The cybersecurity team at Check Point Research (CPR) has discovered a new form of malware in an app on the Google Play Store.
This malware was hidden in a fake application that could be installed from the Play Store. The app, named FlixOnline, enticed users by promising free “Netflix” subscriptions. Although the fraudulent app has been removed from the Play Store, it had a whopping 500 downloads over a period of two months.
The application is designed to scan the user’s WhatsApp messages and to send automatic replies to incoming WhatsApp messages with the help of a command and control (C&C) server. FlixOnline also uses intrusive permissions to create a fake login interface, which helps the attackers get their hands on the user’s personal data. The data is then used to hide WhatsApp notifications and reply automatically.
According to the latest research, when installed on an Android device this malware can propagate further via malicious links, steal data from WhatsApp accounts, and potentially spread false information and harmful content through WhatsApp messages and notifications.
The malware is very innovative and unusual. “I don’t remember reading and analyzing any Android malware having such functionality to spread itself via WhatsApp messages,” said Lukas Stefanko, a researcher from ESET. The technique here is to hijack the connection to WhatsApp by capturing its notifications, with the ability to trigger predefined actions like “dismiss” or “reply” via a Notification Manager.
HOW DOES IT WORK?
Once a user has downloaded the app, the malware “listens in” on WhatsApp conversations and auto-replies. After installation, the app pops up a box requesting the “Overlay”, “Notification” and “Battery Optimization Ignore” permissions, which is considered the most important part of the theft. The Overlay permission allows new windows to be opened on top of other apps, so that fake login interfaces can steal important user data. The Notification permission allows attackers to view notifications for the user’s messages, including their “reply” and “dismiss” options. Lastly, Battery Optimization Ignore ensures that the malware keeps running even when the device is not being used.
The pandemic has forced many of us to stay at home for a prolonged period. With shops shut, bars shut, and limited numbers of excursions available, we have turned to streaming services. By the end of 2020, paid Netflix subscriptions had reached almost 200 million, and malware authors decided to jump on that trend. Approximately 500 victims were affected through the FlixOnline scam. CPR informed the Google Play Store about this malware and it has been removed from the store, but chances are that it might reappear.