# Not quite an Easter egg: a new family of Trojan subscribers on Google Play

**[securelist.com/fleckpe-a-new-family-of-trojan-subscribers-on-google-play/109643/](https://securelist.com/fleckpe-a-new-family-of-trojan-subscribers-on-google-play/109643/)**

Author: Dmitry Kalinin

Every once in a while, someone comes across malicious apps on Google Play that seem harmless at first. Some of the trickiest of these are subscription Trojans, which often go unnoticed until the user finds they have been charged for services they never intended to buy. This kind of malware regularly finds its way into the official marketplace for Android apps. The [Jocker family and the recently discovered Harly family](https://securelist.com/mobile-subscription-trojans-and-their-tricks/106412/) are just two examples of this. Our latest discovery, which we call “Fleckpe”, also spreads via Google Play as part of photo editing apps, smartphone wallpaper packs and so on.

## Fleckpe technical description

Our data suggests that the Trojan has been active since 2022. We have found eleven Fleckpe-infected apps on Google Play, which have been installed on more than 620,000 devices. All of the apps had been removed from the marketplace by the time our report was published, but the malicious actors might have deployed other, as yet undiscovered, apps, so the real number of installations could be higher.

Fleckpe’s modus operandi is as follows. When the app starts, it loads a heavily obfuscated native library containing a malicious dropper that decrypts and runs a payload from the app assets.

**_Malicious library loading_**

The payload contacts the threat actors’ C&C server, sending information about the infected device, such as the MCC (Mobile Country Code) and MNC (Mobile Network Code), which can be used to identify the victim’s country and carrier. The C&C server returns a paid subscription page.
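The loading chain described above (an obfuscated native library that decrypts a payload out of the app’s assets and beacons the device’s MCC/MNC to the C&C) and the notification access that Fleckpe requests at first run all leave static traces in the APK. The following Python triage is an added example, not code from the original post or from Kaspersky: it scores those traits on a decoded manifest plus the archive listing. It runs offline on a constructed manifest and an in-memory APK-shaped zip (the package, class and file names are invented), assumes the manifest has already been decoded from binary AXML with a tool such as apktool, and uses a 7.5 bits-per-byte entropy threshold that is a working assumption rather than anything the post states.

```python
"""Static triage for the Fleckpe loading pattern.

Added example, not code from the original post or from Kaspersky. Takes a
decoded AndroidManifest.xml (e.g. from apktool; inside a real APK it is binary
AXML) plus the APK archive and scores the traits the post describes: a native
library, a high-entropy asset that looks like an encrypted payload, the
INTERNET permission and a service bound as a notification listener.
"""
import io
import math
import random
import xml.etree.ElementTree as ET
import zipfile
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, low for bitmaps or text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_manifest(manifest_xml: str) -> dict:
    """Pull the permission and notification-listener facts out of a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    listeners = [s.get(ANDROID_NS + "name") for s in root.iter("service")
                 if s.get(ANDROID_NS + "permission") == LISTENER_PERM]
    return {"internet": "android.permission.INTERNET" in perms,
            "notification_listeners": listeners}


def triage_archive(apk_bytes: bytes, min_size: int = 1024, threshold: float = 7.5) -> dict:
    """List native libraries and assets whose entropy suggests an encrypted blob."""
    native_libs, packed_assets = [], []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                native_libs.append(name)
            elif name.startswith("assets/") and not name.endswith("/"):
                data = z.read(name)
                if len(data) >= min_size and shannon_entropy(data) >= threshold:
                    packed_assets.append(name)
    return {"native_libs": native_libs, "packed_assets": packed_assets}


def score(manifest_facts: dict, archive_facts: dict) -> tuple:
    """Return (verdict, reasons); 'suspicious' only when all four traits coincide."""
    reasons = []
    if archive_facts["native_libs"]:
        reasons.append("native library: " + ", ".join(archive_facts["native_libs"]))
    if archive_facts["packed_assets"]:
        reasons.append("high-entropy asset: " + ", ".join(archive_facts["packed_assets"]))
    if manifest_facts["internet"]:
        reasons.append("INTERNET permission")
    if manifest_facts["notification_listeners"]:
        reasons.append("notification listener: " + ", ".join(manifest_facts["notification_listeners"]))
    verdict = "suspicious" if len(reasons) == 4 else "review" if len(reasons) >= 2 else "clean"
    return verdict, reasons


def triage(manifest_xml: str, apk_bytes: bytes) -> tuple:
    return score(triage_manifest(manifest_xml), triage_archive(apk_bytes))


# Constructed sample: decoded manifest of a hypothetical wallpaper app (package and
# class names are invented for this example and are not Fleckpe's).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaperpack">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Wallpapers">
    <activity android:name=".MainActivity"/>
    <service android:name=".NotifyService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def build_sample_apk(with_payload: bool = True) -> bytes:
    """Constructed APK-shaped zip: a stub native library, a two-byte-pattern asset
    (low entropy) and optionally a seeded pseudo-random blob standing in for the
    encrypted payload (entropy close to 8 bits per byte)."""
    rng = random.Random(20230504)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", SAMPLE_MANIFEST)
        z.writestr("lib/arm64-v8a/libloader.so", b"\x7fELF" + bytes(4096))
        z.writestr("assets/wallpaper_01.bin", b"\x00\xff" * 8192)
        if with_payload:
            z.writestr("assets/res.dat", bytes(rng.getrandbits(8) for _ in range(8192)))
    return buf.getvalue()


if __name__ == "__main__":
    verdict, reasons = triage(SAMPLE_MANIFEST, build_sample_apk())
    print(verdict)
    for reason in reasons:
        print(" -", reason)
```

A hit on all four traits is only a triage signal: plenty of legitimate apps ship native code and compressed assets, which is why the verdict degrades to “review” rather than “clean” when a trait is missing, and why an analyst should still extract the payload from the native library before calling a sample Fleckpe.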
The Trojan opens the page in an invisible web browser and attempts to subscribe on the user’s behalf. If the subscription requires a confirmation code, the malware takes it from the device’s notifications (access to which it requested at first run).

**_Intercepting notifications_**

Having found the code, the Trojan enters it in the appropriate field and completes the subscription. The victim goes on using the app’s legitimate functionality, installing wallpapers or editing photos, unaware that they have been subscribed to a paid service.

**_Entering the confirmation code_**

The Trojan keeps evolving. In recent versions, its creators upgraded the native library by moving most of the subscription code into it. The payload now only intercepts notifications and displays web pages, acting as a bridge between the native code and the Android components required for purchasing a subscription. This was done to significantly complicate analysis and make the malware harder to detect with security tools. Unlike the native library, the payload has next to no evasion capabilities, although the malicious actors did add some code obfuscation to the latest version.

**_Core logic inside the native method_**

### Victims

We found that the Trojan contained hard-coded Thai MCC and MNC values, apparently used for testing. Thai-speaking users notably dominated the reviews for the infected apps on Google Play. This led us to believe that this particular malware targeted users in Thailand, although our telemetry showed that there had also been victims in Poland, Malaysia, Indonesia and Singapore.

**_The Thai test MCC and MNC values_**

Kaspersky security products detect the malicious app as Trojan.AndroidOS.Fleckpe.

## Conclusion

Sadly, subscription Trojans have only gained popularity with scammers lately. Their operators have increasingly turned to official marketplaces like Google Play to spread their malware.
The growing complexity of these Trojans has allowed them to bypass many of the anti-malware checks implemented by the marketplaces and to remain undetected for long periods of time. Affected users often fail to discover the unwanted subscriptions right away, let alone find out how they came about. All this makes subscription Trojans a reliable source of illegal income in the eyes of cybercriminals.

To avoid infection and the financial loss that follows, we recommend being cautious with apps, even those from Google Play, not granting them permissions they have no reason to need, and installing an antivirus product capable of detecting this type of Trojan.

## IOCs

**Package names**

com.impressionism.prozs.app
com.picture.pictureframe
com.beauty.slimming.pro
com.beauty.camera.plus.photoeditor
com.microclip.vodeoeditor
com.gif.camera.editor
com.apps.camera.photos
com.toolbox.photoeditor
com.hd.h4ks.wallpaper
com.draw.graffiti
com.urox.opixe.nightcamreapro

**MD5**

[F671A685FC47B83488871AE41A52BF4C](https://opentip.kaspersky.com/F671A685FC47B83488871AE41A52BF4C/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[5CE7D0A72B1BD805C79C5FE3A48E66C2](https://opentip.kaspersky.com/5CE7D0A72B1BD805C79C5FE3A48E66C2/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[D39B472B0974DF19E5EFBDA4C629E4D5](https://opentip.kaspersky.com/D39B472B0974DF19E5EFBDA4C629E4D5/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[175C59C0F9FAB032DDE32C7D5BEEDE11](https://opentip.kaspersky.com/175C59C0F9FAB032DDE32C7D5BEEDE11/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[101500CD421566690744558AF3F0B8CC](https://opentip.kaspersky.com/101500CD421566690744558AF3F0B8CC/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[7F391B24D83CEE69672618105F8167E1](https://opentip.kaspersky.com/7F391B24D83CEE69672618105F8167E1/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[F3ECF39BB0296AC37C7F35EE4C6EDDBC](https://opentip.kaspersky.com/F3ECF39BB0296AC37C7F35EE4C6EDDBC/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[E92FF47D733E2E964106EDC06F6B758A](https://opentip.kaspersky.com/E92FF47D733E2E964106EDC06F6B758A/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[B66D77370F522C6D640C54DA2D11735E](https://opentip.kaspersky.com/B66D77370F522C6D640C54DA2D11735E/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[3D0A18503C4EF830E2D3FBE43ECBE811](https://opentip.kaspersky.com/3D0A18503C4EF830E2D3FBE43ECBE811/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[1879C233599E7F2634EF8D5041001D40](https://opentip.kaspersky.com/1879C233599E7F2634EF8D5041001D40/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[C5DD2EA5B1A292129D4ECFBEB09343C4](https://opentip.kaspersky.com/C5DD2EA5B1A292129D4ECFBEB09343C4/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[DD16BD0CB8F30B2F6DAAC91AF4D350BE](https://opentip.kaspersky.com/DD16BD0CB8F30B2F6DAAC91AF4D350BE/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[2B6B1F7B220C69D37A413B0C448AA56A](https://opentip.kaspersky.com/2B6B1F7B220C69D37A413B0C448AA56A/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[AA1CEC619BF65972D220904130AED3D9](https://opentip.kaspersky.com/AA1CEC619BF65972D220904130AED3D9/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[0BEEC878FF2645778472B97C1F8B4113](https://opentip.kaspersky.com/0BEEC878FF2645778472B97C1F8B4113/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[40C451061507D996C0AB8A233BD99FF8](https://opentip.kaspersky.com/40C451061507D996C0AB8A233BD99FF8/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[37162C08587F5C3009AFCEEC3EFA43EB](https://opentip.kaspersky.com/37162C08587F5C3009AFCEEC3EFA43EB/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[BDBBF20B3866C781F7F9D4F1C2B5F2D3](https://opentip.kaspersky.com/BDBBF20B3866C781F7F9D4F1C2B5F2D3/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[063093EB8F8748C126A6AD3E31C9E6FE](https://opentip.kaspersky.com/063093EB8F8748C126A6AD3E31C9E6FE/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[8095C11E404A3E701E13A6220D0623B9](https://opentip.kaspersky.com/8095C11E404A3E701E13A6220D0623B9/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[ECDC4606901ABD9BB0B160197EFE39B7](https://opentip.kaspersky.com/ECDC4606901ABD9BB0B160197EFE39B7/?utm_source=SL&utm_medium=SL&utm_campaign=SL)

**C&C**

[hxxp://ac.iprocam[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Fac.iprocam.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://ad.iprocam[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Fad.iprocam.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://ap.iprocam[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Fap.iprocam.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://b7.photoeffect[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Fb7.photoeffect.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://ba3.photoeffect[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Fba3.photoeffect.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://f0.photoeffect[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Ff0.photoeffect.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://m11.slimedit[.]live](https://opentip.kaspersky.com/http%3A%2F%2Fm11.slimedit.live/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://m12.slimedit[.]live](https://opentip.kaspersky.com/http%3A%2F%2Fm12.slimedit.live/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://m13.slimedit[.]live](https://opentip.kaspersky.com/http%3A%2F%2Fm13.slimedit.live/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://ba.beautycam[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Fba.beautycam.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://f6.beautycam[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Ff6.beautycam.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://f8a.beautycam[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Ff8a.beautycam.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://ae.mveditor[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Fae.mveditor.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://b8c.mveditor[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Fb8c.mveditor.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://d3.mveditor[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Fd3.mveditor.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://fa.gifcam[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Ffa.gifcam.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://fb.gifcam[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Ffb.gifcam.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://fl.gifcam[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Ffl.gifcam.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://a.hdmodecam[.]live](https://opentip.kaspersky.com/http%3A%2F%2Fa.hdmodecam.live/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://b.hdmodecam[.]live](https://opentip.kaspersky.com/http%3A%2F%2Fb.hdmodecam.live/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://l.hdmodecam[.]live](https://opentip.kaspersky.com/http%3A%2F%2Fl.hdmodecam.live/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://vd.toobox[.]online](https://opentip.kaspersky.com/http%3A%2F%2Fvd.toobox.online/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://ve.toobox[.]online](https://opentip.kaspersky.com/http%3A%2F%2Fve.toobox.online/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://vt.toobox[.]online](https://opentip.kaspersky.com/http%3A%2F%2Fvt.toobox.online/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://54.245.21[.]104](https://opentip.kaspersky.com/http%3A%2F%2F54.245.21.104/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://t1.twmills[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Ft1.twmills.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://t2.twmills[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Ft2.twmills.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://t3.twmills[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Ft3.twmills.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://api.odskguo[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Fapi.odskguo.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://gbcf.odskguo[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Fgbcf.odskguo.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)
[hxxp://track.odskguo[.]xyz](https://opentip.kaspersky.com/http%3A%2F%2Ftrack.odskguo.xyz/?utm_source=SL&utm_medium=SL&utm_campaign=SL)

Tags: [Google Android](https://securelist.com/tag/google-android/), [Malware Descriptions](https://securelist.com/tag/malware-descriptions/), [Malware Technologies](https://securelist.com/tag/malware-technologies/), [Mobile Malware](https://securelist.com/tag/mobile-malware/), [Trojan](https://securelist.com/tag/trojan/)
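To put the indicators above to use on a fleet or a home network, here is an added Python example (not code from the original post or from Kaspersky). It refangs the C&C entries exactly as they are listed, checks an `adb shell pm list packages -f` listing and the `enabled_notification_listeners` secure setting (the record of which apps hold notification access, the permission the post says Fleckpe asks for at first run) against the eleven package names, and matches dnsmasq-style DNS query log lines against the C&C hosts. The device output, the listener service class name and the log lines are constructed samples; the match on a host’s parent domain (for example a new subdomain of slimedit[.]live) is this example’s generalization and not something the post claims.

```python
"""Apply the Fleckpe IOCs listed above to device and network data.

Added example, not code from the original post or from Kaspersky. Inputs are
the text printed by `adb shell pm list packages -f`, the value of
`adb shell settings get secure enabled_notification_listeners`, and dnsmasq-style
DNS query log lines; all three are constructed samples here so it runs offline.
"""
import re
from urllib.parse import urlsplit

IOC_PACKAGES = {
    "com.impressionism.prozs.app", "com.picture.pictureframe", "com.beauty.slimming.pro",
    "com.beauty.camera.plus.photoeditor", "com.microclip.vodeoeditor", "com.gif.camera.editor",
    "com.apps.camera.photos", "com.toolbox.photoeditor", "com.hd.h4ks.wallpaper",
    "com.draw.graffiti", "com.urox.opixe.nightcamreapro",
}
IOC_C2 = [  # defanged exactly as in the post's C&C list
    "hxxp://ac.iprocam[.]xyz", "hxxp://ad.iprocam[.]xyz", "hxxp://ap.iprocam[.]xyz",
    "hxxp://b7.photoeffect[.]xyz", "hxxp://ba3.photoeffect[.]xyz", "hxxp://f0.photoeffect[.]xyz",
    "hxxp://m11.slimedit[.]live", "hxxp://m12.slimedit[.]live", "hxxp://m13.slimedit[.]live",
    "hxxp://ba.beautycam[.]xyz", "hxxp://f6.beautycam[.]xyz", "hxxp://f8a.beautycam[.]xyz",
    "hxxp://ae.mveditor[.]xyz", "hxxp://b8c.mveditor[.]xyz", "hxxp://d3.mveditor[.]xyz",
    "hxxp://fa.gifcam[.]xyz", "hxxp://fb.gifcam[.]xyz", "hxxp://fl.gifcam[.]xyz",
    "hxxp://a.hdmodecam[.]live", "hxxp://b.hdmodecam[.]live", "hxxp://l.hdmodecam[.]live",
    "hxxp://vd.toobox[.]online", "hxxp://ve.toobox[.]online", "hxxp://vt.toobox[.]online",
    "hxxp://54.245.21[.]104", "hxxp://t1.twmills[.]xyz", "hxxp://t2.twmills[.]xyz",
    "hxxp://t3.twmills[.]xyz", "hxxp://api.odskguo[.]xyz", "hxxp://gbcf.odskguo[.]xyz",
    "hxxp://track.odskguo[.]xyz",
]
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(\S+)")  # dnsmasq: "query[A] <name> from <ip>"


def refang(indicator: str) -> str:
    """Turn the defanged form used in the IOC list back into a real URL."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def c2_hosts() -> set:
    return {urlsplit(refang(i)).hostname for i in IOC_C2}


def apex(host: str) -> str:
    """Registrable domain; assumes single-label public suffixes (.xyz, .live, .online)."""
    return ".".join(host.split(".")[-2:])


def installed_hits(pm_output: str) -> list:
    """Match `pm list packages` lines (package:<path>=<name> or package:<name>)."""
    hits = []
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkg = line[len("package:"):].rsplit("=", 1)[-1]
            if pkg in IOC_PACKAGES:
                hits.append(pkg)
    return hits


def listener_grants(setting_value: str) -> list:
    """Packages holding notification access; the setting is pkg/Service entries joined by ':'."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [entry.split("/", 1)[0] for entry in value.split(":") if entry]


def dns_hits(log_lines) -> list:
    """(name, 'exact'|'apex') for queries to a listed host or under a listed domain."""
    hosts = c2_hosts()
    apexes = {apex(h) for h in hosts if not IPV4_RE.fullmatch(h)}
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        if name in hosts:
            hits.append((name, "exact"))
        elif apex(name) in apexes:
            hits.append((name, "apex"))
    return hits


def audit(pm_output: str, listeners_setting: str, dns_lines) -> dict:
    grants = [p for p in listener_grants(listeners_setting) if p in IOC_PACKAGES]
    return {"installed": installed_hits(pm_output),
            "listener_grants": grants, "dns": dns_hits(dns_lines)}


# Constructed samples: one IOC package installed and holding notification access
# (its service class name is invented), plus queries for one listed host and one
# unlisted host under a listed domain.
SAMPLE_PM = """package:/data/app/~~aa==/com.android.chrome-1/base.apk=com.android.chrome
package:/data/app/~~bb==/com.beauty.slimming.pro-1/base.apk=com.beauty.slimming.pro
package:com.example.notes"""
SAMPLE_LISTENERS = "com.beauty.slimming.pro/.NotifyService:com.example.wear/.ListenerSvc"
SAMPLE_DNS = [
    "May  4 10:01:02 dnsmasq[412]: query[A] ac.iprocam.xyz from 10.0.0.21",
    "May  4 10:01:03 dnsmasq[412]: query[A] cdn.example.org from 10.0.0.21",
    "May  4 10:02:10 dnsmasq[412]: query[A] new7.slimedit.live from 10.0.0.21",
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PM, SAMPLE_LISTENERS, SAMPLE_DNS).items():
        print(f"{key}: {value}")
```

On a real device the two inputs come from `adb shell pm list packages -f` and `adb shell settings get secure enabled_notification_listeners`. A package that appears in the second list without being a launcher, wearable companion or similar is worth questioning even when it is absent from the package list above, since those eleven names cover only the apps found so far.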