Wormable Android malware is spreading through WhatsApp messages

Researchers found the malware hidden in an app pretending to be Netflix on the Google Play store

A new type of Android malware has been discovered in an app on Google Play that can spread itself using fake WhatsApp messages.

Check Point Research made the discovery and found that if a user downloaded the fake application and gave it the appropriate permissions, the malware would be capable of automatically replying to the victims’ incoming WhatsApp messages with a payload received from a command-and-control (C&C) server.

“This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more,” stated the cyber security researchers.

The malware could send further malicious content via automated replies to incoming WhatsApp messages.

The researchers found the malware hidden in an app called “FlixOnline” which is a fake service that claims to allow users to view Netflix content from around the world on their mobile.

Flix Online Malware pretending to be Netflix

“However, instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor the user’s WhatsApp notifications, and to send automatic replies to the user’s incoming messages using content that it receives from a remote command and control (C&C) server,” stated CPR.

The malware sends this message to its victims, and lures them with an offer of a free Netflix service: “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw.”

Check Point said that with this technique, a threat actor could carry out a wide range of malicious activities including spreading further malware, stealing data from users’ WhatsApp accounts and extorting users by threatening to send sensitive WhatsApp data or conversations to all of their contacts.

When the app is downloaded and installed, it requests permissions for “Overlay”, “Battery Optimization Ignore” and “Notifications”. 

Related Resource

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

How to manage security risk and compliance - whitepaperDownload now

Overlay allows the app to create new windows on top of other applications, usually requested to create a fake “login” screen for other apps in order to steal the victim’s credentials. The Battery Optimization permission stops the malware from being shut down by the device’s battery optimization routine. Lastly, while Notification access allows the malware to access all notifications related to messages sent to the device and grants the ability to automatically “dismiss” and “reply” to the messages.

Once Check Point had discovered the malware, it reported it to Google who quickly removed the application from the Play Store. “Over the course of two months, the “FlixOnline” app was downloaded approximately 500 times,” said CPR.

Malware is also spreading on other platforms, including LinkedIn where the Golden Chicken hacking group is targeting its users with fake job offers to infect them with a malware strain that granted them access to victims' computers.

Featured Resources

Next-generation time series: Forecasting for the real world, not the ideal world

Solve time series problems with AI

Free download

The future of productivity

Driving your business forward with Microsoft Office 365

Free download

How to plan for endpoint security against ever-evolving cyber threats

Safeguard your devices, data, and reputation

Free download

A quantitative comparison of UPS monitoring and servicing approaches across edge environments

Effective UPS fleet management

Free download

Recommended

Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
New malware uses search engine ads to target pirate gamers
malware

New malware uses search engine ads to target pirate gamers

21 Jul 2021
Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Royal Mint to recover gold from smartphones and laptops in world first
Technology

Royal Mint to recover gold from smartphones and laptops in world first

21 Oct 2021