#MalwareAlert: Fake Netflix-like app spreads malware via WhatsApp
What's the story
Check Point Research (CPR) discovered a new malware on the Google Play Store that was disguised as "FlixOnline." It claims to offer users two months of free access to Netflix content from all around the world. However, the app was designed to monitor the user's WhatsApp messages, reply to texts with malicious content, and steal login and financial details.
First step
Google has taken down the malware from the Play Store
When CPR notified Google about the malware, it was quickly removed from the Play Store. However, the app was downloaded 500 times within two months when it was available on the platform. While the fake app was taken down immediately, the fact that it bypassed Google's security measures and landed on the Play Store raises red flag about the company's ability to protect users.
Remote control
App requests three permissions to compromise your device
Once the app is installed, it requests the user to grant three permissions: "Notification Listener," "Overlay," and "Battery Optimization Ignore." The first service allows the malware to access notifications, reply to messages, and dismiss alerts. Access to the second permission provides it with the ability to draw new windows over other applications. The third service keeps the malware running even when the phone is dormant.
Clever tricks
The fake app hides its icon making uninstalling it harder
Once you grant permissions, the malware displays a landing page that it receives from the command and control (C&C) server and hides its icon so that users can't uninstall the app easily. The malware then continues to communicate with the C&C server to receive instructions. According to CPR, the fake app has been designed with a focus on WhatsApp.
Data theft
It can monitor and steal your data and spread malware
Although such behavior hasn't been observed, the malware can potentially steal your WhatsApp data and take the ransom route by threatening to send sensitive content to your contacts. Since it can also reply to your messages, it propagates by sending malicious links to WhatsApp contacts. With its ability to draw over other apps, it can monitor and steal login data and financial information.
Possible revisit
The malware could make a comeback in other apps
According to CPR, the malware could make a comeback disguised as other applications. Therefore, try to avoid apps that advertise such lucrative offers and keep yourself away from apps that are not popular on the platform. If you were a victim of the FlexOnline app, we recommend uninstalling the app immediately and changing your passwords.