Wormable Android malware is spreading through WhatsApp messages

Malware on a phone
(Image credit: Shutterstock)

A new type of Android malware has been discovered in an app on Google Play that can spread itself using fake WhatsApp messages.

Check Point Research made the discovery and found that if a user downloaded the fake application and gave it the appropriate permissions, the malware would be capable of automatically replying to the victims’ incoming WhatsApp messages with a payload received from a command-and-control (C&C) server.

“This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more,” stated the cyber security researchers.

The malware could send further malicious content via automated replies to incoming WhatsApp messages.

The researchers found the malware hidden in an app called “FlixOnline” which is a fake service that claims to allow users to view Netflix content from around the world on their mobile.

Flix Online Malware pretending to be Netflix

(Image credit: Check Point Research)

“However, instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor the user’s WhatsApp notifications, and to send automatic replies to the user’s incoming messages using content that it receives from a remote command and control (C&C) server,” stated CPR.

The malware sends this message to its victims, and lures them with an offer of a free Netflix service: “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw.”

Check Point said that with this technique, a threat actor could carry out a wide range of malicious activities including spreading further malware, stealing data from users’ WhatsApp accounts and extorting users by threatening to send sensitive WhatsApp data or conversations to all of their contacts.

When the app is downloaded and installed, it requests permissions for “Overlay”, “Battery Optimization Ignore” and “Notifications”.


Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation


Overlay allows the app to create new windows on top of other applications, usually requested to create a fake “login” screen for other apps in order to steal the victim’s credentials. The Battery Optimization permission stops the malware from being shut down by the device’s battery optimization routine. Lastly, while Notification access allows the malware to access all notifications related to messages sent to the device and grants the ability to automatically “dismiss” and “reply” to the messages.

Once Check Point had discovered the malware, it reported it to Google who quickly removed the application from the Play Store. “Over the course of two months, the “FlixOnline” app was downloaded approximately 500 times,” said CPR.

Malware is also spreading on other platforms, including LinkedIn where the Golden Chicken hacking group is targeting its users with fake job offers to infect them with a malware strain that granted them access to victims' computers.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.