Researchers Warn of 'FlixOnline', a Malicious Android Play Store App That Combines Social Engineering With WhatsApp Auto-Replies to Propagate
Researchers have discovered new Android malware that uses Netflix as its lure and spreads via auto-replies to incoming WhatsApp messages.
The discovery was reported to Google, and the malware, dubbed FlixOnline, has been removed from Google Play; but the researchers expect the technique to return and be reused in other malware.
FlixOnline combines the popularity of Netflix, the traditional social engineering trigger of greed (Netflix for free!), and the current pandemic (to provide a reason for the offer), to attract its victims.
"2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE [malicious link redacted]."
The researchers found the malware hidden in the FlixOnline app, which claims to let its users view any Netflix content, anywhere in the world, free for two months on their mobiles. But, the researchers warn, "instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor the user's WhatsApp notifications, and to send automatic replies to the user's incoming messages using content that it receives from a remote command and control (C&C) server."
Once installed on a victim's device, the malware starts a service that requests the 'Overlay', 'Battery Optimization Ignore', and 'Notification' permissions. The first is usually used to create fake login screens to steal user credentials; the second is used to prevent the malware being shut down automatically during long idle periods; and the third, the most important, provides access to all notification messages received by the device, with the ability to automatically dismiss or reply to those messages.
These permissions allow the attacker to spread further malware via malicious links, to steal data from WhatsApp accounts, and to spread fake or malicious messages to the user's WhatsApp contacts, including work-related groups.
Once the permissions are granted, FlixOnline displays a landing page received from the C&C server and hides its icon to make the malware harder to remove. The C&C server is contacted periodically, and the malware's configuration is updated.
Using the onNotificationPosted callback method, the malware checks for WhatsApp messages and processes any it receives. First it cancels the notification to hide the message receipt from the user. It then sends an auto-reply as received from the C&C server, which could be misinformation, malicious links, self-advertisements (announcing the malware's wormable capabilities) or malware. Or it could be used to exfiltrate sensitive information and credentials from the user.
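The two passages above describe the capabilities FlixOnline asks for (overlay, battery-optimization exemption, notification access) and how the notification listener is then used. An analyst triaging APKs can look for exactly that combination in the decoded AndroidManifest.xml. The script below is an added example, not code from the article or from Check Point Research: it parses a manifest and flags apps that declare SYSTEM_ALERT_WINDOW, REQUEST_IGNORE_BATTERY_OPTIMIZATIONS and a service bound with BIND_NOTIFICATION_LISTENER_SERVICE (the real Android identifiers behind the three permissions the article names). Both sample manifests are constructed for this example and do not reproduce any real app.

```python
# Added example (not from the original article nor from Check Point's research): a
# manifest triage script that flags the permission combination the article describes
# for FlixOnline: overlay, battery-optimization exemption, and notification access.
# The permission and intent-action strings are the real Android identifiers; both
# sample manifests are constructed for this example and do not reproduce any real app.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS

# 'Overlay' permission: lets an app draw over other apps (fake login screens).
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
# 'Battery Optimization Ignore': keeps the app alive through long idle periods.
BATTERY = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
# 'Notification' access: a service bound with this permission and registered for this
# action receives onNotificationPosted for every notification and can cancel or reply.
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"

# Constructed sample: an app requesting all three capabilities.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.flix">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application>
        <service android:name=".NotifService"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application>
        <service android:name=".SyncService"/>
    </application>
</manifest>
"""


def collect_permissions(root):
    """Return the set of <uses-permission> names declared in the manifest."""
    return {p.get(NAME_ATTR) for p in root.iter("uses-permission")}


def has_notification_listener(root):
    """True if any <service> is bound as a NotificationListenerService."""
    for svc in root.iter("service"):
        if svc.get(PERMISSION_ATTR) != LISTENER_PERM:
            continue
        for action in svc.iter("action"):
            if action.get(NAME_ATTR) == LISTENER_ACTION:
                return True
    return False


def triage_manifest(manifest_xml):
    """Flag the overlay + battery exemption + notification listener combination."""
    root = ET.fromstring(manifest_xml)
    perms = collect_permissions(root)
    findings = {
        "package": root.get("package"),
        "overlay": OVERLAY in perms,
        "ignore_battery_optimizations": BATTERY in perms,
        "notification_listener": has_notification_listener(root),
    }
    flags = ("overlay", "ignore_battery_optimizations", "notification_listener")
    findings["hits"] = sum(findings[f] for f in flags)
    # All three together is the pattern the article describes; notification access
    # alone still deserves a look, since it exposes every message the device receives.
    findings["matches_pattern"] = findings["hits"] == len(flags)
    return findings


if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(xml)
        print(label, result["package"], "hits=%d" % result["hits"],
              "FLAG" if result["matches_pattern"] else "ok")
```

On a live device the same three signals can be read back with adb rather than from the manifest: `adb shell settings get secure enabled_notification_listeners` lists every app granted notification access, and `adb shell dumpsys deviceidle whitelist` lists apps exempted from battery optimization. Those commands are standard Android tooling, not something the article itself mentions.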
In the campaign discovered by Check Point Research, the WhatsApp response sent out was a fake Netflix site that phished for users' credentials and credit card information.
Over the course of the two months prior to its takedown by Google, FlixOnline was downloaded 500 times. While this is not a large number, there is no knowing whether or to what extent it may have spread itself after installation on victims' mobile devices.
"The malware's technique is new and innovative," says Aviran Hazum, head of Mobile Intelligence at Check Point Software, "aiming to hijack users' WhatsApp account by capturing notifications, along with the ability to take predefined actions, like 'dismiss' or 'reply' via the Notification Manager. The fact that the malware was able to be disguised so easily and ultimately bypass Play Store's protections raises some serious red flags. Although we stopped one campaign using this malware, the malware may return hidden in a different app."
Or, possibly, it already exists hidden in other apps. "Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps," continued Hazum, "even when they appear to come from trusted contacts or messaging groups. If you think you're a victim, we recommend immediately removing the application from devices, and changing all passwords."
As for FlixOnline, even the name should be an immediate red flag. It's a fairly obvious name for a fake malicious app: as long ago as 2011 a user tweeted "why the hell won't flixonline work. I hit play and it keeps taking me to ads". More recently, in January 2021, 'Re-ind' warned of FlixOnline under the hashtags #Android #Banking #Trojan #Malware. That one was a fake Huawei app.