Researchers discovered wormable Android malware capable of propagating via WhatsApp messages.
FlixOnline Malicious App
Researchers recently discovered malware on Google Play hidden in a fake application, capable of spreading itself via users’ WhatsApp messages.
On Wednesday, Check Point Research (CPR) published a report on the malicious app “FlixOnline”.
FlixOnline is a fake service that claims to let users view Netflix content from all around the world on their mobile devices.
However, the application is actually designed to monitor the user’s WhatsApp notifications and to send automatic replies to the user’s incoming messages, using content that it receives from a remote C&C server.
According to the CPR team, the malware sends the following response to its victims, luring them with the offer of a free Netflix service:
“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)*
Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw.”
Using this technique, a threat actor could perform a wide range of malicious activities:
- Spread further malware via malicious links
- Steal data from users’ WhatsApp accounts
- Spread fake or malicious messages to users’ WhatsApp contacts and groups (for example, work-related groups)
- Extort users by threatening to send sensitive WhatsApp data or conversations to all of their contacts
Malware Work Flow
According to Check Point Research (CPR), once launched on the device, the malware starts a service that requests ‘Overlay’, ‘Battery Optimization Ignore’, and ‘Notification’ permissions.
“The malware’s technique is fairly new and innovative,” said Aviran Hazum, manager of mobile intelligence at Check Point.
After the permissions are granted, the malware displays a landing page it receives from the C&C server and immediately hides its icon so the malware can’t be easily removed.
A successful infection could therefore allow the malware to:
- spread further via malicious links
- steal data from users’ WhatsApp accounts
- propagate malicious messages to users’ WhatsApp contacts and groups
- even extort users by threatening to leak sensitive WhatsApp data or conversations
Google quickly removed the application from the Play Store, but over the course of 2 months FlixOnline was downloaded approximately 500 times.
This wormable Android malware “highlights that users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups,” Check Point concluded.
If you are infected, remove the application from the device and change your passwords.
Indicators Of Compromise
FlixOnline – 1d097436927f85b1ab9bf69913071abd0845bfcf1afa186112e91e1ca22e32df
C&C – netflixwatch[.]site
Package Name – com.fab.wflixonline
Certificate – BEC2C0448558729C1EDF4E45AB76B6A3EE6E42B7
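The following Python script is an added triage example written for this page; it is not code from Check Point or from the FlixOnline sample. It ties together the two technical parts of the article: the permission set the malware requests (Overlay, Battery Optimization Ignore, Notification) and the published indicators of compromise. Given a decoded AndroidManifest.xml, the APK bytes and the signer certificate fingerprint, it reports any IoC match and flags an app that declares all three capabilities at once. The sample manifests below are constructed for the demonstration (they were not extracted from the real APK), and mapping the report’s ‘Notification’ permission to a notification-listener service is an assumption made here.

```python
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators of compromise exactly as published in the report (copied from the
# page above). Hex values are compared case-insensitively.
IOC_APK_SHA256 = {"1d097436927f85b1ab9bf69913071abd0845bfcf1afa186112e91e1ca22e32df"}
IOC_PACKAGE_NAMES = {"com.fab.wflixonline"}
IOC_CERT_SHA1 = {"bec2c0448558729c1edf4e45ab76b6a3ee6e42b7"}

# Manifest entries corresponding to the three capabilities the report lists.
# Treating 'Notification' as notification-listener access is an assumption.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
BATTERY_EXEMPT_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def parse_manifest(xml_text):
    """Extract package name, requested permissions and notification-listener
    services from a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    permissions = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Notification access is not a <uses-permission>: it is granted to a
    # <service> declared with BIND_NOTIFICATION_LISTENER_SERVICE as its permission.
    listener_services = [
        svc.get(ANDROID_NS + "name")
        for svc in root.iter("service")
        if svc.get(ANDROID_NS + "permission") == NOTIF_LISTENER_PERM
    ]
    return {
        "package": root.get("package", ""),
        "permissions": permissions,
        "listener_services": listener_services,
    }


def triage(manifest_info, apk_bytes, signer_cert_sha1):
    """Return human-readable findings for one APK (empty list = nothing found)."""
    findings = []
    if manifest_info["package"] in IOC_PACKAGE_NAMES:
        findings.append("package name matches published IoC")
    if hashlib.sha256(apk_bytes).hexdigest() in IOC_APK_SHA256:
        findings.append("APK SHA-256 matches published IoC")
    if signer_cert_sha1.lower() in IOC_CERT_SHA1:
        findings.append("signing certificate matches published IoC")

    # Behavioural heuristic: each capability alone is common in legitimate apps,
    # but all three together is the combination the report describes.
    capabilities = []
    if OVERLAY_PERM in manifest_info["permissions"]:
        capabilities.append("overlay")
    if BATTERY_EXEMPT_PERM in manifest_info["permissions"]:
        capabilities.append("battery-optimization exemption")
    if manifest_info["listener_services"]:
        capabilities.append("notification access")
    if len(capabilities) == 3:
        findings.append("requests the full FlixOnline-style capability set: " + ", ".join(capabilities))
    return findings


# Constructed sample manifest: declares the package name from the report plus
# the three capabilities. Not the real FlixOnline manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.fab.wflixonline">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application android:label="FlixOnline">
        <service android:name=".NotificationRelayService"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison (hypothetical package name).
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benignplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Player"/>
</manifest>
"""

# Placeholder bytes standing in for APK contents (so the hash will NOT match);
# the certificate fingerprint is the one published in the report.
SAMPLE_APK_BYTES = b"constructed placeholder, not the real APK"
SAMPLE_CERT_SHA1 = "BEC2C0448558729C1EDF4E45AB76B6A3EE6E42B7"

if __name__ == "__main__":
    for finding in triage(parse_manifest(SAMPLE_MANIFEST), SAMPLE_APK_BYTES, SAMPLE_CERT_SHA1):
        print("[!]", finding)
```

In practice the manifest text comes from decoding the APK (for example with apktool), the bytes from reading the APK file, and the signer fingerprint from `apksigner verify --print-certs`. The capability heuristic is deliberately a triage signal, not a verdict: many legitimate messaging and accessibility apps request one or two of these, so treat a full match as a reason to inspect the app, and treat any IoC match as confirmation.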