• Home
  • /
  • Malware
  • /
  • Fake Netflix app spread via WhatsApp found on Google Play

Fake Netflix app spread via WhatsApp found on Google Play

Read time 2min 20sec

Malware lurking in a fake Netflix app on Google Play Store and spread via WhatsApp messages was recently discovered by Check Point Research (CPR).

Researchers found the malware hidden within an app dubbed 'FlixOnline', which claimed to allow users to view free Netflix content on their mobile devices.

The malware sends the following response to its victims:

“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw.”

CPR said it notified Google about the threat, as well as the details of its research, and Google quickly removed the application from the Play Store.

Over the course of two months, the 'FlixOnline' app was downloaded approximately 500 times.

How it works

Once the application is downloaded from the Play Store and installed, the malware starts a service that requests ‘Overlay’, ‘Battery Optimization Ignore’, and ‘Notification’ permissions.

'Overlay' enables a malicious application to create new windows on top of other applications. This is usually requested by malware to create a fake 'Login' screen for other apps, with the intention of stealing credentials.

'Ignore Battery Optimizations' stops the malware from being shut down by the device’s battery optimisation routine, even if it's idle for an extended period.

However, the most dangerous permission, is the 'Notification' access, the Notification Listener service in particular. Once enabled, this permission gives the malware access to all notifications related to messages sent to the device, as well as the ability to automatically perform designated actions such as “dismiss” and “reply” to messages received on the device.

Should these permissions be granted, the malware has everything it needs to start distributing its malicious payloads, and responding to incoming WhatsApp messages with auto-generated replies. Theoretically, through these auto-generated replies, a threat actor could steal data, cause business interruptions on work-related chat groups, and even commit extortion by sending sensitive data to all the user's contacts.

Be wary of links, attachments

Check Point's researchers said this wormable Android malware features innovative and dangerous new techniques for spreading itself, and for manipulating or stealing data from trusted applications such as WhatsApp. 

“It highlights that users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups.”

Anyone who was infected should immediately remove the application from their device, and change their passwords.

See also