Security researchers at Zscaler security have recently found a fake Netflix app that is installing a Remote Access Trojan (RAT) variant onto victims’ devices.
Depending on the popularity of applications is not a new technique, with the fake Super Mario Run games on Android have recently used the same trick to distribute the DroidJack and Marcher Trojans. It seems that the actors are now behind the SpyNote RAT decided to use the same technique and get the enormous traction Netflix has among its users who are looking to stream full movies and TV programs on their mobile devices.
In the place of a video streaming app, the attackers, however, used a RAT that can take advantage of users device in many ways, like listening to their live conversations by using the microphone, executing random commands, sending files to command and control (C&C) server, viewing contacts, recording screen captures, and reading SMS messages.
This fake Netflix app is supposedly created by using an updated version of SpyNote RAT builder, which was leaked online last year, Zscaler says. Once it is installed, the app displays the icon of legitimate Netflix app on Google Play, but it should by no means be mistaken for the real one.
When user clicks on icon for the first time it then disappears from the home screen and nothing else seems to be happening, a trick that is commonly used by mobile malware. But in the background, the malware starts its onslaught of attacks.
The SpyNote RAT was found to be using a free DNS service for C&C communication, and also to leverage Services, Activities components and Broadcast Receivers, of Android platform to remain up and running on users’ infected device.
“Services can perform long-running operations in the background and does not need a user interface. Broadcast Receivers are Android components that can register themselves for particular events. Activities are key building blocks, central to an app’s navigation, for example,” Zscaler researchers note.