Security researchers at Check Point have discovered a new malware variant that has been added to a fake Netflix application, FlixOnline, available from the Google Play Store. The malware has worm-like properties and can spread to other devices via WhatsApp messages.
The Android app has the Netflix logo and claims to provide unlimited viewing from any location. If the app is downloaded and installed, permissions are changed on the user’s device to enable automatic responses to new WhatsApp notifications. Every time a WhatsApp message is received, the malicious app will respond and send a message with a link that tells the recipient to visit a website. The website spoofs Netflix and requests login credentials and a credit card number and promises a 2-month free membership to Netflix Premium.
When Check Point researchers identified the malicious app, it had been downloaded 500 times in the 2 months it had been on the Google Play Store. The malicious app was reported to Google and has now been removed, but this is unlikely to be the last time it appears. The malware is likely to be repackaged into a new app and uploaded again.
“The malware’s technique is new and innovative, aiming to hijack users’ WhatsApp accounts by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager,” said Check Point manager of mobile intelligence, Aviran Hazum.
This malware sends phishing messages but could easily send copies of the malware. The campaign highlights the risks of clicking unsolicited links in WhatsApp messages, even when they have been sent from a trusted contact. To avoid malware infections on Android phones, exercise caution when clicking hyperlinks in messages and only install apps from official app stores.
Official app stores such as the Google Play Store have multiple checks in place to identify malicious apps, although malicious apps do occasionally pass these checks. Just because an app is available on an official app store does not necessarily mean it is genuine. When installing any app, it is important to check the number of downloads, read the reviews, and carefully check the requested permissions before installing. In this case, the app requests notification access for the Notification Listener service. It is also important to install a security solution on Android devices and ensure it is kept up to date.
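The permission check described above can also be done from a workstation after installation. The following is an added example, not part of the original article or Check Point's research: it lists which apps currently hold notification access and flags any that are not expected to. It assumes the device reports the list through the enabled_notification_listeners secure setting; the package names and the allowlist are constructed for illustration.

```python
import subprocess

# Constructed sample of the colon-separated value printed by
#   adb shell settings get secure enabled_notification_listeners
SAMPLE_SETTING = (
    "com.example.launcher/.NotificationBadgeService:"
    "com.example.wearcompanion/com.example.wearcompanion.ListenerService:"
    "com.example.flixstream/.NotifService"
)

# Hypothetical allowlist: packages the device owner expects to read notifications.
EXPECTED_PACKAGES = {"com.example.launcher", "com.example.wearcompanion"}


def parse_listeners(setting_value):
    """Return (package, full_class_name) pairs from the setting value."""
    listeners = []
    value = (setting_value or "").strip()
    if value in ("", "null"):  # 'null' is printed when the key is unset
        return listeners
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, _, cls = entry.partition("/")
        if cls.startswith("."):  # short form: class is relative to the package
            cls = package + cls
        listeners.append((package, cls))
    return listeners


def unexpected_listeners(setting_value, expected=EXPECTED_PACKAGES):
    """Listeners whose package is not on the allowlist, for manual review."""
    return [(p, c) for p, c in parse_listeners(setting_value) if p not in expected]


def read_from_device():
    """Read the live value over adb (needs a connected device with USB debugging)."""
    cmd = ["adb", "shell", "settings", "get", "secure", "enabled_notification_listeners"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for package, cls in unexpected_listeners(SAMPLE_SETTING):
        print(f"review: {package} holds notification access via {cls}")
```

To audit a real device, pass the output of read_from_device() to unexpected_listeners() with an allowlist that matches the apps you actually rely on.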