New Android Malware Spreading via WhatsApp Auto-Replies

By Bill Toulas / April 8, 2021

Researchers at Check Point have discovered a new Android malware strain that is distributed via auto-replies to incoming WhatsApp messages. The malware is disguised as a Netflix content enabler app named “FlixOnline,” but this could be replaced any time with something else. If that happens, it could potentially find its way back in the official Android app store again.

Because of the way the malware is propagated, we can essentially call it a worm that jumps from one device to the next via WhatsApp contact lists. The actors' goal is to launch phishing attacks, spread false information, and steal credentials or other sensitive data from the WhatsApp accounts of the targeted users.

The infection begins with the victim downloading the app on their own, something that unfortunately happened at least 500 times before Google removed the app from the Play Store, following CheckPoint's disclosure. This number may seem pretty insignificant, but considering how the malware is redistributed, these are all initial infection chain points.

Source: CheckPoint

Upon installation, the app requests permissions for ‘Overlay,’ ‘Battery Optimization Ignore,’ and ‘Notification.’ The ‘Overlay’ makes it possible to create windows with messages on other apps, push fake “Login” screens to steal credentials, etc. The second permission lets the app run in the background for as long as it likes. And the third one, the ‘Notification,’ gives the malware access to that sensitive space and the data that come and go through it.

Source: CheckPoint

The payload is fetched from a C2 server (netflixwatch[.]site) and arrives on the target’s device via an auto-reply message on WhatsApp. The message that a victim would see in this case is:

2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw.

If you have seen this message appearing on your WhatsApp app, it’s not from a legitimate marketing promotion, and it’s definitely not from one of your contacts. Also, you should consider your device infected, immediately stop performing sensitive actions on it like accessing your online banking accounts and take all the necessary steps to clean the device.

Install a security solution on the device and run a complete scan. Next, apply any OS updates that may be available and go to the Android Settings to scrutinize all app permissions. If you just need to be certain, you may want to perform a factory reset, although this is admittedly a disproportional response.

Next time you are installing an app, take a moment to review what permissions are requested upon installation. Very often, this step is indicative of the nature of the software.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: