By sending messages offering free Netflix Premium for 60 days, the wormable malware spread from Android to Android.
Researchers discovered malware disguised as a Netflix app on the Google Play store that spread through WhatsApp messages.
According to a Check Point Research review published on Wednesday, the malware pretended to be an app called “FlixOnline,” which advertised “2 Months of Netflix Premium Free Anywhere in the World for 60 Days” through WhatsApp messages. When installed, however, the malware immediately begins stealing data and credentials.
The malware was created to listen for incoming WhatsApp messages and react automatically to any that the victims receive, with the content of the response crafted by the attackers. According to researchers, the responses attempted to entice others with the promise of a free Netflix subscription and included links to a fake Netflix site that phished for credentials and credit card details.
According to the study, “the app turned out to be a fake service that claims to enable users to watch Netflix content from around the world on their mobile devices.” “However, rather than allowing a smartphone user to access Netflix content, the software is designed to track a user’s WhatsApp updates, sending automated responses to incoming messages using content received from a remote server.”
The malware could also spread itself by sending messages with links to the fake app to users’ WhatsApp contacts and groups. “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days,” the automated messages read. [Bitly link] to get it right now.”
According to Check Point, the malware racked up 500 victims in the two months it was available on Google Play. Google was notified of the malware, and the programme was taken down as a result. Researchers cautioned that “the malware family is definitely here to stay and could return hidden in a different app.”
The malware’s strategy is “relatively fresh and groundbreaking,” according to Aviran Hazum, Check Point’s manager of Mobile Intelligence. “The strategy here is to hijack the WhatsApp link by catching alerts, as well as the ability to take predefined actions through the Notification Manager, such as ‘dismiss’ or ‘reply.’ The ease with which the malware may be disguised and eventually circumvent the Play Store’s defences raises some major red flags.”
WhatsApp Notifications are intercepted by FlixOnline.
According to the Check Point review, once the software is downloaded and installed, it demands three separate permissions: Overlay, Battery Optimization Ignore, and Notification Listener.
According to the researchers, overlay enables a malicious programme to build new windows on top of other applications.
“Malware usually requests this to create a bogus log-in screen for other apps in order to steal the victim’s credentials,” they clarified.
Meanwhile, the Ignore Battery Optimizations permission prevents the malware from being turned off while the phone is in standby mode, as most Android apps do to conserve battery power. This enabled the “FlixOnline” app to run in the background, listening and sending fake messages even when the phone was turned off.
The Notification Listener permission, according to Check Point, gives the malware access to all notifications related to messages sent to the device, as well as the ability to “automatically perform specified actions such as “dismiss” and “reply” to messages received on the device.”
The malware then shows a landing page it received from the command-and-control server (C2) and deletes its icon from the home screen after the permissions are issued. It then pings the C2 for configuration updates on a regular basis.
According to the report, “the service can achieve these objectives by using a variety of methods.” “For example, an alarm registered as the BOOT COMPLETED action, which is called after the system has completed the boot phase, may activate the service.”
When decoding WhatsApp messages, the malware checks for the package name of the application that created the notification using a feature called OnNotificationPosted. According to Check Point, if that programme is WhatsApp, the malware would “process” the notification. This entails cancelling the notification (to conceal it from the user) and then reading the notification’s title and text.
“Next, it looks for the part that handles inline responses, which is used to send the reply using the payload obtained from the C2 server,” the researchers explained.
Apps with Malware on Google Play
Malicious and trojanized applications are sadly not uncommon in the official Android app store. Nine malicious apps were discovered on Google Play in March, each containing a malware dropper that allows attackers to remotely steal financial data from Android phones. In January, Google removed 164 applications that had been downloaded a total of 10 million times because they were displaying intrusive advertisements.
Meanwhile, the Joker malware was already wreaking havoc on Google Play apps last year. Joker is a mobile trojan that specialises in a form of billing fraud known as “fleeceware.” It has been around since 2017. The Joker apps present themselves as genuine applications (like games, wallpapers, messengers, translators and photo editors, mainly). If installed, they imitate clicks and intercept SMS messages in order to trick victims into paying for premium services they don’t want. SMS texts, contact lists, and device details are also stolen by the apps.
What Can Android Users Do to Protect Their Devices?
Users should be cautious of download links or attachments obtained via WhatsApp or other messaging apps, even if they seem to come from trusted contacts or messaging groups, according to Check Point.
If a user discovers a fake app on their account, they should delete it immediately and change all passwords.