Disguised as a Netflix content enabler, an app named ’FlixOnline’ has been distributing Android malware via malicious auto-replies to incoming WhatsApp messages.
DISGUISED as a Netflix content enabler, an app named ’FlixOnline’ has been distributing Android malware via malicious auto-replies to incoming WhatsApp messages.
Check Point Research (CPR) discovered a new and innovative malicious threat on the Google Play app store which spreads itself via mobile users’ WhatsApp conversations and can also send further malicious content via automated replies to incoming WhatsApp messages.
Researchers found the malware hidden within an app on Google Play called ’FlixOnline’.
The app is a fake service that claims to allow users to view Netflix content from all around the world on their mobiles – and we all know how much we love the idea of that.
However, instead of allowing the user to view Netflix content, the app monitors the user’s WhatsApp notifications and sends automatic replies to the user’s incoming messages using content that it receives from what is called a remote command and control (C&C) server.
By replying to incoming WhatsApp messages with a payload from a C&C server, this method enables the hacker to distribute phishing attacks, spread further malware, or spread false information or steal credentials and data from users’ WhatsApp account and conversations.
The malware sends the following response to its victims, luring them with the offer of a free Netflix service:
“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw.”
Once this is clicked on or replied to, the threat actor is able to spread further malware via malicious links, steal data from users’ WhatsApp accounts, and spread fake or malicious messages to users’ WhatsApp contacts and groups
How the malware works
When the application is downloaded from the Play Store and installed, the malware starts a service that requests ‘Overlay’, ‘Battery Optimization Ignore’, and ‘Notification’ permissions. This is what those permissions mean:
– Overlay allows a malicious application to create new windows on top of other applications.
This is requested by malware to create a fake “Login” screen for other apps, in a bid to steal victim’s credentials.
– Ignore Battery Optimizations stops the malware from being shut down by the device’s battery optimization routine, even after it is idle for an extended period.
– Notification access in this case is a Notification Listener service. Once enabled, this permission provides the malware with access to all notifications related to messages sent to the device, and the ability to automatically perform designated actions such as “dismiss” and “reply” to messages received on the device.
Once these permissions are granted, the malware then has absolutely everything it needs to start distributing its malicious payloads and even responding to incoming WhatsApp messages with auto-generated replies.
Through these auto-generated replies, a hacker can not only steal data but also cause trouble on work-related chat groups. It can also result in extortion.
Google has removed the application from the Play Store, but the damage has been done to a number of users. Over the course of two months, the FlixOnline app was downloaded approximately 500 times.
To protect yourself against mobile malware, it is important to do regular OS updates. This is to protect against the exploitation of privilege escalation vulnerabilities.
Also, make sure to install apps from official app stores that are approved.
If your phone has it, enable ‘remote wipe’ capability. This will minimise the probability of loss of sensitive data.