We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Fleckpe Android Malware Installed 620,000 Times

Fleckpe Android Malware Installed 620,000 Times
Husain Parvez Published on 7th May 2023 Cybersecurity Researcher

The cybersecurity company Kaspersky recently detected 11 Trojan apps for the malware Fleckpe on the Google Play Store. These apps, disguised as media editors and wallpapers, subscribed unsuspecting users to unwanted paid services and were downloaded over 620,000 times. Although the apps did function as advertised, they also covertly executed a malicious payload which could communicate with the cybercriminal’s command and control server.

According to Kaspersky, this was the result of a new malware called Fleckpe, which joins other unauthorized subscription-generating Android malware like Jocker and Harly. Threat actors profit from these unauthorized subscriptions by taking a percentage of the monthly or one-time subscription fees generated by the premium services. In some cases, the threat actors themselves run the subscription services, allowing them to keep 100% of the revenue.

The malware campaign primarily targets users in Thailand, but Kaspersky's telemetry data indicates that victims in other countries like Poland, Malaysia, Indonesia, and Singapore have also been affected. The offending apps identified by Kaspersky are:

  • Beauty Camera Plus (com.beauty.camera.plus.photoeditor)
  • Beauty Photo Camera (com.apps.camera.photos)
  • Beauty Slimming Photo Editor (com.beauty.slimming.pro)
  • Fingertip Graffiti (com.draw.graffiti)
  • GIF Camera Editor (com.gif.camera.editor)
  • HD 4K Wallpaper (com.hd.h4ks.wallpaper)
  • Impressionism Pro Camera (com.impressionism.prozs.app)
  • Microclip Video Editor (com.microclip.vodeoeditor)
  • Night Mode Camera Pro (com.urox.opixe.nightcamreapro)
  • Photo Camera Editor (com.toolbox.photoeditor)
  • Photo Effect Editor (com.picture.pictureframe)

If you have one of the above apps currently installed, it’s recommended to uninstall it immediately and check your Google Play subscriptions for any unauthorized payments.

"When the app starts, it loads a heavily obfuscated native library containing a malicious dropper that decrypts and runs a payload from the app assets," Kaspersky researcher Dmitry Kalinin said in the report.

The trojan first contacts the attacker's command and control (C2) server, transmitting device information, such as Mobile Country Code (MCC) and Mobile Network Code (MNC).

The C2 server responds with a website address, which the app opens in an invisible web browser window to subscribe the victim to a premium service. If required, the malware retrieves a confirmation code from the device's notifications and submits it on the hidden screen to complete the subscription. The app's visible features continue to provide promised functionality, concealing its actual malicious purpose and reducing the likelihood of detection.

Recent versions of Fleckpe shift the subscription code from the payload to the native library, leaving the payload as a lightweight program that simply intercepts notifications and covertly views web pages.

Kaspersky stated in its report that “all of the apps had been removed from the marketplace by the time our report was published but the malicious actors might have deployed other, as yet undiscovered, apps”.

About the Author

Husain Parvez is a Cybersecurity Researcher and News Writer at vpnMentor, focusing on VPN reviews, detailed how-to guides, and hands-on tutorials. Husain is also a part of the vpnMentor Cybersecurity News bulletin and loves covering the latest events in cyberspace and data privacy.