New Android malware has been discovered on the Google Play Store, disguised as an application called “FlixOnline” that claims to unlock Netflix content. The malware spreads via malicious automatic replies to WhatsApp messages sent to the user. Its payloads are received from a remote command-and-control server.
Check Point security researchers say the new and innovative threat could send more malicious content through automated replies to incoming WhatsApp messages. Hackers can use the malware to distribute phishing attacks, spread additional malware, spread false information, or steal credentials and data from WhatsApp accounts and conversations. The app masquerades as a service that lets users view Netflix content from around the world on mobile devices.
Instead of doing what it promises, the malware monitors the user’s WhatsApp notifications so that it can send automatic replies, using content it receives from its control servers. The lure message sent to victims through these automated replies offers two months of free Netflix premium content anywhere in the world.
Check Point researchers say that when the app is downloaded and installed on an Android device, it starts a service that requests “Overlay”, “Battery Optimization Ignore” and “Notification” permissions. With the overlay permission, the malicious application can create new windows on top of other applications; these are usually fake login screens for other applications, used to steal credentials.
Ignoring battery optimizations prevents the malware from being shut down by the device’s battery optimization routine, even when it is idle. Notification access lets the malware read all message notifications on the device and automatically dismiss and reply to those messages. With these permissions, the malware has everything it needs to distribute malicious payloads and reply to incoming WhatsApp messages. Check Point notes that it responsibly notified Google about the app and its research. Google removed the app from the Play Store, but it had been available for two months and was downloaded about 500 times.