starting, the app loads a heavily obfuscated native library containing a malicious dropper that decrypts and runs a payload stored in the app's assets. The payload sends the infected device's country code and mobile carrier to the command-and-control (C2) server.

The C2 server responds with a paid subscription page, which the trojan opens in an invisible web browser and uses to subscribe the victim; if a confirmation code is required, the malware reads it from the device's notifications. Once the subscription completes, the victim continues to use the app's legitimate functionality none the wiser.

Recent versions of the trojan moved most of the subscription logic into the native library, making it harder to detect.
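The traits described above (a bundled native library plus an encrypted blob in the app's assets that the library decrypts at runtime) are cheap to check for statically. The following Python helper is an added example, not code from the original write-up or from any vendor's tooling: it opens an APK as the zip archive it is, reports the file's MD5 for comparison with published hashes, lists native libraries under lib/, and flags assets whose byte entropy looks like ciphertext rather than text or images. The sample APK is constructed in memory, and the 7.5-bit entropy threshold is an assumption to be tuned against a real corpus.

```python
"""Static triage of an APK for dropper-style traits: native lib + high-entropy asset."""
import hashlib
import io
import math
import random
import zipfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumption, tune per corpus (random data is ~8.0)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Return the APK's MD5, its native libraries, and any high-entropy assets."""
    report = {
        "md5": hashlib.md5(apk_bytes).hexdigest().upper(),  # matches the IOC list's case
        "native_libs": [],
        "suspicious_assets": [],
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("lib/") and name.endswith(".so"):
                report["native_libs"].append(name)
            elif name.startswith("assets/") and not info.is_dir():
                ent = shannon_entropy(zf.read(name))
                if ent >= ENTROPY_THRESHOLD:
                    report["suspicious_assets"].append((name, round(ent, 2)))
    # Both traits together are the dropper pattern worth a closer look.
    report["dropper_like"] = bool(report["native_libs"] and report["suspicious_assets"])
    return report


def build_sample_apk() -> bytes:
    """Constructed stand-in APK: a stub native lib, a text asset, and a random-looking asset."""
    rng = random.Random(1)  # deterministic so the result is reproducible
    encrypted_looking = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 64)
        zf.writestr("assets/wallpaper.txt", b"plain text wallpaper metadata " * 20)
        zf.writestr("assets/data.bin", encrypted_looking)  # stands in for the encrypted payload
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

High entropy alone is not evidence of malice (compressed images and fonts score high too), so the flag is a triage prompt for pulling the native library into a disassembler, not a verdict.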

Telemetry showed victims in Poland, Malaysia, and Singapore. The trojan's operators are increasingly turning to official marketplaces like Google Play to spread their malware, and researchers recommend that users remain cautious when installing apps, even from official stores.


Indicators of Compromise

Hashes

  • F671A685FC47B83488871AE41A52BF4C
  • 5CE7D0A72B1BD805C79C5FE3A48E66C2
  • D39B472B0974DF19E5EFBDA4C629E4D5
  • 175C59C0F9FAB032DDE32C7D5BEEDE11
  • 101500CD421566690744558AF3F0B8CC
  • 7F391B24D83CEE69672618105F8167E1
  • F3ECF39BB0296AC37C7F35EE4C6EDDBC
  • E92FF47D733E2E964106EDC06F6B758A
  • B66D77370F522C6D640C54DA2D11735E
  • 3D0A18503C4EF830E2D3FBE43ECBE811
  • 1879C233599E7F2634EF8D5041001D40
  • C5DD2EA5B1A292129D4ECFBEB09343C4
  • DD16BD0CB8F30B2F6DAAC91AF4D350BE
  • 2B6B1F7B220C69D37A413B0C448AA56A
  • AA1CEC619BF65972D220904130AED3D9
  • 0BEEC878FF2645778472B97C1F8B4113
  • 40C451061507D996C0AB8A233BD99FF8
  • 37162C08587F5C3009AFCEEC3EFA43EB
  • BDBBF20B3866C781F7F9D4F1C2B5F2D3
  • 063093EB8F8748C126A6AD3E31C9E6FE
  • 8095C11E404A3E701E13A6220D0623B9
  • ECDC4606901ABD9BB0B160197EFE39B7

C2 Locations

  • hxxp://ac.iprocam[.]xyz
  • hxxp://ad.iprocam[.]xyz
  • hxxp://ap.iprocam[.]xyz
  • hxxp://b7.photoeffect[.]xyz
  • hxxp://ba3.photoeffect[.]xyz
  • hxxp://f0.photoeffect[.]xyz
  • hxxp://m11.slimedit[.]live
  • hxxp://m12.slimedit[.]live
  • hxxp://m13.slimedit[.]live
  • hxxp://ba.beautycam[.]xyz
  • hxxp://f6.beautycam[.]xyz
  • hxxp://f8a.beautycam[.]xyz
  • hxxp://ae.mveditor[.]xyz
  • hxxp://b8c.mveditor[.]xyz
  • hxxp://d3.mveditor[.]xyz
  • hxxp://fa.gifcam[.]xyz
  • hxxp://fb.gifcam[.]xyz
  • hxxp://fl.gifcam[.]xyz
  • hxxp://a.hdmodecam[.]live
  • hxxp://b.hdmodecam[.]live
  • hxxp://l.hdmodecam[.]live
  • hxxp://vd.toobox[.]online
  • hxxp://ve.toobox[.]online
  • hxxp://vt.toobox[.]online
  • hxxp://54.245.21[.]104
  • hxxp://t1.twmills[.]xyz
  • hxxp://t2.twmills[.]xyz
  • hxxp://t3.twmills[.]xyz
  • hxxp://api.odskguo[.]xyz
  • hxxp://gbcf.odskguo[.]xyz
  • hxxp://track.odskguo[.]xyz
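The indicators above are printed defanged (hxxp://, [.]), so they need normalizing before they are useful in a log sweep. The Python below is an added example, not part of the original write-up or any vendor tool: it refangs a subset of the C2 list and hashes, keeps exact hostnames and IPs as strong indicators and their parent domains as a weaker signal (the other C2 hosts on the list share those parents, so new subdomains are worth catching), then scans a few constructed DNS, proxy and device-inventory log lines. The log formats are assumptions chosen for illustration.

```python
"""Refang the published Fleckpe IOCs and sweep log lines for hosts, domains and hashes."""
import re
from dataclasses import dataclass, field

# Subset of the published indicators, copied in their defanged form.
DEFANGED_C2 = """
hxxp://ac.iprocam[.]xyz
hxxp://m11.slimedit[.]live
hxxp://54.245.21[.]104
hxxp://api.odskguo[.]xyz
"""
PUBLISHED_HASHES = """
F671A685FC47B83488871AE41A52BF4C
5CE7D0A72B1BD805C79C5FE3A48E66C2
"""

IP_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b")  # 32 hex chars: MD5-length digests, as on the list
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b|\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(indicator: str) -> str:
    """'hxxp://ac.iprocam[.]xyz' -> 'ac.iprocam.xyz' (host only, scheme and path dropped)."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", "", s).replace("[.]", ".")
    return s.split("/", 1)[0]


def registrable(host: str) -> str:
    """Crude parent domain (last two labels); assumption: no public-suffix handling."""
    return ".".join(host.split(".")[-2:])


@dataclass
class IocSet:
    hosts: set = field(default_factory=set)    # exact C2 hostnames and IPs (strong)
    domains: set = field(default_factory=set)  # their parent domains (weaker signal)
    hashes: set = field(default_factory=set)   # lower-case MD5-length digests

    @classmethod
    def from_text(cls, c2_text: str, hash_text: str) -> "IocSet":
        ioc = cls()
        for line in c2_text.splitlines():
            if not line.strip():
                continue
            host = refang(line)
            ioc.hosts.add(host)
            if not IP_RE.match(host):
                ioc.domains.add(registrable(host))
        for line in hash_text.splitlines():
            h = line.strip().lower()
            if HASH_RE.fullmatch(h):
                ioc.hashes.add(h)
        return ioc

    def scan(self, log_lines):
        """Return (line_no, kind, indicator) for every hit; kind is host, domain or hash."""
        hits = []
        for n, line in enumerate(log_lines, 1):
            low = line.lower()
            for host in HOST_RE.findall(low):
                if host in self.hosts:
                    hits.append((n, "host", host))
                elif not IP_RE.match(host) and registrable(host) in self.domains:
                    hits.append((n, "domain", registrable(host)))
            for h in HASH_RE.findall(low):
                if h in self.hashes:
                    hits.append((n, "hash", h))
        return hits


# Constructed sample lines: DNS resolver, web proxy, and an MDM app inventory.
SAMPLE_LOGS = [
    "2023-05-20T10:01:02Z dns client=10.0.0.12 query=ac.iprocam.xyz type=A",
    "2023-05-20T10:01:03Z proxy client=10.0.0.12 GET http://m11.slimedit.live/sub/confirm",
    "2023-05-20T10:01:04Z proxy client=10.0.0.7 GET http://cdn.example.com/img.png",
    "2023-05-20T10:02:00Z dns client=10.0.0.9 query=cdn.odskguo.xyz type=A",
    "2023-05-20T10:03:00Z mdm device=0a1b apk=com.example.wallpaper md5=f671a685fc47b83488871ae41a52bf4c",
    "2023-05-20T10:03:01Z proxy client=10.0.0.3 CONNECT 54.245.21.104:443",
]

if __name__ == "__main__":
    for hit in IocSet.from_text(DEFANGED_C2, PUBLISHED_HASHES).scan(SAMPLE_LOGS):
        print(hit)
```

The domain-level match on line 4 (cdn.odskguo.xyz is not on the list, but odskguo.xyz is the parent of three listed hosts) is the kind of hit that deserves a look but not an automatic block; the exact host, IP and hash hits are the ones to alert on.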
