Cybersecurity researchers have discovered yet another piece of wormable Android malware, this time downloadable directly from the official Google Play Store, that is capable of propagating via WhatsApp messages.
Disguised as a rogue Netflix app under the name "FlixOnline," the malware comes with features that allow it to automatically reply to a victim's incoming WhatsApp messages with a payload received from a command-and-control (C&C) server.
"The application is actually designed to monitor the user's WhatsApp notifications, and to send automatic replies to the user's incoming messages using content that it receives from a remote C&C server," Check Point researchers said in an analysis published today.
Besides masquerading as a Netflix app, the malicious "FlixOnline" app also requests intrusive permissions that allow it to create fake login screens for other apps, with the goal of stealing credentials, and to gain access to all notifications received on the device, using that access to hide WhatsApp notifications from the user and automatically reply with a specially crafted payload received from the C&C server.
"The malware's technique is fairly new and innovative," said Aviran Hazum, manager of mobile intelligence at Check Point. "The technique here is to hijack the connection to WhatsApp by capturing notifications, along with the ability to take predefined actions, like 'dismiss' or 'reply' via the Notification Manager."
A successful infection could allow the malware to spread further via malicious links, steal data from users' WhatsApp accounts, propagate malicious messages to users' WhatsApp contacts and groups, and even extort users by threatening to leak sensitive WhatsApp data or conversations.
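The two capabilities described above, reading every notification through a bound notification listener and drawing fake login screens over other apps, both leave a footprint on the device that an administrator can audit. The script below is an added example, not code from Check Point's report or from the malware; it parses captured output of `adb shell settings get secure enabled_notification_listeners` (assumed to be a ':'-separated list of flattened ComponentNames) and of `adb shell dumpsys package <pkg>` (assumed to list requested permission names one per indented line under a "requested permissions:" header), and flags packages that hold listener access outside an expected allow-list or that request the overlay permission `SYSTEM_ALERT_WINDOW`. The sample output and the package name `com.example.fakeflix` are constructed placeholders.

```python
"""Audit notification-listener grants and overlay permissions from adb output.

Added example, not code from Check Point's report or from the malware itself.
Assumptions: `adb shell settings get secure enabled_notification_listeners`
prints a ':'-separated list of flattened ComponentNames ("package/Service"),
and `adb shell dumpsys package <pkg>` lists requested permission names, one
per indented line, under a "requested permissions:" header. The sample
output below is constructed; "com.example.fakeflix" is a placeholder.
"""

# Packages expected to hold notification-listener access on this device
# (assumption: tune to your fleet, e.g. SystemUI or a wearable companion).
EXPECTED_LISTENERS = {"com.android.systemui"}

# Overlay permission: lets an app draw fake login screens over other apps.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"


def parse_enabled_listeners(raw: str) -> list[tuple[str, str]]:
    """Split the enabled_notification_listeners value into (package, service)."""
    raw = raw.strip()
    if raw in ("", "null"):          # no listener enabled at all
        return []
    result = []
    for component in raw.split(":"):
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):       # short class form: .Foo -> pkg.Foo
            cls = pkg + cls
        result.append((pkg, cls))
    return result


def unexpected_listeners(raw: str, expected=EXPECTED_LISTENERS) -> list[tuple[str, str]]:
    """Listeners bound by packages outside the expected allow-list."""
    return [(p, c) for p, c in parse_enabled_listeners(raw) if p not in expected]


def requested_permissions(dumpsys_pkg: str) -> set[str]:
    """Collect names from the 'requested permissions:' block of dumpsys output."""
    perms: set[str] = set()
    in_block = False
    for line in dumpsys_pkg.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            # Block ends at a blank line or the next section header (ends with ':').
            if not stripped or stripped.endswith(":"):
                break
            perms.add(stripped)
    return perms


def audit(listeners_raw: str, dumpsys_by_pkg: dict[str, str]) -> list[str]:
    """Return human-readable findings combining both checks."""
    findings = []
    for pkg, cls in unexpected_listeners(listeners_raw):
        findings.append(f"{pkg}: notification listener enabled ({cls})")
    for pkg, dump in dumpsys_by_pkg.items():
        if OVERLAY_PERMISSION in requested_permissions(dump):
            findings.append(f"{pkg}: requests {OVERLAY_PERMISSION} (overlay)")
    return findings


# Constructed sample output standing in for the two adb commands.
SAMPLE_LISTENERS = (
    "com.android.systemui/com.android.systemui.NotificationListener"
    ":com.example.fakeflix/com.example.fakeflix.NotifService"
)
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fakeflix] (1a2b3c):
    userId=10234
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_BOOT_COMPLETED
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTENERS, {"com.example.fakeflix": SAMPLE_DUMPSYS}):
        print(finding)
```

On a real device, feed `audit()` the live output of the two adb commands (one `dumpsys package` call per third-party package). Listener access is the higher-signal finding: very few legitimate apps need to read every notification, so a streaming or video app appearing in that list warrants a look regardless of where it was installed from.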
The app has since been purged from the Play Store, but not before attracting a total of 500 downloads over the course of two months.
FlixOnline also marks the second time a malicious app has been caught using WhatsApp to spread malware. In January 2021, ESET researcher Lukas Stefanko disclosed a fake Huawei Mobile app that employed the same modus operandi to carry out a wormable attack.
What's more, the message displayed to users upon opening the apps is the same, "We need your permission to access the application. It will help app (sic) to provide better functionality," suggesting the two apps could either be the work of the same attacker or that the authors of FlixOnline drew inspiration from the Huawei Mobile app.
"The fact that the malware was able to be disguised so easily and ultimately bypass Play Store's protections raises some serious red flags," Hazum said. "Although we stopped one campaign of the malware, the malware family is likely here to stay. The malware may return hidden in a different app."
"Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups," Hazum added.