A new breed of Android malware has been discovered hiding in the Google Play Store – and it’s designed to sabotage your WhatsApp chats. Security researchers at Check Point uncovered the dangerous new malware, which spreads itself by sending malicious links to your WhatsApp contacts – from family members to close friends and group chats. Anyone who taps on the link sent from your WhatsApp account will be taken to a fake Netflix site designed to steal login details for your Netflix account or credit card details.
The malware was unearthed inside an app called FlixOnline, which promises unlimited TV show and movie streaming. When discovered by the Check Point team, FlixOnline was available as a free download from the Google Play Store, which is the preinstalled app repository found on almost all Android smartphones and tablets (except the most recent handsets from Huawei, which uses the App Gallery instead).
FlixOnline uses Netflix’s iconic “N” logo as well as artwork from Stranger Things and other Netflix exclusive shows to try to tempt Android smartphone and tablet owners into downloading the app.
Android users unfortunate enough to download FlixOnline will be asked to grant a dizzying number of permissions. This is pretty standard for all third-party Android apps downloaded from the Play Store, so might not raise any alarm bells. However, the permissions requested by FlixOnline are specifically to enable this malware-laced app to continue spreading using your WhatsApp conversations.
Anyone who grants the permissions allows the application to reply to all incoming text messages in WhatsApp with a link to a fraudulent Netflix site. To tempt people into clicking, the message alongside the link promises two months of free Netflix because of the ongoing coronavirus pandemic. An example of the sort of message sent with the dangerous link reads: “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS) Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE”
If the person clicks on the link they will either be asked to sign in with their existing Netflix login (allowing the hackers to steal their email address and password combo – potentially unlocking dozens more of their online accounts) or, if they don’t already have an account, create a new one. If they decide to create a Netflix account when prompted, the hackers will steal their credit or debit card information. Either way, it’s really bad.
With the FlixOnline malware replying to every incoming message, individual conversations and group chats could be quickly filled with these malicious links… especially if you’re not paying attention.
Security experts from Check Point have already reported the dangerous malware to Google, which has stripped the app from the Play Store. That’s great news as it means nobody else can download the app. However, Google doesn’t remove the apps already installed on Android devices across the world.
So, if you’ve recently downloaded the app, you’ll need to remove its permissions and delete it from your device immediately.
Since the malware seems to have been pretty effective, Check Point researchers believe that FlixOnline will set a trend that numerous apps will copy. That means anyone downloading from the Google Play Store will need to be more cautious than ever before. Check Point recommends users only download apps from trusted developers, always keep their devices running the latest operating system updates, and use a security solution to watch out for malware.
Aviran Hazum, Manager of Mobile Intelligence at Check Point Software said: “The malware’s technique is new and innovative, aiming to hijack users’ WhatsApp account by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager. The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags. Although we stopped one campaign using this malware, the malware may return hidden in a different app.
“The Play Store’s protections can only go so far, so mobile users need a mobile security solution. Luckily, we detected the malware early, and we quickly disclosed it to Google – who also acted quickly. Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups. If you think you’re a victim, we recommend immediately removing the application from devices, and changing all passwords.”
Over the course of two months, the FlixOnline app was downloaded approximately 500 times. As well as keeping Google in the loop, Check Point shared its research findings with WhatsApp, though there is no vulnerability on WhatsApp’s end. Instead, the malware uses the ability to reply to text messages from the notification shade.
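Capturing and replying to another app's notifications requires Android's notification-listener access, so a device can be checked for which user-installed apps hold it. The Python below is an added example, not code from Check Point or the original article: it parses the output of two standard adb commands, and the package names, sample output and allowlist are constructed for illustration.

```python
# Added example: audit notification-listener access from adb output.
# Inputs are the text printed by (run separately by the analyst):
#   adb shell settings get secure enabled_notification_listeners
#   adb shell pm list packages -3

def parse_listeners(raw):
    """Split the colon-separated 'package/Class' list into (package, class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":          # setting unset: no app has access
        return []
    pairs = []
    for entry in raw.split(":"):
        pkg, sep, cls = entry.strip().partition("/")
        if not sep or not pkg or not cls:
            continue                      # ignore malformed entries
        if cls.startswith("."):           # short class name is relative to the package
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs

def parse_third_party(raw):
    """Return the package names from 'package:<name>' lines (user-installed apps)."""
    return {line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")}

def audit(listeners_raw, third_party_raw, allowlist):
    """Report user-installed apps with notification access that are not allowlisted."""
    third_party = parse_third_party(third_party_raw)
    return [{"package": pkg, "service": cls}
            for pkg, cls in parse_listeners(listeners_raw)
            if pkg in third_party and pkg not in allowlist]

# Constructed sample output; every package name here is hypothetical.
SAMPLE_LISTENERS = ("com.example.launcher/.NotifService:"
                    "com.example.wearsync/com.example.wearsync.Listener:"
                    "com.example.freestreaming/.NotifyHook\n")
SAMPLE_THIRD_PARTY = ("package:com.example.wearsync\n"
                      "package:com.example.freestreaming\n"
                      "package:com.example.notes\n")
ALLOWLIST = {"com.example.wearsync"}      # apps the owner knowingly granted access

if __name__ == "__main__":
    for hit in audit(SAMPLE_LISTENERS, SAMPLE_THIRD_PARTY, ALLOWLIST):
        print(f"review: {hit['package']} ({hit['service']}) can read and act on notifications")
```

Any app it reports that the owner does not recognise is a candidate for having its notification access revoked and being uninstalled.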
Commenting on the hack, Jake Moore, Cybersecurity Specialist at ESET, told Express.co.uk: “Although apps like this are rare and infrequently downloaded, the threat they possess is huge – and this discovery could suggest the beginning of more malicious apps to come.
“Being able to send rogue messages from another app installed on a device is impressive and extremely dangerous, as when those messages appear on victims’ phones, they come with a sense of trust from a known contact. This is what makes this attack so highly effective and manipulative.
“Malicious actors know that worms like this work far better when passed on via contacts rather than unsolicited communication. If someone has downloaded this or a similar app, they may be sending WhatsApp messages out without realizing, so people need to remain cautious of links and attachments in received messages – even from known contacts.”