New Wormable Android Malware Disguised as a Netflix Tool Spreads Through WhatsApp Messages

Check Point Research (CPR) team has recently discovered a new Android malware that tricks the users into promising to provide them Netflix premium subscription for free. 

The malware that is in question is basically an app that is known as “FlixOnline,” and posing itself as a legitimate version of the streaming service, Netflix to trick the users.

This malicious app was recently removed from the Play Store after being identified as Android malware. But, when it was available in the store, it was downloaded more than 500 times. 

This newly discovered malware seeks to gain the necessary system permissions to steal sensitive data and take control of WhatsApp on the infected device.

The new malware, FlixOnline uses the WhatsApp messages to spread itself, and it’s programmed in such a way, that it replies to each incoming messages automatically from the app itself through a remote server.

Attackers send phishing sites via WhatsApp

In certainty, this malicious app, FlixOneline is basically designed to monitor the owner’s WhatsApp notifications, so, that they can send automatic replies to the owner’s incoming messages, using the content it receives through a remote command and control server.    

This method allows the threat actors to spread phishing sites for phishing attacks, spread other malware or malicious files, spread fake news and much more.

How does this malware work?

After installation, this malware requests a series of permissions that helps the operators of this malware to achieve their goal.

• First of all, it overlays on other app windows to steal login credentials and other sensitive data.
• After that, when the power saving mode is activated it prevents the infected Android device from shutting down the malware.
• Then it gains permission to the reading and writing of notifications to control the WhatsApp messages.
• Once done the above step, now the threat actors can easily reply to incoming messages with content it receives from a remote command and control (C&C) server.

Here’s one of the responses used by the malware to lure the users:-

“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw.” 

Replies are used by this malware for auto-spreading

The operator of this malware, FlixOnline can easily perform several malicious tasks, and here they are mentioned below:-

• Spread the malware through malicious links.
• Steal users’ data from their respective WhatsApp accounts.
• Target the contacts and all the work-related groups present on your WhatsApp to spread malicious messages.
• Also, extort the users by threatening them to send their private data or chats to all their contacts.

Apart from this, the cybersecurity firm, Check Point has already informed Google about this malware, and as a result Google already removed this malicious app. 

Just like Google, they have also informed Facebook, the developer of WhatsApp, where no action has been taken yet, since, there is no vulnerability or flaws in the messaging services of the above-mentioned portals.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity, and hacking news updates.