Fake Netflix App Luring Android Users to Malware

Researchers Flag ‘FlixOnline’ as a Malicious Android Play Store App That Combines Social Engineering With WhatsApp Auto-Replies to Propagate

Researchers have discovered new Android malware that uses Netflix as its lure and spreads malware via auto-replies to received WhatsApp messages.

The discovery was reported to Google, and the malware – dubbed FlixOnline – has been removed from Google Play; but the researchers expect the methodology to return and be reused in other malware.

FlixOnline combines the popularity of Netflix, the traditional social engineering trigger of greed (Netflix for free!), and the current pandemic (to provide a reason for the offer), to attract its victims. 

“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE [malicious domain redacted].”

The researchers found the malware hidden in the FlixOnline app that claims to allow its users to view any Netflix content, anywhere in the world, free for two months on their mobiles. But, the researchers warn, “instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor the user’s WhatsApp notifications, and to send automatic replies to the user’s incoming messages using content that it receives from a remote command and control (C&C) server.”

Once installed on a victim’s device, the malware starts a service that requests ‘Overlay’, ‘Battery Optimization Ignore’, and ‘Notification’ permissions. The first is usually used to create fake login screens to steal user credentials; the second is used to prevent the malware being shut down automatically despite long idle periods; and the third – the most important – provides access to all notification messages received by the device, with the ability to automatically dismiss or reply to those messages.

These permissions allow the hacker to spread further malware via malicious links, to steal data from WhatsApp accounts, and spread fake or malicious messages to the user’s WhatsApp contacts, including work-related groups.


Once the permissions are granted, FlixOnline displays a landing page received from the C&C server, hiding its icon to make it harder to remove the malware. The C&C server is periodically contacted, and the malware’s configuration updated.

Using the OnNotificationPosted callback, the malware checks for WhatsApp messages and processes any it receives. First it cancels the notification to hide the message receipt from the user. It then sends an auto-reply as received from the C&C server – which could be misinformation, malicious links, self-advertisements (giving the malware wormable capabilities) or malware. Or it could be used to exfiltrate personal information and credentials from the user.
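The three permissions described above are individually ordinary but unusual in combination for an app that is not a messaging client. As an added example (not code from the article or from Check Point Research), the following triage helper flags installed packages that hold all three at once. It assumes the output of three `adb shell` commands has been captured to text: `settings get secure enabled_notification_listeners` (colon-separated `package/class` components), `dumpsys deviceidle whitelist` (`type,package,uid` lines) and `appops get <pkg> SYSTEM_ALERT_WINDOW`; the sample outputs, the package name `com.example.flix` and the trusted allow-list are constructed for the demonstration.

```python
"""Flag apps holding notification-listener + battery-exemption + overlay access."""
import re

# Constructed sample of `settings get secure enabled_notification_listeners`.
LISTENERS = ("com.whatsapp/com.whatsapp.notification.NotificationSvc:"
             "com.example.flix/com.example.flix.NotifService")

# Constructed sample of `dumpsys deviceidle whitelist` (type,package,uid).
WHITELIST = """system,com.android.phone,1001
user,com.example.flix,10241
user,com.whatsapp,10153"""

# Constructed sample of `appops get <pkg> SYSTEM_ALERT_WINDOW`, one per package.
APPOPS = {
    "com.example.flix": "SYSTEM_ALERT_WINDOW: allow; time=+3m12s ago",
    "com.whatsapp": "SYSTEM_ALERT_WINDOW: default",
}

# Constructed allow-list of apps expected to read and reply to notifications.
TRUSTED = {"com.whatsapp"}


def listener_packages(text):
    """Package names of every enabled notification-listener component."""
    return {comp.split("/")[0] for comp in text.strip().split(":") if comp}


def user_whitelisted(text):
    """Packages the user (not the system) exempted from battery optimisation."""
    pkgs = set()
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) >= 2 and parts[0] == "user":
            pkgs.add(parts[1])
    return pkgs


def overlay_allowed(appops_line):
    """True when the SYSTEM_ALERT_WINDOW op is explicitly allowed."""
    return bool(re.match(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_line))


def suspicious(listeners, whitelist, appops, trusted):
    """Packages with all three grants that are not on the trusted list."""
    candidates = listener_packages(listeners) & user_whitelisted(whitelist)
    return sorted(p for p in candidates
                  if overlay_allowed(appops.get(p, "")) and p not in trusted)


if __name__ == "__main__":
    print(suspicious(LISTENERS, WHITELIST, APPOPS, TRUSTED))
```

On a real device, any package this reports deserves manual review of its manifest and of what its notification-listener service does with the messages it sees.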

In the campaign discovered by Check Point Research, the WhatsApp response sent out was a fake Netflix site that phished for users’ credentials and credit card information.

Over the course of 2 months prior to its takedown by Google, FlixOnline was downloaded 500 times. While this is not a huge number, there is no knowing whether or to what extent it may have spread itself after installation on victims’ mobile devices.

“The malware’s technique is new and innovative,” says Aviran Hazum, manager of Mobile Intelligence at Check Point Software, “aiming to hijack users’ WhatsApp account by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager. The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags. Although we stopped one campaign using this malware, the malware may return hidden in a different app.”

Or, possibly, it already exists hidden in other apps. “Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps,” continued Hazum, “even when they appear to come from trusted contacts or messaging groups. If you think you’re a victim, we recommend immediately removing the application from devices, and changing all passwords.”

As for FlixOnline, even the name should be an immediate red flag. It’s a fairly obvious name for a disguised malicious app – as long ago as 2011 a user tweeted “why the hell won’t flixonline work. I hit play and it keeps taking me to ads”. More recently, in January 2021, ‘Re-ind’ warned of FlixOnline under the hashtags #Android #Banking #Trojan #Malware. The latter was a fake Huawei app.

Related: Facebook Disrupts Spies Using iPhone, Android Malware

Related: Recently Patched Android Vulnerability Exploited in Attacks

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
