A new kind of Android malware has been discovered by the research group at Check Point Research (CPR). The malware was discovered in an app on the Google Play store. The app, called FlixOnline, is a sham service that advertises the ability to bypass the region locks on Netflix, allowing users to watch all Netflix content from around the world. The application does not actually enable users to bypass these locks. What it does is monitor a user’s WhatsApp notifications, automatically responding to conversations with spam promising two months of free Netflix subscription. When users click the link, they join the spam chain and continue spreading the malware to users on their contact list.
How the malware works
The researchers at Check Point found that once the app was installed on the victim’s phone, the Android malware starts a service that requests ‘Battery Optimization Ignore’, ‘Notification’, and ‘Overlay’ approval. The first request prevents the malware from being shut down automatically, even during idle periods; the second grants access to all notification messages received on the user’s device, giving the application the ability to reply to or dismiss them; and the third is used to create fake login screens to compromise user credentials.
Once the requisite approvals are granted, the FlixOnline app displays a landing page received from a command and control (C&C) server and then hides its application icon so the malware cannot easily be shut down manually. The malware then contacts the C&C server periodically and updates its configuration from it.
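As an added example (not Check Point’s tooling or FlixOnline’s actual manifest), the script below triages a decoded AndroidManifest.xml for the three capabilities the article describes being requested together: notification access, overlay, and battery-optimisation exemption. The sample manifest is constructed, and the low/medium/high scoring is an assumption.

```python
"""Triage a decoded AndroidManifest.xml for the notification-listener,
overlay and battery-optimisation capabilities described above.
Added example; run against XML decoded with apktool or similar."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# label -> (manifest marker, where it is declared)
MARKERS = {
    "overlay": ("android.permission.SYSTEM_ALERT_WINDOW", "uses-permission"),
    "battery_optimization_ignore": (
        "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", "uses-permission"),
    # Notification access is declared as the permission guarding a service.
    "notification": ("android.permission.BIND_NOTIFICATION_LISTENER_SERVICE", "service"),
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return which markers are present and an assumed risk tier."""
    root = ET.fromstring(manifest_xml)
    uses = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    svc_perms = {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    found = {}
    for label, (name, kind) in MARKERS.items():
        found[label] = name in (uses if kind == "uses-permission" else svc_perms)
    hits = sum(found.values())
    risk = {3: "high", 2: "medium"}.get(hits, "low")  # assumed thresholds
    return {"found": found, "hits": hits, "risk": risk}


# Constructed sample: package name and service name are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))  # risk: high
```

Treat the result as a triage signal only: legitimate apps (notification managers, chat heads) declare some of these too, so a high score warrants manual review of what the app does with notification content, not an automatic verdict.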
How the malware enables further attacks
Using the above attack vector, attackers could take it a step further with the following:
- Stealing data from the victim’s WhatsApp account
- Coercing users into paying to avoid the release of sensitive data to users in their contact list
- Continuing to spread further by utilizing malicious links
- Spreading spam messages to users in the contact list and other work-related WhatsApp groups
The Android malware features some creative techniques for spreading itself and for stealing victims’ data from legitimate apps like WhatsApp.
Avoiding Mobile Threats
Any app that promises to provide its services or any third-party services for free is a red flag. If a service or an application is too good to be true, then it probably is. Users should always be suspicious of download links and attachments they receive in instant messaging and email, even from trusted contacts and groups.
Read the complete Check Point Research report here.
For news and updates from around the world, visit https://blog.excellimatrix.com/
You can also reach out to us on Facebook and LinkedIn, or Contact us.