Skip to ContentSkip to Footer
News

Wormable Android malware is spreading through WhatsApp

The new strain poses as a Huawei app which users are tricked into downloading from a fake Google Play Store link

by: Keumars Afifi-Sabet
25 Jan 2021
An anonymous mobile phone user using their device in a darkened room

Shutterstock

Android users are being warned against a wormable strain of malware that spreads itself by automatically replying to victims' WhatsApp messages with a malicious link.

The link this Android malware spreads through WhatsApp connects its victims with a convincing web page resembling Google’s Play Store, and a request to install a fake ‘Huawei Mobile’ app onto a user’s device.

This is according to ESET security researcher Lukas Stefanko, who published a short analysis of the malware’s mechanisms.

Should users install and activate the malicious app, it’ll immediately ask for various permissions to perform its key functions, including access to contacts and permission to draw over other apps. This latter feature means it can run in the background while other apps are in use on the victim’s device. 

Users are also presented with a request to ignore battery optimisation, which if activated, means the app cannot be killed by the system if spare resources are needed.

Finally, the malicious app demands access to notifications, specifically WhatsApp notifications, so it can scan for incoming messages and distribute further among contacts.

Once all the permissions are guaranteed and the malicious app is set up, it runs in the background and waits for instructions from the command and control server, as well as incoming WhatsApp messages so it can spread. 

When messages are received through WhatsApp, the malware scans for these and automatically sends a reply on the user’s behalf which includes the malicious link. This is accompanied with a message asking the contact to visit the fabricated Play Store page and download the fake Huawei app.

Stefano also examined the malware to show that it surreptitiously only messages the malicious link to one contact once per hour. This is in order for the app not to arouse suspicions and remain in operation for as long as possible before detection and removal.

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
Weakness in Mamba ransomware could help recover data
ransomware

Weakness in Mamba ransomware could help recover data

26 Mar 2021
Invoice ZLoader campaign hides within encrypted Excel docs
malware

Invoice ZLoader campaign hides within encrypted Excel docs

8 Mar 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
Xiaomi Redmi Note 10 Pro review: Champagne tastes on a lemonade budget
Mobile Phones

Xiaomi Redmi Note 10 Pro review: Champagne tastes on a lemonade budget

13 Apr 2021
NSA uncovers new "critical" flaws in Microsoft Exchange Server
servers

NSA uncovers new "critical" flaws in Microsoft Exchange Server

14 Apr 2021
Skip to HeaderSkip to Content