A new type of Android malware has been discovered in an app on Google Play that can spread itself using fake WhatsApp messages.
Check Point Research made the discovery and found that if a user downloaded the fake application and gave it the appropriate permissions, the malware would be capable of automatically replying to the victims’ incoming WhatsApp messages with a payload received from a command-and-control (C&C) server.
“This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more,” stated the cyber security researchers.
The malware could send further malicious content via automated replies to incoming WhatsApp messages.
The researchers found the malware hidden in an app called “FlixOnline” which is a fake service that claims to allow users to view Netflix content from around the world on their mobile.
“However, instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor the user’s WhatsApp notifications, and to send automatic replies to the user’s incoming messages using content that it receives from a remote command and control (C&C) server,” stated CPR.
The malware sends this message to its victims, and lures them with an offer of a free Netflix service: “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw.”
Check Point said that with this technique, a threat actor could carry out a wide range of malicious activities including spreading further malware, stealing data from users’ WhatsApp accounts and extorting users by threatening to send sensitive WhatsApp data or conversations to all of their contacts.
When the app is downloaded and installed, it requests permissions for “Overlay”, “Battery Optimization Ignore” and “Notifications”.
Overlay allows the app to create new windows on top of other applications, usually requested to create a fake “login” screen for other apps in order to steal the victim’s credentials. The Battery Optimization permission stops the malware from being shut down by the device’s battery optimization routine. Lastly, while Notification access allows the malware to access all notifications related to messages sent to the device and grants the ability to automatically “dismiss” and “reply” to the messages.
Once Check Point had discovered the malware, it reported it to Google who quickly removed the application from the Play Store. “Over the course of two months, the “FlixOnline” app was downloaded approximately 500 times,” said CPR.
Malware is also spreading on other platforms, including LinkedIn where the Golden Chicken hacking group is targeting its users with fake job offers to infect them with a malware strain that granted them access to victims’ computers.
Managing security risk and compliance in a challenging landscape
How key technology partners grow with your organisation
Security best practices for PostgreSQL
Securing data with PostgreSQL
Transform your MSP business into a money-making machine
Benefits and challenges of a recurring revenue model
The care and feeding of cloud
How to support cloud infrastructure post-migration