Check Point Research has discovered new malware in the Google Play store that can spread via WhatsApp messages.
According to the cybersecurity firm, the malware was designed to automatically respond to incoming WhatsApp messages on behalf of its victims, with the content of the response supplied by a remote server.
CPR found malware hidden in a fake “Netflix” app on the Play Store called FlixOnline, which promised “unlimited fun” from anywhere in the world.
If the infection succeeds, the malware allows the threat actors to perform a range of malicious activities, such as:
- Spreading the malware further through malicious links
- Stealing credentials and data from the victim's WhatsApp account
- Spreading fake or malicious messages to the victim's WhatsApp contacts and groups, for example work-related groups
The malware is designed to be self-propagating, meaning it can spread from one Android device to another once an Android user clicks a link in a message and downloads the malware.
How the malware works
1. The victim installs the malware from the Google Play Store
2. The malware starts "listening" for new WhatsApp notifications
3. The malware responds to every WhatsApp message the victim receives with a reply crafted by the threat actors
4. In this campaign, the reply pointed to a fake Netflix website that harvested credentials and credit card information
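Because the infection chain above hinges on an app holding notification-listener access, one defensive check is to audit which installed apps have been granted it. The following Python script is an added example, not code from Check Point or from the article; it assumes its two input strings were captured with `adb shell settings get secure enabled_notification_listeners` and `adb shell pm list packages -3`, and every package name in the samples is constructed.

```python
"""Audit which Android apps hold notification-listener access.

Assumed inputs (captured with adb, see lead-in); the sample values
below are constructed for this example and are not real packages.
"""
from typing import List, NamedTuple, Set, Tuple

# Constructed sample: the Secure setting is a colon-separated list of
# flattened ComponentNames ("package/class"); a class starting with "."
# is shorthand for a class inside that package.
SAMPLE_LISTENERS = (
    "com.android.systemui/.NotificationListener:"
    "com.example.wearcompanion/com.example.wearcompanion.ListenerService:"
    "com.example.fakeflix/.NotifService"
)
# Constructed sample of "pm list packages -3" (third-party apps only).
SAMPLE_THIRD_PARTY = "package:com.example.wearcompanion\npackage:com.example.fakeflix\n"
# Packages an administrator has reviewed and expects to hold listener access.
ALLOWLIST = {"com.android.systemui", "com.example.wearcompanion"}


class Listener(NamedTuple):
    package: str
    component: str
    third_party: bool
    allowed: bool


def parse_components(setting: str) -> List[Tuple[str, str]]:
    """Split the setting value into (package, fully qualified class) pairs."""
    out = []
    for flat in filter(None, setting.strip().split(":")):
        pkg, _, cls = flat.partition("/")
        if cls.startswith("."):  # expand the ".Class" shorthand
            cls = pkg + cls
        out.append((pkg, cls))
    return out


def parse_third_party(pm_output: str) -> Set[str]:
    """Collect package names from 'package:<name>' lines."""
    return {ln[len("package:"):].strip() for ln in pm_output.splitlines() if ln.startswith("package:")}


def audit(setting: str, pm_output: str, allowlist: Set[str]) -> List[Listener]:
    third = parse_third_party(pm_output)
    return [Listener(p, c, p in third, p in allowlist) for p, c in parse_components(setting)]


def suspicious(setting: str, pm_output: str, allowlist: Set[str]) -> List[str]:
    """Third-party packages with listener access that nobody approved."""
    return [l.package for l in audit(setting, pm_output, allowlist) if l.third_party and not l.allowed]


if __name__ == "__main__":
    for l in audit(SAMPLE_LISTENERS, SAMPLE_THIRD_PARTY, ALLOWLIST):
        print(f"{'REVIEW' if l.third_party and not l.allowed else 'ok':7} {l.component}")
```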
The scripted WhatsApp message
The malware sent the following automatic reply to incoming WhatsApp messages, luring recipients with the offer of a free Netflix service:
“2 months of Netflix Premium for free, at no cost FOR QUARANTINE (CORONA VIRUS) * Get 2 months of Netflix Premium for free anywhere in the world for 60 days. Get it right HERE https://bit[.]ly/3bDmzUw”.
Disguised as a fake Netflix app
CPR found the malware hidden in an application on Google Play called “FlixOnline”. The app turned out to be a fake service that claims to let users watch Netflix content from around the world on their mobile phones. Instead of showing Netflix content, however, the app is designed to monitor the user's WhatsApp notifications and send automated replies to incoming messages using content received from a remote server.
Responsible disclosure and victims
CPR disclosed its findings to Google, which subsequently removed the malicious application. Over the course of two months, the “FlixOnline” application was downloaded approximately 500 times. CPR also shared its findings with WhatsApp, although no vulnerability in WhatsApp itself is involved.
Aviran Hazum, a mobile intelligence manager at Check Point, says the malware technique is fairly new and innovative.
“This is about hijacking a connection to WhatsApp by capturing a notification, with the ability to take pre-defined actions, such as ‘rejecting’ or ‘replying’ via the Notification Manager,” he says.
“The fact that the malware managed to disguise itself so easily and eventually bypass the protection of the Play Store triggers some serious red flags,” Hazum explains.
“Even though we stopped one malware campaign, the malware family will probably stay here. The malware can come back hidden in another application.”
He says protecting the Google Play Store can only go so far.
“Phone users need a mobile security solution. Fortunately, we detected the malware early and quickly reported it to Google – which also acted quickly,” Hazum says.
“Users should beware of download links or attachments they receive through WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups.
“If you think you’re a victim, I’d immediately remove the app from my device and then change any passwords.”
Safety tips for Android users
1. Install a security solution on your device
2. Download applications only from official markets
3. Update your device and applications regularly