A serious new warning for Android users, with new Play Store malware actively exploiting a “very dangerous” phone setting. Owners of smartphones, even secured Samsung, Google, Xiaomi and Huawei models, should check that this setting has not already been exploited on their phones. Here’s what you need to do today.
It’s a stupidly simple method of attack, and one that shouldn’t be possible—not in 2021, not on an Android phone carrying the latest firmware and security updates, and not through an install from the seemingly protected Play Store. But it was possible—it’s exactly what happened. A malicious app evading Google’s defences, automatically messaging a user’s contacts on WhatsApp, continually infecting as it did so.
This malware was caught exploiting a fairly well hidden Android setting—and this is the second such warning already this year. Suddenly you need to check that no apps have been granted permission to use this setting on your phone, other than system apps or those from highly trusted sources. You can find details on how to do this below.
According to the team at Check Point that discovered this latest threat, the malware “performs a range of malicious activities, including data and credential theft.” The team warns that this raises “some serious red flags” over Play Store’s protection, and that although this particular attack has been stopped, “the malware family is likely here to stay—the malware may return hidden in a different app.”
Last year, Check Point warned that Play Store’s security improvements “are not where we hoped they would be—Google is investing to battle malicious apps, but given the current state it’s not enough.” A year on and here we are again.
The specifics this time—a malicious Play Store app promising free access to Netflix, which then sends out messages promising the same—are less interesting than the attack vector. Once installed, the FlixOnline app intercepted WhatsApp notifications when a new message had been received, sending an automatic reply with a malicious link to a fake Netflix site that would phish for credentials and credit card details.
The serious vulnerability is Android’s “Notification Listening Service,” which can be enabled by a permission a newly installed app tricks users into granting, and which will allow the app to intercept and manipulate incoming messages. “It’s very rare to find a good use for this permission,” Check Point’s Aviran Hazum tells me, “for the most part, this is not a requested permission by legitimate apps.”
We saw the same vulnerability in January and there’s even a prescient warning from as far back as 2016. The difference here is that a malicious app was installed from the Play Store itself, rather than a third-party store, and that’s very bad news indeed. This “new and innovative malicious threat,” Check Point says, was stopped quickly after just a few hundred installs, but it should never have been enabled in the first place.
The attack vector is now very much public domain. It is suddenly very real—with two exploitations already this year. It will almost certainly now be used again and again, and you need to take steps to keep yourself protected.
This is one of the “two most commonly abused mechanisms in Android,” Hazum tells me, “mostly used for spying.” It can also be used to automatically push new infections, making it very dangerous to those who have been infected and their contacts, Hazum points out, explaining that the same vulnerability was used by the infamous Joker malware, “to grab the content of the verification SMS received by the Premium Service” which infected users had been subscribed to without their knowledge.
“It’s relatively easy to hijack a notification’s predefined actions,” Hazum warns, “if the app has the Notification Listener permission. Not just WhatsApp, but all apps. In this case, the actor hijacked notifications from WhatsApp, responding to messages with a link to a malicious APK, fake news, phishing campaigns, and so much more.”
Google removed the errant app from its Play Store following Check Point’s disclosure, telling me that this had been done quickly and after relatively few installs. But the vulnerability remains in place. WhatsApp was also approached for comment ahead of publication, although the messaging app is not at fault for this vulnerability.
This “abuse of a dangerous mechanism,” Hazum says, “this NotificationListener service, which allows an app access to all notifications and predefined actions on them,” is very likely to be repeated. As ever, now the vulnerability is in the public domain, and given the relative ease by which it can be exploited, it’s a very real threat.
If Android users want a good example of where iOS is doing a better job to protect its devices, then this seems like a fairly simple one. “Apple does not allow a single app to view all notifications,” Hazum says, “meaning that this type of attack would not have worked.” And so, while Android users should check their devices for FlixOnline, and delete the app if it’s found, they should also check their notification access setting.
You should check each app that has been given notification access permission, and my advice would be to limit this to trusted system apps—for example, to enable Do Not Disturb functionality or Android Auto. Put simply, I would strongly suggest you NEVER install an app from Play Store or anywhere else and allow it to access your notifications—that’s way more personal information and access than is healthy.
Life is rarely that simple, of course. Check Point warns that FlixOnline “does not state ‘Notification Listener’,” when it seeks user permission, “but opens the notification permission screen itself—only those who actually read the screen will see that.” But now you know how dangerous this permission is, you can keep an eye out for such tactics, and occasionally check the settings themselves.
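To make the “check your notification access setting” advice repeatable, here is an added audit script (not from the article, Check Point or Google) that works from two real `adb shell` outputs: `settings get secure enabled_notification_listeners`, which lists every component granted the NotificationListener access described above, and `pm list packages -3`, which lists user-installed apps. The sample output, package names and trusted allowlist below are constructed for illustration; the FlixOnline package name is a placeholder, not the real one.

```python
"""Flag third-party apps holding Android notification-listener access.

Real formats parsed (sample values below are constructed, not captured):
  settings get secure enabled_notification_listeners
      -> "pkg/cls:pkg/cls" ComponentNames, or "null" when none are granted;
         a class starting with "." is shorthand for "<pkg>.<cls>"
  pm list packages -3
      -> one "package:<name>" line per user-installed (non-system) app
"""
from dataclasses import dataclass

# Constructed sample output as adb would print it (placeholder package names).
LISTENERS = ("com.example.autocompanion/.NotificationListener:"
             "com.example.flixonline/.NotifService:"
             "com.example.wearcompanion/com.example.wearcompanion.Listener\n")
THIRD_PARTY = ("package:com.example.flixonline\n"
               "package:com.example.wearcompanion\n"
               "package:com.example.game\n")
# Assumed allowlist: apps the owner knowingly granted notification access.
TRUSTED = {"com.example.autocompanion", "com.example.wearcompanion"}


@dataclass(frozen=True)
class Finding:
    package: str
    service: str      # fully qualified NotificationListenerService class
    third_party: bool
    trusted: bool


def parse_component(component):
    """Split 'pkg/cls' and expand the '.Cls' shorthand to 'pkg.Cls'."""
    pkg, _, cls = component.partition("/")
    return pkg, (pkg + cls if cls.startswith(".") else cls)


def parse_third_party(pm_output):
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def audit(listeners, pm_output, trusted):
    """One Finding per granted listener; an unset setting prints 'null'."""
    value = listeners.strip()
    comps = [] if value in ("", "null") else value.split(":")
    third = parse_third_party(pm_output)
    return [Finding(p, s, p in third, p in trusted)
            for p, s in map(parse_component, comps)]


def suspicious(findings):
    """Non-system listeners not on the allowlist: revoke them under the
    notification access setting (or: adb shell cmd notification
    disallow_listener <pkg>/<cls>), then investigate the app."""
    return [f for f in findings if f.third_party and not f.trusted]
```

A legitimate wearable or car companion app will appear here too, which is why the allowlist is the owner's own list of grants they remember making, not a generic one.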
This latest warning comes in two parts—and both should make sober reading for Android users. First, Play Store’s defences remain defeatable, a problem that just doesn’t seem to be resolvable. And, second, Android remains vulnerable to exploitation of the OS through its flexibility and its looser restrictions compared with iOS.
Given the “very dangerous” potential that the NotificationListener service has, given that it has clearly been exploited in the wild, additional controls and restrictions should be added immediately. Users should not be left at risk from as simple an attack vector as this, not with the state of mobile malware as bad as it is.
There is another cautionary tale here as well, of course. Smartphone users—whether Android or iOS—should not click links or download attachments texted or messaged from anyone, even friends. Only a tiny fraction of smartphones carry security software to intercept and protect against such threats; it’s just not worth the risk.