New Android Malware Spreading via WhatsApp Auto-Replies

  • A new wormable Android malware is spreading via auto-replies on peoples’ WhatsApp.
  • The malware was hidden in a Netflix content enabler app that was available on the Play Store.
  • The permissions requested upon installation clearly underline the dangerous nature of the app.

Researchers at Check Point have discovered a new Android malware strain that is distributed via auto-replies to incoming WhatsApp messages. The malware is disguised as a Netflix content enabler app named “FlixOnline,” but this could be replaced any time with something else. If that happens, it could potentially find its way back in the official Android app store again.

Because of the way the malware is propagated, we can essentially call it a worm that jumps from one device to the next via WhatsApp contact lists. The actors’ goal is to launch phishing attacks, spread false information, and steal credentials or other sensitive data from the WhatsApp accounts of the targeted users.

The infection begins with the victim downloading the app on their own, something that unfortunately happened at least 500 times before Google removed the app from the Play Store, following CheckPoint’s disclosure. This number may seem pretty insignificant, but considering how the malware is redistributed, these are all initial infection chain points.

Source: CheckPoint

Upon installation, the app requests permissions for ‘Overlay,’ ‘Battery Optimization Ignore,’ and ‘Notification.’ The ‘Overlay’ makes it possible to create windows with messages on other apps, push fake “Login” screens to steal credentials, etc. The second permission lets the app run in the background for as long as it likes. And the third one, the ‘Notification,’ gives the malware access to that sensitive space and the data that come and go through it.

Source: CheckPoint

The payload is fetched from a C2 server (netflixwatch[.]site) and arrives on the target’s device via an auto-reply message on WhatsApp. The message that a victim would see in this case is:

2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw.

If you have seen this message appearing on your WhatsApp app, it’s not from a legitimate marketing promotion, and it’s definitely not from one of your contacts. Also, you should consider your device infected, immediately stop performing sensitive actions on it like accessing your online banking accounts and take all the necessary steps to clean the device.

Install a security solution on the device and run a complete scan. Next, apply any OS updates that may be available and go to the Android Settings to scrutinize all app permissions. If you just need to be certain, you may want to perform a factory reset, although this is admittedly a disproportional response.

Next time you are installing an app, take a moment to review what permissions are requested upon installation. Very often, this step is indicative of the nature of the software.

REVIEW OVERVIEW

Latest

How to Watch Thursday Night Football Without Cable in 2021: Schedule, Time, TV Channel, Live Stream

The 2021 NFL season is kicking off, and the excitement is kicking in for American football fans all over the world. The...

HBO Leaves Prime Video as WarnerMedia Ends Deal With Amazon

Amazon and WarnerMedia end their collaboration that had HBO on Prime Video.Existing users will now have to use the HBO Max app...

How Phishing Actors Impersonated the U.S. Department of Transportation

A recent phishing campaign deployed some common but highly effective tricks to steal Microsoft account credentials.The actors impersonated the U.S. Department of...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari