Researchers Flag ‘FlixOnline’ as a Malicious Android Play Store App That Combines Social Engineering With WhatsApp Auto-Replies to Propagate
Researchers have discovered new Android malware that uses Netflix as its lure and spreads malware via auto-replies to received WhatsApp messages.
The discovery was reported to Google, and the malware – dubbed FlixOnline – has been removed from Google Play; but the researchers expect the methodology to return and be reused in other malware.
FlixOnline combines the popularity of Netflix, the traditional social engineering trigger of greed (Netflix for free!), and the current pandemic (to provide a reason for the offer), to attract its victims.
“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE [malicious domain redacted].”
The researchers found the malware hidden in the FlixOnline app that claims to allow its users to view any Netflix content, anywhere in the world, free for two months on their mobiles. But, the researchers warn, “instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor the user’s WhatsApp notifications, and to send automatic replies to the user’s incoming messages using content that it receives from a remote command and control (C&C) server.”
Once installed on a victim’s device, the malware starts a service that requests ‘Overlay’, ‘Battery Optimization Ignore’, and ‘Notification’ permissions. The first is usually used to create fake login screens to steal user credentials; the second is used to prevent the malware from being shut down automatically during long idle periods; and the third – the most important – provides access to all notification messages received by the device, with the ability to automatically dismiss or reply to those messages.
Together, these permissions allow the attacker to spread further malware via malicious links, to steal data from WhatsApp accounts, and to send fake or malicious messages to the user’s WhatsApp contacts, including work-related groups.
Once the permissions are granted, FlixOnline displays a landing page received from the C&C server, hiding its icon to make it harder to remove the malware. The C&C server is periodically contacted, and the malware’s configuration updated.
Using the onNotificationPosted callback, the malware checks for WhatsApp messages and processes any it receives. First it cancels the notification to hide the message’s receipt from the user. It then sends an auto-reply as received from the C&C server – which could be misinformation, malicious links, self-advertisements (giving the malware wormable capabilities) or malware. Or it could be used to exfiltrate personal information and credentials from the user.
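The three permissions described above, combined with a registered notification listener, are a recognisable pattern that an analyst can check for when triaging a suspicious APK. The following script is an added example (not Check Point’s code and not FlixOnline’s own manifest): it parses a decoded AndroidManifest.xml, such as apktool produces, and flags the combination. The manifest embedded in it is a constructed sample.

```python
# Added triage check (not Check Point's code): flag a decoded AndroidManifest.xml
# that combines the three capabilities FlixOnline requested. SAMPLE_MANIFEST is a
# constructed example, not FlixOnline's real manifest.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Real Android identifiers; the combination, not any one alone, is the signal.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
IGNORE_BATTERY = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
LISTENER_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".NotifyService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def analyze_manifest(xml_text: str) -> dict:
    """Report which of the three capabilities the manifest declares."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NS + "name") for el in root.iter("uses-permission")}
    # A notification listener is a service guarded by the bind permission that
    # also filters on the listener action; require both to limit false positives.
    listener = any(
        svc.get(NS + "permission") == LISTENER_BIND
        and any(a.get(NS + "name") == LISTENER_ACTION for a in svc.iter("action"))
        for svc in root.iter("service")
    )
    found = {
        "overlay": OVERLAY in requested,
        "ignore_battery_optimizations": IGNORE_BATTERY in requested,
        "notification_listener": listener,
    }
    found["matches_flixonline_pattern"] = all(found.values())
    return found

if __name__ == "__main__":
    for key, value in analyze_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Legitimate apps (notification-mirroring tools, accessibility helpers) can also declare a notification listener, so treat a match as a reason to look at what the listener does with WhatsApp notifications, not as a verdict on its own.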
In the campaign discovered by Check Point Research, the WhatsApp response sent out was a fake Netflix site that phished for users’ credentials and credit card information.
Over the course of 2 months prior to its takedown by Google, FlixOnline was downloaded 500 times. While this is not a huge number, there is no knowing whether or to what extent it may have spread itself after installation on victims’ mobile devices.
“The malware’s technique is new and innovative,” says Aviran Hazum, manager of Mobile Intelligence at Check Point Software, “aiming to hijack users’ WhatsApp account by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager. The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags. Although we stopped one campaign using this malware, the malware may return hidden in a different app.”
Or, possibly, it already exists hidden in other apps. “Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps,” continued Hazum, “even when they appear to come from trusted contacts or messaging groups. If you think you’re a victim, we recommend immediately removing the application from devices, and changing all passwords.”
As for FlixOnline, even the name should be an immediate red flag. It’s a fairly obvious name for a disguised malicious app – as long ago as 2011 a user tweeted “why the hell won’t flixonline work. I hit play and it keeps taking me to ads”. More recently, in January 2021, ‘Re-ind’ warned of FlixOnline under the hashtags #Android #Banking #Trojan #Malware. The latter was a fake Huawei app.