New Fleckpe Android malware installed 600K times on Google Play

Android malware

A new Android subscription malware named ‘Fleckpe’ has been spotted on Google Play, the official Android app store, disguised as legitimate apps downloaded over 620,000 times.

Kaspersky reveals that Fleckpe is the newest addition to the realm of malware that generates unauthorized charges by subscribing users to premium services, joining the ranks of other malicious Android malware, such as Jocker and Harly.

Threat actors make money from unauthorized subscriptions by receiving a share of the monthly or one-time subscription fees generated through the premium services. When the threat actors operate the services, they keep the entire revenue.

Kaspersky’s data suggests that the trojan has been active since last year but was only recently discovered and documented.

Most victims of Fleckpe reside in Thailand, Malaysia, Indonesia, Singapore, and Poland, but a smaller number of infections are to be found across the globe.

Kaspersky discovered 11 Fleckpe trojan apps impersonating image editors, photo libraries, premium wallpapers, and more on Google Play, distributed under the following names:

  • com.picture.pictureframe
  • com.microclip.vodeoeditor
  • com.toolbox.photoeditor
  • com.hd.h4ks.wallpaper
  • com.draw.graffiti
  • com.urox.opixe.nightcamreapro

“All of the apps had been removed from the marketplace by the time our report was published, but the malicious actors might have deployed other, as yet undiscovered, apps, so the real number of installations could be higher.” explains Kaspersky in its report.

Android users who have previously installed the apps listed above are advised to remove them immediately and run an AV scan to uproot any remnants of malicious code still hidden in the device.

Malicious trojan app on Google PlayFleckpe trojan app on Google Play (Kaspersky)

Subscribing you in the background

Upon installation, the malicious app requests access to notification content required to capture subscription confirmation codes on many premium services.

When a Fleckpe app launches, it decodes a hidden payload that contains malicious code, which is then executed.

This payload is responsible for contacting the threat actor’s command and control (C2) server to send basic information about the newly infected device, including the MCC (Mobile Country Code) and MNC (Mobile Network Code).

The C2 responds with a website address which the trojan opens in an invisible web browser window and subscribes the victim to a premium service.

If a confirmation code needs to be entered, the malware will retrieve it from the device’s notifications and submit it on the hidden screen to finalize the subscription.

The app’s foreground still offers victims the promised functionality, hiding their real purpose and reducing the likelihood of raising suspicions.

In the latest versions of Fleckpe analyzed by Kaspersky, developers have shifted most of the subscription code from the payload to the native library, leaving the payload responsible for intercepting notifications and displaying web pages.

Intercepting notification contentIntercepting notification content (Kaspersky)

Additionally, a layer of obfuscation has been incorporated into the most recent payload version.

Kaspersky believes the malware’s creators implemented these modifications to increase Fleckpe’s evasiveness and make it more challenging to analyze.

While not as dangerous as spyware or data-stealing malware, subscription trojans can still incur unauthorized charges, collect sensitive information about the user of the infected device, nd potentially serve as entry points for more potent payloads.

To protect against these threats, Android users are advised to only download apps from trusted sources and developers and pay attention to the requested permissions during installation.


  • Mahhn Photo Mahhn – 3 days ago

    I applaud Kaspersky staying on top of their game and not being abused by…
    Google, maybe you should build some kind of AI that would be able to check that only approved malware gets deployed from your stores. (jab jab cross)

  • xdaDeveloper-Viva Photo xdaDeveloper-Viva – 2 days ago

    I respect this site for its undaunting motivation in keeping Android device users up to date on the latest security vulnerabilities and malicious threats. I would like to note that malware is a highly misunderstood topic regarding Android mobile devices. Since the birth of Android in 2008, up until the present day, with an estimated 3 billion + active Android devices in use worldwide, there has never been a single confirmed instance of a traditional virus infecting an Android device. By “infecting,” I am referring to the Android system – core directory – being infiltrated by malicious code. As it stands, malware can only make its way onto a device by one means — installing a malicious app. Even then (and not to downplay the havoc malware can cause in terms of security), the malicious code can only exist on allocated user storage space. By uninstalling the malicious app and deleting all related app data, the threat is fully eradicated. Thanks to SELinux kernel safeguards and application sandboxing, the malicious code cannot infiltrate the system barrier and truly “infect” the device — at least not to date. Most developers agree — myself included — that such a scenario is possible only in theory. Of course, I am referring to the default norm — a device not modified from its stock configuration in any way. Hopefully, and despite the seriousness of mobile malware, infected devices will never be a reality.

  • Malwarebytes Anti-Malware Logo

    Malwarebytes Anti-Malware

    Version: 4.5.27 4M+ Downloads

  • AdwCleaner Logo


    Version: 56M+ Downloads

  • Windows Repair (All In One) Logo

    Windows Repair (All In One)

    Version: 4.13.1 2M+ Downloads

  • Everything Desktop Search Logo

    Everything Desktop Search

    Version: 22,826 Downloads

  • Zemana AntiLogger Free Logo

    Zemana AntiLogger Free

    Version: 53,813 Downloads


Related posts

Microsoft: Business email compromise attacks can take just hours

Sarah Henriquez

Emotet malware now distributed in Microsoft OneNote files to evade defenses

Sarah Henriquez

Ransomware attack halts circulation of some German newspapers

Sarah Henriquez

Leave a Comment