Malware disguised as a Netflix app, hiding on the Google Play store, spread through WhatsApp messages, researchers have now found.
The wormable malware spread from Android to Android by sending messages offering ‘free Netflix Premium’ for 60 days.
According to a Check Point Research analysis released on Wednesday, the malware posed as an app called “FlixOnline,” which was advertised via WhatsApp messages promising “2 Months of Netflix Premium Free Anywhere in the World for 60 days.” Once installed, the malware set about stealing data & credentials.
Lure Others
The malware was designed to listen for incoming WhatsApp messages & automatically respond to any that the victims receive, with the content of the response crafted by the adversaries.
The responses attempted to lure others with the offer of a free Netflix service, & contained links to a fake Netflix site that phished for credentials & credit card information, researchers observed.
Fake Service
“The app turned out to be a fake service that claims to allow users to view Netflix content from around the world on their mobiles,” according to the analysis.
“However, instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor a user’s WhatsApp notifications, sending automatic replies to a user’s incoming messages using content that it receives from a remote server.”
Self-Propagate
The malware was also able to self-propagate, sending messages to users’ WhatsApp contacts & groups with links to the fake app. To that end, the automated messages read, “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE [Bitly link].”
Over the 2 months that the app was live on Google Play, the malware clocked up 500 victims, according to Check Point. The firm alerted Google to the malware, & Google took the app down. However, “the malware family is likely here to stay & may return hidden in a different app,” researchers warned.
New & Innovative
“The malware’s technique is fairly new & innovative,” Aviran Hazum, manager of Mobile Intelligence at Check Point, stated in the analysis.
“The technique here is to hijack the connection to WhatsApp by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager. The fact that the malware was able to be disguised so easily & ultimately bypass Play Store’s protections raises some serious red flags.”
FlixOnline Intercepts
Once the application is downloaded from the Play Store & installed, it requests 3 specific permissions, according to the Check Point analysis: Overlay, Battery Optimisation Ignore & Notification Listener.
Overlay allows a malicious application to create new windows on top of other applications, noted the researchers.
“This is usually requested by malware to create a fake log-in screen for other apps, with the aim of stealing victim’s credentials,” they explained.
Ignore Battery Optimisations
The Ignore Battery Optimisations permission meanwhile stops the malware from being shut down when the phone goes into idle mode, as Android apps usually do in order to save battery power.
This allowed the “FlixOnline” app to continuously operate, listening & sending fake messages in the background even if the phone is dormant.
Notification Listener
Most importantly, the Notification Listener permission allows the malware to access all notifications related to messages sent to the device, with “the ability to automatically perform designated actions such as ‘dismiss’ & ‘reply’ to messages received on the device,” according to Check Point.
After the permissions are granted, the malware displays a landing page it receives from the command-&-control server (C2), & it removes its icon from the home screen. From there, it periodically ‘pings’ the C2 for configuration updates.
“The service can achieve these goals by using multiple methods,” according to the analysis. “For instance, the service can be triggered by the installation of the application & by an alarm registered as the BOOT_COMPLETED action, which is called after the device has completed the boot process.”
Cancelling the Notification
When it comes to parsing the WhatsApp messages, the malware uses the onNotificationPosted callback (the NotificationListenerService hook that Android invokes for every new notification) to check the package name of the application that created a given notification. If that application is WhatsApp, the malware then “processes” the notification, according to Check Point. That consists of cancelling the notification to hide it from the user, & then reading the title & content of the notification received.
“Next, it searches for the component that is responsible for inline replies, which is used to send out the reply using the payload received from the C2 server,” researchers explained.
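The three capabilities described above (an enabled notification listener, the overlay permission & the battery-optimisation exemption) are individually legitimate, but together they make up the FlixOnline profile. The following triage script is an added example written for this article, not code from Check Point or from the malware: it parses the value of Android’s `enabled_notification_listeners` secure setting (a colon-separated list of flattened component names, as returned by `adb shell settings get secure enabled_notification_listeners`) & scores each installed package against that profile. The package names, the permission sets & the allowlist are constructed for the example; on a real device the permission sets would be read from `dumpsys package` output.

```python
"""Triage installed packages against the FlixOnline capability profile:
enabled notification listener + overlay + ignore-battery-optimisations.
All sample inputs below are constructed for this example."""

from dataclasses import dataclass, field

# Real Android permission strings corresponding to the page's "Overlay" and
# "Battery Optimisation Ignore". The notification listener is not a runtime
# permission; it is a service the user enables in Settings, recorded in the
# enabled_notification_listeners secure setting.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
IGNORE_BATTERY = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"

# Hypothetical allowlist of packages expected to hold listener access.
ALLOWLIST = {"com.android.systemui"}


def parse_enabled_listeners(setting_value: str) -> set[str]:
    """Return the package names with an enabled notification listener.

    The setting value is ':'-separated flattened ComponentNames, e.g.
    'com.a/com.a.Svc:com.b/com.b.Svc'. 'null' or empty means none."""
    if not setting_value or setting_value.strip() == "null":
        return set()
    pkgs = set()
    for component in setting_value.strip().split(":"):
        if component:
            pkgs.add(component.split("/", 1)[0])
    return pkgs


@dataclass
class Finding:
    package: str
    reasons: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per FlixOnline-style capability held (max 3).
        return len(self.reasons)


def triage(listener_setting: str, granted: dict[str, set[str]]) -> list[Finding]:
    """Score every package seen either as a listener or in `granted`.

    `granted` maps package name -> set of granted permission strings
    (constructed here; on a device it would come from dumpsys package)."""
    listeners = parse_enabled_listeners(listener_setting)
    findings = []
    for pkg in sorted(set(granted) | listeners):
        if pkg in ALLOWLIST:
            continue
        perms = granted.get(pkg, set())
        f = Finding(pkg)
        if pkg in listeners:
            f.reasons.append("notification listener enabled: can read, cancel "
                             "and inline-reply to messaging notifications")
        if OVERLAY in perms:
            f.reasons.append("SYSTEM_ALERT_WINDOW granted: can draw windows "
                             "over other apps (fake login screens)")
        if IGNORE_BATTERY in perms:
            f.reasons.append("REQUEST_IGNORE_BATTERY_OPTIMIZATIONS granted: "
                             "keeps running while the phone is idle")
        if f.reasons:
            findings.append(f)
    # Highest score first; a 3/3 match is the profile described in the article.
    findings.sort(key=lambda x: -x.score)
    return findings


# Constructed sample data (no real package names from the incident).
SAMPLE_LISTENERS = ("com.android.systemui/com.android.systemui.statusbar.NotificationListener:"
                    "com.example.fake_flix/com.example.fake_flix.NotifService")
SAMPLE_GRANTED = {
    "com.android.systemui": {OVERLAY},
    "com.example.fake_flix": {OVERLAY, IGNORE_BATTERY, "android.permission.INTERNET"},
    "com.example.weather": {"android.permission.INTERNET"},
    "com.example.launcher": {OVERLAY},
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_LISTENERS, SAMPLE_GRANTED):
        print(f"{finding.package}: score {finding.score}/3")
        for reason in finding.reasons:
            print("  -", reason)
```

A score of 3 is the combination to investigate first; a lone overlay grant (a launcher, for instance) is common & scores 1. The script deliberately reports packages that appear in the listener setting even when no permission data was collected for them, since a listener with unknown permissions is still worth a look.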
Apps on Google Play
The official Android app store is unfortunately no stranger to malicious & trojanised apps. In March, for example, 9 malicious apps were found on Google Play, harbouring a malware dropper that helps attackers remotely steal financial data from Android phones. In January, Google booted 164 apps, collectively downloaded a total of 10m times, because they were delivering disruptive ads.
In 2020, the Joker malware continued to trouble Google Play apps. Joker, which has existed since 2017, is a mobile trojan specialising in a type of billing fraud known as “fleeceware.”
The Joker apps advertise themselves as legitimate apps (like games, wallpapers, messengers, translators, & photo editors, mainly). When installed, they simulate clicks & intercept SMS messages to subscribe victims to unwanted, paid premium services. The apps also steal SMS messages, contact lists & device information.
How Can Android Users Protect Themselves?
To protect against this type of malware, users should be wary of download links or attachments received via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups, Check Point noted.
If users find themselves with a fake app, they should immediately remove the suspect application from the device & proceed to change all passwords.