Malware disguised as a Netflix app lurking on the Google Play store has been spreading through WhatsApp messages.
According to researchers, the malware masqueraded as an app called ‘FlixOnline’, which was advertised via WhatsApp messages promising ‘2 Months of Netflix Premium Free Anywhere in the World for 60 days’. Once installed, however, the malware set about stealing data and credentials.
The malware was designed to listen for incoming WhatsApp messages and automatically respond to any that the victims receive, with the content of the response crafted by the cyber criminals. The responses attempt to lure others with the offer of a free Netflix service, and contain links to a spoofed version of the streaming service’s website that phishes for credentials and credit card information.
Researchers said: “The app turned out to be a fake service that claims to allow users to view Netflix content from around the world on their mobile devices. However, instead of allowing the mobile user to view Netflix content, the application monitors a user’s WhatsApp notifications, sending automatic replies to a user’s incoming messages using content that it receives from a remote server.”
Over the course of the two months that the app was live on Google Play, the malware racked up 500 victims. Despite the app having been removed by Google, the malware family is likely here to stay and may return hidden in a different app, according to researchers. The malware was also able to self-propagate, sending messages to users’ WhatsApp contacts and groups with links to the fake app. So, although the app can no longer reach new victims through the Play Store, the 500 users already affected may still be sharing the malware inadvertently.
The malware’s technique is fairly new and innovative, which is how it was disguised so easily and bypassed the Google Play Store’s protections; that alone raises some serious red flags. Once the application is downloaded from the Play Store and installed, it requests three specific permissions: Overlay, Battery Optimisation Ignore and Notification Listener. These allow it to carry out the nefarious activity described earlier.
After permissions are granted, the malware displays a landing page it receives from the command-and-control server (C2), removes its icon from the home screen, and then periodically pings the C2 for configuration updates. When it comes to the WhatsApp messages, the malware uses a function called OnNotificationPosted to check the package name of the application that created a given notification. If the application is WhatsApp, the malware will ‘process’ the notification: it cancels the notification, hiding it from the user, and then reads the title and content of the message received.
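The Notification Listener access described above is what lets the app read and suppress WhatsApp messages, and it is a permission few legitimate apps need. The following script is an added example (not code from the article or from Neuways) showing how a defender can audit which packages on an Android device hold that access. On a real device the raw value is read with `adb shell settings get secure enabled_notification_listeners`; here a constructed sample value stands in for that output, and the package name `com.example.suspicious` is an invented placeholder, not the real FlixOnline package.

```shell
#!/bin/sh
# Added example (not from the article or from Neuways): audit which apps hold
# the Notification Listener access that FlixOnline abused.
# On a real device the raw value comes from:
#   adb shell settings get secure enabled_notification_listeners
# which prints "null" when no app has the access, or a colon-separated list
# of "package/ListenerClass" entries.

# Constructed sample value standing in for the adb output. The second entry
# is an invented placeholder package, not the real FlixOnline package name.
SAMPLE_LISTENERS='com.android.systemui/com.android.systemui.statusbar.phone.NotificationListener:com.example.suspicious/com.example.suspicious.NotifService'

# Space-separated allowlist of packages expected to hold notification access
# on this device (assumption: adjust for your own fleet).
KNOWN_LISTENERS='com.android.systemui'

# listener_packages RAW: print one package name per line, deduplicated.
# Handles the "null" / empty value the setting returns when nothing is enabled.
listener_packages() {
    raw=$1
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$raw" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*$#\1#p' | sort -u
}

# unexpected_listeners RAW ALLOWLIST: print packages with notification access
# that are not on the allowlist, i.e. the ones worth reviewing.
unexpected_listeners() {
    raw=$1
    allow=$2
    listener_packages "$raw" | while IFS= read -r pkg; do
        case " $allow " in
            *" $pkg "*) ;;                 # expected on this device
            *) printf '%s\n' "$pkg" ;;     # flag for review
        esac
    done
}

# Stand-alone run against the constructed sample.
echo "Apps with notification access:"
listener_packages "$SAMPLE_LISTENERS"
echo "Not on the allowlist:"
unexpected_listeners "$SAMPLE_LISTENERS" "$KNOWN_LISTENERS"
```

To run it against a connected device, replace the sample with the live value, for example `unexpected_listeners "$(adb shell settings get secure enabled_notification_listeners | tr -d '\r')" "$KNOWN_LISTENERS"`. The other two permissions the article names can be checked in the same spirit: overlay permission per package with `adb shell appops get <package> SYSTEM_ALERT_WINDOW`, and battery-optimisation exemptions with `adb shell dumpsys deviceidle whitelist`. Any package that has all three and no obvious reason to need them is a candidate for removal.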
This isn’t the first app from the official Android app store that has contained malware or trojans. In March 2021, for instance, nine malicious apps were discovered on Google Play, harbouring a malware dropper that paves the way for attackers to remotely steal financial data from Android phones. And in January, Google removed 164 apps which were downloaded a total of 10 million times, as they were delivering disruptive ads.
Neuways advises users to be wary of any download links or attachments received via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups, as those contacts could have been affected by a malicious Android app. If users find that a fake app is installed on their device, they should immediately remove the suspect application and change all of their passwords.