Cybersecurity researchers have found new malware in a fake Netflix app that spreads by hijacking WhatsApp.
The FlixOnline Android app, advertised as a Netflix content enabler, works by taking over the victim’s WhatsApp account. From there, it distributes itself via autoreplies to incoming messages.
Hackers can use the malware to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts. They can also spread additional malicious payloads sent from a command and control server.
The threat was discovered by cybersecurity experts at Check Point Research (CPR). The malware was found available on the Google Play Store.
FlixOnline claims to offer users the ability to view Netflix content from all around the world.
Once installed, the application makes three requests from the user – for ‘Overlay’, ‘Battery Optimisation Ignore’, and ‘Notification’ permissions.
With the Overlay permission, the app can create new windows, such as a fake login page, on top of other applications. The Ignore Battery Optimisations permission stops the malware from being shut down by the device’s battery optimisation routine, even after it is idle for an extended period.
Finally, the Notification access enables the malware’s Notification Listener service. This lets the app intercept WhatsApp notifications so it can automatically reply to messages.
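As an added illustration (not code from Check Point Research or this article), the Python sketch below checks a decoded AndroidManifest.xml for the combination of the three requests described above. The mapping to Android manifest identifiers, the function names and the two sample manifests are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Assumed mapping of the article's three requests to Android manifest identifiers.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
BATTERY = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
LISTENER_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"
FULL_SET = {"overlay", "ignore_battery_optimisation", "notification_listener"}

# Constructed sample manifests (package names are placeholders, not from the report).
SAMPLE_FLAGGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.streaming">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".Listener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bubble">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""

def audit_manifest(manifest_xml):
    """Return which of the three capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(A + "name") for tag in ("uses-permission", "uses-permission-sdk-23")
                 for p in root.iter(tag)}
    findings = set()
    if OVERLAY in requested:
        findings.add("overlay")
    if BATTERY in requested:
        findings.add("ignore_battery_optimisation")
    # Notification access is declared as a service guarded by the bind permission
    # and exposing the listener action, not as a <uses-permission> entry.
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if svc.get(A + "permission") == LISTENER_BIND and LISTENER_ACTION in actions:
            findings.add("notification_listener")
    return findings

def is_suspicious(manifest_xml):
    """True only when all three capabilities appear together."""
    return audit_manifest(manifest_xml) == FULL_SET

if __name__ == "__main__":
    for label, xml in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        print(label, sorted(audit_manifest(xml)), is_suspicious(xml))
```

Each capability has legitimate uses on its own, so the combined result is a triage signal for closer review rather than proof that an app is malicious.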
CPR warned that the fake Netflix app was downloaded approximately 500 times over a two-month period. After the company informed Google about the malware, Google removed the application from the Play Store.
“As the mobile threat landscape evolves, threat actors are always seeking to develop new techniques to evolve and successfully distribute malware,” CPR researchers Aviran Hazum, Bodgan Melnykov and Israel Wenik said in a company statement.
“This wormable Android malware features innovative and dangerous new techniques for spreading itself, and for manipulating or stealing data from trusted applications such as WhatsApp.
“It highlights that users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups.”
The way WhatsApp uses data was the subject of recent controversy. An update that would have applied to all users, except in the UK and Europe, would have required the user to share WhatsApp data with Facebook, the messaging service’s owner.
While the messages themselves are encrypted, WhatsApp tracks a variety of user data, including names and phone numbers, contacts, the location of the user’s internet connection, and financial transactions made over the app.
As such, a malicious actor hijacking the app could have access to a variety of sensitive information. This could even lead to extortion attacks with a malicious actor sending sensitive data to all the user’s contacts.