Wormable Android malware is spreading through WhatsApp messages
Researchers found the malware hidden in an app pretending to be Netflix on the Google Play store
A new type of Android malware has been discovered in an app on Google Play that can spread itself using fake WhatsApp messages.
Check Point Research made the discovery and found that if a user downloaded the fake application and gave it the appropriate permissions, the malware would be capable of automatically replying to the victims’ incoming WhatsApp messages with a payload received from a command-and-control (C&C) server.
“This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more,” stated the cyber security researchers.
The malware could send further malicious content via automated replies to incoming WhatsApp messages.
The researchers found the malware hidden in an app called “FlixOnline” which is a fake service that claims to allow users to view Netflix content from around the world on their mobile.
“However, instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor the user’s WhatsApp notifications, and to send automatic replies to the user’s incoming messages using content that it receives from a remote command and control (C&C) server,” stated CPR.
The malware sends this message to its victims, and lures them with an offer of a free Netflix service: “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw.”
Check Point said that with this technique, a threat actor could carry out a wide range of malicious activities including spreading further malware, stealing data from users’ WhatsApp accounts and extorting users by threatening to send sensitive WhatsApp data or conversations to all of their contacts.
When the app is downloaded and installed, it requests permissions for “Overlay”, “Battery Optimization Ignore” and “Notifications”.
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisationDownload now
Overlay allows the app to create new windows on top of other applications, usually requested to create a fake “login” screen for other apps in order to steal the victim’s credentials. The Battery Optimization permission stops the malware from being shut down by the device’s battery optimization routine. Lastly, while Notification access allows the malware to access all notifications related to messages sent to the device and grants the ability to automatically “dismiss” and “reply” to the messages.
Once Check Point had discovered the malware, it reported it to Google who quickly removed the application from the Play Store. “Over the course of two months, the “FlixOnline” app was downloaded approximately 500 times,” said CPR.
Malware is also spreading on other platforms, including LinkedIn where the Golden Chicken hacking group is targeting its users with fake job offers to infect them with a malware strain that granted them access to victims' computers.
Unlocking collaboration: Making software work better together
How to improve collaboration and agility with the right techDownload now
Four steps to field service excellence
How to thrive in the experience economyDownload now
Six things a developer should know about Postgres
Why enterprises are choosing PostgreSQLDownload now
The path to CX excellence for B2B services
The four stages to thrive in the experience economyDownload now