Wormable Android malware is spreading through WhatsApp messages

Researchers found the malware hidden in an app pretending to be Netflix on the Google Play store

A new type of Android malware has been discovered in an app on Google Play that can spread itself using fake WhatsApp messages.

Check Point Research made the discovery and found that if a user downloaded the fake application and gave it the appropriate permissions, the malware would be capable of automatically replying to the victims’ incoming WhatsApp messages with a payload received from a command-and-control (C&C) server.

“This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more,” stated the cyber security researchers.

The malware could send further malicious content via automated replies to incoming WhatsApp messages.

The researchers found the malware hidden in an app called “FlixOnline” which is a fake service that claims to allow users to view Netflix content from around the world on their mobile.

Flix Online Malware pretending to be Netflix

“However, instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor the user’s WhatsApp notifications, and to send automatic replies to the user’s incoming messages using content that it receives from a remote command and control (C&C) server,” stated CPR.

The malware sends this message to its victims, and lures them with an offer of a free Netflix service: “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw.”

Check Point said that with this technique, a threat actor could carry out a wide range of malicious activities including spreading further malware, stealing data from users’ WhatsApp accounts and extorting users by threatening to send sensitive WhatsApp data or conversations to all of their contacts.

When the app is downloaded and installed, it requests permissions for “Overlay”, “Battery Optimization Ignore” and “Notifications”. 

Related Resource

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

How to manage security risk and compliance - whitepaperDownload now

Overlay allows the app to create new windows on top of other applications, usually requested to create a fake “login” screen for other apps in order to steal the victim’s credentials. The Battery Optimization permission stops the malware from being shut down by the device’s battery optimization routine. Lastly, while Notification access allows the malware to access all notifications related to messages sent to the device and grants the ability to automatically “dismiss” and “reply” to the messages.

Once Check Point had discovered the malware, it reported it to Google who quickly removed the application from the Play Store. “Over the course of two months, the “FlixOnline” app was downloaded approximately 500 times,” said CPR.

Malware is also spreading on other platforms, including LinkedIn where the Golden Chicken hacking group is targeting its users with fake job offers to infect them with a malware strain that granted them access to victims' computers.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

New malware uses search engine ads to target pirate gamers
malware

New malware uses search engine ads to target pirate gamers

21 Jul 2021
Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021

Most Popular

RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Zyxel USG Flex 200 review: A timely and effective solution
Security

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021