Tuesday, April 13, 2021

Caution! - This application can auto-reply to WhatsApp messages

Background

The mobile threat landscape evolves day by day, and cyber criminals keep developing new techniques to distribute malware and new ways of luring people into their traps. Researchers have found a new malicious threat on the Google Play app store that spreads from one mobile user to another through WhatsApp conversations and can send further malicious content via automated replies to incoming WhatsApp messages.

Which is this malicious app?

The malicious app is named ‘FlixOnline’. It was found to be available on the Google Play store.

This app is a fake service that claims to allow users to view Netflix content from all around the world on their mobiles. However, instead of allowing the mobile users to view Netflix content, the application is actually designed to monitor the user’s WhatsApp notifications and to send automatic replies to the user’s incoming messages using content that it receives from a remote command and control server.

Lures people into downloading the application

The malware sends the following response to its victims, luring them with the offer of a free Netflix service:

“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bD***w.”

Takes permission from user

Once people fall into this trap and install the application from the Play Store, the malware starts a service that requests ‘Overlay’, ‘Battery Optimization Ignore’, and ‘Notification’ permissions. Eager to watch Netflix for free, users grant these permissions readily. The purpose of each permission is:

  • Overlay allows a malicious application to create new windows on top of other applications. This is usually requested by malware to create a fake “Login” screen for other apps, with the aim of stealing the victim’s credentials.
  • Ignore Battery Optimizations stops the malware from being shut down by the device’s battery optimization routine, even after it is idle for an extended period.
  • The most prominent permission is the Notification access, more specifically, the Notification Listener service. Once enabled, this permission provides the malware with access to all notifications related to messages sent to the device, and the ability to automatically perform designated actions such as “dismiss” and “reply” to messages received on the device.
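
A defender-side check for the permission combination listed above, as an added example that is not part of the original post: it flags any app that holds notification-listener access, overlay permission and a battery-optimization exemption at once. The package names and sample outputs are constructed, and the adb output formats shown in the comments are assumptions.

```python
# Added example (not from the original post). Inputs are constructed samples
# shaped like the output of these adb commands (format assumed):
#   adb shell settings get secure enabled_notification_listeners
#   adb shell appops query-op SYSTEM_ALERT_WINDOW allow
#   adb shell dumpsys deviceidle whitelist
LISTENERS = ("com.example.flixclone/com.example.flixclone.NotifService:"
             "com.example.wearsync/.Listener")  # hypothetical packages
OVERLAY_ALLOWED = "com.example.flixclone\ncom.example.chatheads\n"
DOZE_WHITELIST = """system-excidle,com.android.providers.downloads,10013
system,com.example.wearsync,10088
user,com.example.flixclone,10231
user,com.example.musicplayer,10240
"""

def listener_packages(setting):
    """Packages from a colon-separated list of pkg/class component names."""
    if setting.strip() in ("", "null"):   # 'null' is printed when unset
        return set()
    return {c.split("/", 1)[0].strip() for c in setting.split(":") if c.strip()}

def overlay_packages(text):
    """One package per line; skip blank lines and notices containing spaces."""
    lines = (l.strip() for l in text.splitlines())
    return {l for l in lines if l and " " not in l}

def user_whitelisted(text):
    """Keep only 'user,' rows: exemptions added at runtime, not preloaded."""
    rows = (l.strip().split(",") for l in text.splitlines())
    return {r[1] for r in rows if len(r) == 3 and r[0] == "user"}

def audit(listeners, overlay, whitelist):
    """Map each package to the grants it holds; 'review' = holds all three."""
    grants = {
        "notification_listener": listener_packages(listeners),
        "overlay": overlay_packages(overlay),
        "battery_exempt": user_whitelisted(whitelist),
    }
    held = {}
    for name, pkgs in grants.items():
        for pkg in pkgs:
            held.setdefault(pkg, set()).add(name)
    review = sorted(p for p, g in held.items() if len(g) == len(grants))
    return {"held": held, "review": review}

if __name__ == "__main__":
    result = audit(LISTENERS, OVERLAY_ALLOWED, DOZE_WHITELIST)
    for pkg in result["review"]:
        print("review:", pkg, sorted(result["held"][pkg]))
```

An app appearing under "review" is not proof of malice; it marks the trio of grants described above as worth a manual look.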
 


Can harm users in many ways

Once a user has installed this application and granted the requested permissions, it could perform a wide range of malicious activities:

  • Spread this malware further via malicious links

  • Steal data from user's WhatsApp account

  • Spread fake or malicious messages to user's WhatsApp contacts and groups (for example, work-related groups)

  • Extort users by blackmailing/threatening to send sensitive WhatsApp data or conversations to all of their contacts

What can you do?
If you use FlixOnline or any similar app, uninstall it immediately and check your WhatsApp chats for any damage the app may already have done. For the best results, users can also back up all personal data and then reset their phones. A reset should remove any malicious code or files still on the system.
In the future, remember never to fall for such fake apps. Any app that offers you unofficial content for free could be trying to download malicious code onto your device. If an app or online service seems too good to be true, it probably is.
