Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Fake Netflix App Luring Android Users to Malware

Researchers Flag ‘FlixOnline’ as a Malicious Android Play Store App That Combines Social Engineering With WhatsApp Auto-Replies to Propagate

Researchers Flag ‘FlixOnline’ as a Malicious Android Play Store App That Combines Social Engineering With WhatsApp Auto-Replies to Propagate

Researchers have discovered new Android malware that uses Netflix as its lure and spreads malware via auto-replies to received WhatsApp messages.

The discovery was reported to Google, and the malware – dubbed FlixOnline – has been removed from Google Play; but the researchers expect the methodology to return and be reused in other malware.

FlixOnline combines the popularity of Netflix, the traditional social engineering trigger of greed (Netflix for free!), and the current pandemic (to provide a reason for the offer), to attract its victims. 

“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE [malicious domain redacted].”

The researchers found the malware hidden in the FlixOnline app that claims to allow its users to view any Netflix content, anywhere in the world, free for two months on their mobiles. But, the researchers warn, “instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor the user’s WhatsApp notifications, and to send automatic replies to the user’s incoming messages using content that it receives from a remote command and control (C&C) server.”

FlixOnlineOnce installed on a victim’s device, the malware starts a service that requests ‘Overlay’, ‘Battery Optimization Ignore’, and ‘Notification’ permissions. The first is usually used to create fake login screens to steal user credentials; the second is used to prevent the malware being shut down automatically despite long idle periods; and the third – the most important – provides access to all notification messages received by the device with the ability to automatically dismiss or reply to those messages.

These permissions allow the hacker to spread further malware via malicious links, to steal data from WhatsApp accounts, and spread fake or malicious messages to the user’s WhatsApp contacts, including work-related groups.

[READ: Recently Patched Android Vulnerability Exploited in Attacks ]

Once the permissions are granted, FlixOnline displays a landing page received from the C&C server, hiding its icon to make it harder to remove the malware. The C&C server is periodically contacted, and the malware’s configuration updated.

Using the OnNotificationPosted callback capability, the malware checks for WhatsApp messages and processes any received. First it cancels the notification to hide the message receipt from the user. It then sends an autoreply as received from the C&C server – which could be misinformation, malicious links, self-advertisements (giving the malware wormable capabilities) or malware. Or it could be used to exfiltrate personal information and credentials from the user.

In the campaign discovered by Check Point Research, the WhatsApp response sent out was a fake Netflix site that phished for users’ credentials and credit card information.

Over the course of 2 months prior to its takedown by Google, FlixOnline was downloaded 500 times. While this is not a huge number, there is no knowing whether or to what extent it may have spread itself after installation on victims’ mobile devices.

“The malware’s technique is new and innovative,” says Aviran Hazum, manager of Mobile Intelligence at Check Point Software, “aiming to hijack users’ WhatsApp account by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager. The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags. Although we stopped one campaign using this malware, the malware may return hidden in a different app.”

Or, possibly, it already exists hidden in other apps. “Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, continued Hazum, even when they appear to come from trusted contacts or messaging groups. If you think you’re a victim, we recommend immediately removing the application from devices, and changing all passwords.”

As for FlixOnline, even the name should be an immediate red flag. It’s a fairly obvious name for a disguised malicious app – as long ago as 2011 a user tweeted “why the hell wont flixonline work. I hit play and it keeps taking me to adds”. More recently, in January 2021, ‘Re-ind’ warned of FlixOnline under the hashtags #Android #Banking #Trojan #Malware. The latter was a fake Huawei app.

Related: Facebook Disrupts Spies Using iPhone, Android Malware

Related: Recently Patched Android Vulnerability Exploited in Attacks

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...