Once again, Android users narrowly escaped a malware campaign that abused the Play Store for two months. Researchers found a malicious app on the Play Store that targeted users with malware. The malware also spread the infection to other Android devices by offering free Netflix access via WhatsApp auto-replies.
Android App Spread Malware Via WhatsApp Auto-replies
Check Point Research (CPR) discovered a new malware campaign in the wild targeting Android users. Specifically, the campaign distributed wormable Android malware through a malicious app that spread to other devices via WhatsApp auto-replies.
Briefly, a malicious app appeared on Google Play Store recently. The app, named “FlixOnline”, posed as a harmless app that let users enjoy Netflix content. However, the app instead delivered malware to users’ devices that could steal data and even exploit the device to spread the infection.
Upon reaching an Android device, the malicious app would ask for various permissions, such as ‘Battery Optimization Ignore’, ‘Overlay’ and ‘Notifications’. When granted, the app would then overlay other apps’ login screens to steal credentials.
The ‘Battery Optimization Ignore’ permission, meanwhile, would let the app run continuously. Since the app would hide its icon right after installation, the victim would never get a hint of the malicious app running in the background.
The most interesting permission the malware seeks is access to Notifications, which allows it to spread the infection. The malware would access WhatsApp notifications and exploit the auto-reply functionality to spread the following deceptive message to the victim’s WhatsApp contacts.
“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw”
To do this, the malware would keep checking WhatsApp notifications on the device. Sending the phishing message this way would also increase its infection success rate, as recipients would potentially trust the message and click on the link.
Alongside phishing, this precise access to WhatsApp also allowed the malware to steal WhatsApp data, including sensitive chats.
Technical details about the malware are available in CheckPoint’s report.
Malicious App Now Removed
According to the researchers, the malicious app existed on the Play Store for about two months and had 500 downloads.
Upon noticing this campaign, CPR researchers responsibly disclosed the matter to Google. Following their report, Google removed the malicious app from the Play Store.
Hence, while users are now safe from this app, those who had fallen for it should make sure to delete it. Users may visit the Settings menu on their device and go through the list of all running apps.
Besides, this campaign also reminds us not to fall for any promotional or engaging message with a link since spam messages may even arrive from trusted contacts.