Malware disguised as a Netflix app, lurking on the Google Play store, spread through WhatsApp messages, researchers have discovered.
According to a Check Point Research analysis released on Wednesday, the malware masqueraded as an app called “FlixOnline,” which advertised via WhatsApp messages promising “2 Months of Netflix Premium Free Anywhere in the World for 60 days.” But once installed, the malware sets about stealing data and credentials.
The malware was designed to listen for incoming WhatsApp messages and automatically respond to any that the victims receive, with the content of the response crafted by the adversaries. The responses attempted to lure others with the offer of a free Netflix service, and contained links to a fake Netflix site that phished for credentials and credit card information, researchers said.
“The app turned out to be a fake service that claims to allow users to view Netflix content from around the world on their mobiles,” according to the analysis. “However, instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor a user’s WhatsApp notifications, sending automatic replies to a user’s incoming messages using content that it receives from a remote server.”
The fake app in Google Play, featuring the Netflix logo. Source: Check Point.
The malware was also able to self-propagate, sending messages to users’ WhatsApp contacts and groups with links to the fake app. To that end, the automated messages read, “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE [Bitly link].”
Over the course of two months that the app was live on Google Play, the malware racked up 500 victims, according to Check Point. The firm alerted Google to the malware, which took the app down. However, “the malware family is likely here to stay and may return hidden in a different app,” researchers warned.
“The malware’s technique is fairly new and innovative,” Aviran Hazum, manager of Mobile Intelligence at Check Point, said in the analysis. “The technique here is to hijack the connection to WhatsApp by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager. The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags.”
FlixOnline Intercepts WhatsApp Notifications
Once the application is downloaded from the Play Store and installed, it requests three specific permissions, according to the Check Point analysis: Overlay, Battery Optimization Ignore and Notification Listener.
Overlay allows a malicious application to create new windows on top of other applications, noted the researchers.
“This is usually requested by malware to create a fake log-in screen for other apps, with the aim of stealing victim’s credentials,” they explained.
The Ignore Battery Optimizations permission meanwhile stops the malware from being shut down when the phone goes into idle mode, as Android apps usually do in order to save battery power. This allowed the “FlixOnline” app to continuously operate, listening and sending fake messages in the background even if the phone is dormant.
Most importantly, the Notification Listener permission allows the malware to access all notifications related to messages sent to the device, with “the ability to automatically perform designated actions such as ‘dismiss’ and ‘reply’ to messages received on the device,” according to Check Point.
After the permissions are granted, the malware displays a landing page it receives from the command-and-control server (C2), and it deletes its icon off the home screen. From there, it periodically pings the C2 for configuration updates.
“The service can achieve these goals by using multiple methods,” according to the analysis. “For instance, the service can be triggered by the installation of the application and by an alarm registered as the BOOT_COMPLETED action, which is called after the device has completed the boot process.”
When it comes to parsing the WhatsApp messages, the malware uses a function called OnNotificationPosted to check for the package name of the application creating a given notification. If that application is WhatsApp, the malware will then “process” the notification, according to Check Point. That consists of canceling the notification (to hide it from the user), and then reading the title and content of the notification received.
“Next, it searches for the component that is responsible for inline replies, which is used to send out the reply using the payload received from the C2 server,” researchers explained.
Malware-Laced Apps on Google Play
The official Android app store is unfortunately no stranger to malicious and trojanized apps. In March for instance, nine malicious apps were found on Google Play, harboring a malware dropper that paves the way for attackers to remotely steal financial data from Android phones. And in January, Google booted 164 apps, collectively downloaded a total of 10 million times, because they were delivering disruptive ads.
Meanwhile last year, the Joker malware continued to plague Google Play apps. Joker, which has been around since 2017, is a mobile trojan specializing in a type of billing fraud known as “fleeceware.” The Joker apps advertise themselves as legitimate apps (like games, wallpapers, messengers, translators and photo editors, mainly). Once installed, they simulate clicks and intercept SMS messages to subscribe victims to unwanted, paid premium services. The apps also steal SMS messages, contact lists and device information.
How Can Android Users Protect Themselves?
To protect against this type of malware, users should be wary of download links or attachments received via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups, Check Point noted.
If users find themselves with a fake app, they should immediately remove the suspect application from the device, and proceed to change all passwords.
Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a FREE Threatpost event, “Underground Markets: A Tour of the Dark Economy.” Experts will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. Register here for the Wed., April 21 LIVE event.
