A fake application on Google Play, claiming to allow users to view Netflix content from all over the world, was spreading malware through WhatsApp messages, according to researchers from Check Point Research.
Labelled “FlixOnline”, the application was designed to monitor the user’s WhatsApp notifications, and to send automatic replies to the user’s incoming messages using content that it receives from a remote command and control (C&C) server.
This allowed hackers to distribute phishing attacks, spread false information and steal credentials and data from users’ WhatsApp accounts.
The malware lures the victims with the message, “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw.”
When a user downloads the fake application from the Play Store, the malware requests a number of permissions, each serving a specific purpose. For instance, ‘Overlay’ lets the malicious application create new windows on top of other applications.
Check Point explained that this permission is usually requested by malware to create a fake “Login” screen on top of other apps, with the aim of stealing victims’ credentials.
Besides, ‘Ignore Battery Optimizations’ prevents the malware from being shut down by the device’s battery optimization routine, even after it has been idle for an extended period.
Lastly, ‘Notification access’ provides the malware with access to all notifications related to messages sent to the device, and the ability to automatically perform designated actions such as “dismiss” and “reply” to messages received on the device.
Once all permissions are granted, the malware displays a landing page it receives from the C&C server and immediately hides its icon so the malware can’t be easily removed.
To distribute the payload, the malware cancels the notification to hide it from the user and reads the notification’s title and content. It then searches for the component responsible for inline replies and uses it to send a reply containing the payload received from the C&C server.
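As an added triage example (not code from Check Point’s report or from the malware), the Python below parses the output of three adb commands and flags installed packages that hold the same combination the article describes: notification access, overlay (SYSTEM_ALERT_WINDOW) and a battery optimization exemption. The command output formats are as assumed in the comments, and the package name and sample data are constructed for illustration.

```python
"""Flag packages holding the FlixOnline permission combination, from adb output."""
from __future__ import annotations
import re

# Constructed sample outputs (the package 'com.example.flixonline' is a placeholder).
SAMPLE_LISTENERS = ("com.whatsapp/com.whatsapp.notification.NotificationListener:"
                    "com.example.flixonline/.NotifListener")
SAMPLE_WHITELIST = """system,com.android.providers.downloads,10006
user,com.example.flixonline,10231
user,com.whatsapp,10140"""
SAMPLE_APPOPS = {
    "com.whatsapp": "SYSTEM_ALERT_WINDOW: ignore; time=+3d2h ago",
    "com.example.flixonline": "SYSTEM_ALERT_WINDOW: allow; time=+5m ago",
    "com.android.providers.downloads": "No operations.",
}

def listeners_from_settings(raw: str) -> set[str]:
    # `adb shell settings get secure enabled_notification_listeners` returns
    # flattened ComponentNames ("pkg/cls") separated by ':' (or "null" if none).
    raw = raw.strip()
    if raw in ("", "null"):
        return set()
    return {c.split("/", 1)[0] for c in raw.split(":") if c}

def whitelist_from_deviceidle(raw: str) -> set[str]:
    # Assumed format of `adb shell dumpsys deviceidle whitelist`: "<kind>,<pkg>,<uid>"
    # per line; "user" entries are apps exempted via 'Ignore Battery Optimizations'.
    pkgs = set()
    for line in raw.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] == "user":
            pkgs.add(parts[1])
    return pkgs

def overlay_allowed(appops_by_pkg: dict[str, str]) -> set[str]:
    # `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` reports the op mode,
    # e.g. "SYSTEM_ALERT_WINDOW: allow; time=...". Keep packages in 'allow'.
    return {p for p, out in appops_by_pkg.items()
            if re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", out)}

def suspicious_packages(listeners: str, whitelist: str, appops_by_pkg: dict[str, str],
                        known: frozenset[str] = frozenset()) -> list[str]:
    # Only packages holding all three capabilities, minus vetted ones, are reported.
    hits = (listeners_from_settings(listeners) & whitelist_from_deviceidle(whitelist)
            & overlay_allowed(appops_by_pkg))
    return sorted(hits - known)

if __name__ == "__main__":
    for pkg in suspicious_packages(SAMPLE_LISTENERS, SAMPLE_WHITELIST, SAMPLE_APPOPS):
        print("review:", pkg)  # prints: review: com.example.flixonline
```

A hit is a lead for manual review (check whether the launcher icon is hidden, as the article describes), not proof of infection; legitimate messaging apps also hold some of these permissions.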
Check Point Research notified Google about the malicious application, and Google has removed the application from the Play Store. Before the application was taken down, over the course of 2 months, “FlixOnline” was downloaded approximately 500 times.
Check Point suggested that users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps. It also advised infected users to remove the application from their device and change their passwords.