A new Android malware was found on Google’s Play Store disguised as a Netflix tool; it spreads to other devices by auto-replying to incoming WhatsApp messages.
The malware, discovered by researchers at Check Point Research (CPR), was disguised as an app named FlixOnline that lured victims with the promise of a free premium Netflix subscription.
CPR disclosed its findings to Google, which removed the malicious application from the Play Store.
The malicious FlixOnline app was downloaded by around 500 users within the two months it was available for download on the store.
When the app is installed from the Play Store, the malware starts a service that requests three things: permission to draw overlays on top of other apps, an exemption from battery optimization, and notification access.
Once these are granted, the malware can draw overlays over other apps’ windows to steal credentials, keep the system from killing its process to save power, and read app notifications, including dismissing them or replying to the messages behind them.
It then watches for new WhatsApp notifications and auto-replies to every incoming message with text fetched from its command-and-control server and crafted by the operators.
According to Aviran Hazum, Manager of Mobile Intelligence at Check Point, the technique hijacks the connection to WhatsApp by capturing its notifications and taking predefined actions, such as ‘dismiss’ or ‘reply’, via the Notification Manager.
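The three grants described above (notification access, an overlay permission and a battery-optimization exemption) are individually common but rarely needed together by one app, so their combination is a useful triage signal on a device suspected of carrying this kind of malware. The following is an added example, not code from CPR or from the malware: it parses constructed copies of what `adb shell settings get secure enabled_notification_listeners`, `adb shell dumpsys deviceidle whitelist` and `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` print, and flags any non-baseline package holding all three. The package names, the baseline set and the exact output formats are assumptions (the formats follow common Android builds but vary by OEM and OS version).

```python
import re
from typing import Dict, List, Set

# Constructed sample outputs, not real device captures. Package names are
# made up; the line formats mirror common Android builds (assumption).
SAMPLE_LISTENERS = (
    "com.android.systemui/.notification.SysUiListener"
    ":com.example.flixtool/com.example.flixtool.NotifService"
    ":com.example.autoreply/.ListenerService"
)

SAMPLE_DEVICEIDLE_WHITELIST = """\
system,com.android.vending,10090
system,com.google.android.gms,10052
user,com.example.flixtool,10237
user,com.example.fitness,10244
"""

SAMPLE_APPOPS: Dict[str, str] = {
    "com.android.systemui": "No operations.",
    "com.example.flixtool": "SYSTEM_ALERT_WINDOW: allow; time=+2d3h11m2s541ms ago",
    "com.example.autoreply": "SYSTEM_ALERT_WINDOW: deny; time=+5h1m0s12ms ago",
    "com.example.fitness": "No operations.",
}

# Packages expected to hold notification access on a stock device.
# Assumption: only SystemUI here; extend per fleet.
BASELINE_LISTENERS: Set[str] = {"com.android.systemui"}


def parse_notification_listeners(setting_value: str) -> Set[str]:
    """Package names from the colon-separated enabled_notification_listeners
    setting. The setting prints 'null' when no listener is enabled."""
    pkgs: Set[str] = set()
    for component in setting_value.strip().split(":"):
        if component and component != "null":
            pkgs.add(component.split("/", 1)[0])  # ComponentName -> package
    return pkgs


def parse_deviceidle_whitelist(dump: str) -> Set[str]:
    """Packages the user exempted from Doze/battery optimization.
    Lines look like 'user,<pkg>,<uid>'; 'system,...' lines are ignored."""
    pkgs: Set[str] = set()
    for line in dump.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] == "user":
            pkgs.add(parts[1])
    return pkgs


_APPOP_RE = re.compile(r"^SYSTEM_ALERT_WINDOW:\s*(\w+)", re.MULTILINE)


def overlay_allowed(appops_output: str) -> bool:
    """True when `appops get <pkg> SYSTEM_ALERT_WINDOW` reports 'allow'."""
    m = _APPOP_RE.search(appops_output)
    return bool(m) and m.group(1) == "allow"


def triage(listeners_value: str, deviceidle_dump: str,
           appops_by_pkg: Dict[str, str],
           baseline: Set[str] = BASELINE_LISTENERS) -> List[dict]:
    """One finding per non-baseline package with notification access,
    scored by how many of the three FlixOnline-style grants it holds."""
    listeners = parse_notification_listeners(listeners_value) - set(baseline)
    doze_exempt = parse_deviceidle_whitelist(deviceidle_dump)
    findings = []
    for pkg in sorted(listeners):
        overlay = overlay_allowed(appops_by_pkg.get(pkg, ""))
        exempt = pkg in doze_exempt
        findings.append({
            "package": pkg,
            "notification_access": True,
            "overlay": overlay,
            "doze_exempt": exempt,
            "score": 1 + int(overlay) + int(exempt),
        })
    return findings


def high_risk(listeners_value: str, deviceidle_dump: str,
              appops_by_pkg: Dict[str, str]) -> List[str]:
    """Packages holding all three grants: the combination worth a manual look."""
    return [f["package"] for f in triage(listeners_value, deviceidle_dump, appops_by_pkg)
            if f["score"] == 3]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LISTENERS, SAMPLE_DEVICEIDLE_WHITELIST, SAMPLE_APPOPS):
        print(finding)
    print("high risk:", high_risk(SAMPLE_LISTENERS, SAMPLE_DEVICEIDLE_WHITELIST, SAMPLE_APPOPS))
```

On a real device, replace the constructed strings with the output of the three adb commands (run `appops get` once per package that appears in the listener list). Notification access alone is what legitimate auto-reply and wearable apps need, so the score, not the listener list by itself, is the signal; a package scoring 3 that was not deliberately installed for that purpose is the one to pull and inspect.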
The automatic responses observed in this campaign redirected the victims to a fake Netflix site that tried to collect their credentials and credit card information.
By using this malware, the attackers could perform malicious activities such as:
- Spreading further malware via malicious links
- Stealing data from users’ WhatsApp accounts
- Spreading fake or malicious messages to users’ WhatsApp contacts and groups (for example, work-related groups)
- Extorting users by threatening to send sensitive WhatsApp data or conversations to all of their contacts
Users should be wary of download links or attachments received via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or groups.
Even though CPR stopped this campaign, the researchers suspect the malware family may return in other apps on the Play Store.
Image Credits: Android Authority