Researchers at Check Point Research (CPR) discovered Android malware distributed through the Google Play Store disguised as a Netflix app. The app spreads to other devices by automatically replying to incoming WhatsApp messages. It was downloaded about 500 times in the two months it was available in the store.
FlixOnline, the fake Android app, tries to lure potential victims with claims about free access to Netflix.
Once the user installs the mobile app, the malware immediately requests elevated permissions: drawing over other apps, exemption from battery optimization, and access to notifications.
These permissions let the malware show overlay windows for stealing credentials, keep its background process alive by exempting it from the device's battery optimization so it can monitor incoming messages continuously, read app notifications to catch new messages, and manage and reply to those messages.
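One way a defender or analyst can hunt for apps holding this permission combination on an adb-attached device, as an added example that is not part of the original report: it assumes adb access and the output formats of `settings get secure enabled_notification_listeners`, `appops get` and `dumpsys deviceidle whitelist` noted in the comments, and the package names in the sample data are constructed placeholders, not the real app's identifier.

```python
"""Added triage example (not CPR's tooling): flag packages on an adb-attached device that
hold the combination described above -- notification access, draw-over-other-apps and a
battery-optimization exemption. Package names in the sample data are placeholders."""
import re
import subprocess

# Assumption: packages legitimately expected to hold notification access; adjust per fleet.
ALLOWLIST = {"com.google.android.gms", "com.android.systemui"}

def adb_shell(cmd):
    return subprocess.run(["adb", "shell", cmd], capture_output=True, text=True, check=True).stdout

def listener_packages(setting):
    """`settings get secure enabled_notification_listeners` gives ':'-separated
    ComponentNames (pkg/pkg.ListenerService); keep only the package part."""
    setting = setting.strip()
    if setting in ("", "null"):  # no listener granted at all
        return set()
    return {comp.split("/", 1)[0] for comp in setting.split(":") if comp}

def has_overlay(appops_out):
    """`appops get <pkg> SYSTEM_ALERT_WINDOW` prints 'SYSTEM_ALERT_WINDOW: allow' when granted."""
    return re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_out) is not None

def user_idle_whitelist(dumpsys_out):
    """`dumpsys deviceidle whitelist` prints '<origin>,<pkg>,<uid>'; 'user' rows are
    exemptions granted at runtime, the path an app installed from Play would take."""
    rows = (line.strip().split(",") for line in dumpsys_out.splitlines())
    return {r[1] for r in rows if len(r) == 3 and r[0] == "user"}

def find_suspicious(listeners_setting, dumpsys_out, overlay_lookup):
    """Packages outside ALLOWLIST holding all three capabilities, sorted."""
    exempt = user_idle_whitelist(dumpsys_out)
    return sorted(p for p in listener_packages(listeners_setting) - ALLOWLIST
                  if p in exempt and has_overlay(overlay_lookup(p)))

# Constructed sample output standing in for a live device (placeholder package names).
SAMPLE_LISTENERS = ("com.google.android.gms/.auth.NotifSvc:"
                    "com.example.fakeflix/com.example.fakeflix.NotifListener:"
                    "com.example.mailer/com.example.mailer.Listener")
SAMPLE_WHITELIST = "system,com.android.vending,10041\nuser,com.example.fakeflix,10123\n"
SAMPLE_APPOPS = {"com.example.fakeflix": "SYSTEM_ALERT_WINDOW: allow; time=+3m2s ago\n"}

def triage_sample():
    return find_suspicious(SAMPLE_LISTENERS, SAMPLE_WHITELIST,
                           lambda p: SAMPLE_APPOPS.get(p, "No operations.\n"))

if __name__ == "__main__":  # live run against the attached device
    print(find_suspicious(adb_shell("settings get secure enabled_notification_listeners"),
                          adb_shell("dumpsys deviceidle whitelist"),
                          lambda p: adb_shell(f"appops get {p} SYSTEM_ALERT_WINDOW")))
```

The mailer package in the sample holds notification access but no battery exemption, so only the package with all three capabilities is reported.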
The app’s main activity is monitoring for new WhatsApp messages. When the user receives a new message, FlixOnline can auto-reply with custom text crafted by its operators and loaded from the command-and-control server.
“The technique here is to hijack the connection to WhatsApp by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager,” said Aviran Hazum, Manager of Mobile Intelligence at Check Point.
The malware can allow the attackers to perform various malicious activities, including dropping additional malware via malicious links, extortion campaigns threatening to publicly reveal sensitive WhatsApp conversations or data, stealing data from users’ WhatsApp accounts, and more.
It is unknown how the app’s developers managed to get it onto the Play Store, but the fact that they did is very concerning, researchers say:
“The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags.”
CPR researchers said the automatic responses in this campaign redirected users to a web page resembling Netflix’s site. The page contains forms that harvest user credentials and credit card information.
CPR discreetly disclosed its findings to Google, and the company has already removed the fake application from the Play Store.