
Information-Stealing Android Malware Targets Netflix Customers

Fake Netflix App for Android Looks to Steal Personal Information from Netflix Customers.


Mobile malware creators have crafted a well-designed application that targets Netflix customers using Android mobile devices in an attempt to steal personal information. Symantec discovered the threat, which it dubbed Android.Fakeneflic and which attempts to exploit users of the popular Netflix app for Android.

The malware in question appears to be a legitimate Netflix app, but is instead an information-stealing Trojan looking to capture account information from unsuspecting users. Once installed, if a user enters their Netflix account information into the malicious app, the user’s information is captured and posted to a server. Following that, users are presented with a screen indicating incompatibility with their hardware and a recommendation to install another version of the app. After hitting the “Cancel” button, the malware attempts to uninstall itself. A fairly simple but well-designed application like this can easily trick users into coughing up login details and other personal information.

“The official [Netflix] app, which was initially released in the early part of the year, was only recently published to the Android Market with support for multiple devices. A gap in availability, combined with the large interest of users attempting to get the popular service running on their Android device, created the perfect cover for Android.Fakeneflic to exploit,” Irfan Asrar wrote in a blog post.


“Divided into two main parts, the app is largely just a splash screen followed by a login screen where the user information is captured and posted to a server. At the time of writing this blog, it appears that the server where the data was being posted is offline. Furthermore, there appears to be no attempt to verify whether the data entered by an unsuspecting user was accurate or not,” added Asrar and Shunichi Imano, also of Symantec.


We reached out to Symantec to get some insight on the impact of this mobile malware, and what malicious apps like this mean to users in general. In this case, the malicious fake Netflix app doesn’t appear to have infected many devices yet, but it could, and others like it could easily be propagated quickly via spam and other social engineering tactics.

Here’s what Liam O Murchu, Manager of Operations, Symantec Security Response, had to say in response to SecurityWeek’s questions.

SecurityWeek: How are users infected with this malicious Netflix app?

Murchu: “A user would become infected by simply downloading and installing the malicious app. So, user interaction certainly would be required, but social engineering could come into play in order to convince the user that this is the legitimate version of Netflix’s app, as opposed to the malicious fake it is.”

SecurityWeek: Do you have any insight as to the size and scope of users who may have been infected? From what we have been able to gather the number of infections appears to be extremely limited.

Murchu: “We don’t have details as to the number of users who might have downloaded this app at this time, but it’s likely that infections are very limited at this point. What makes this threat interesting isn’t so much how widespread it is, but that it is a slightly different twist on Trojanized legitimate applications we traditionally see targeting Android. These are legitimate apps that have been downloaded by attackers, repackaged with malicious code included and then re-released online. Such apps typically retain the legitimate app’s functionality. With Android.Fakeneflic, the attacker hasn’t actually utilized the legitimate app, but has tried to spoof it. In addition, Android.Fakeneflic provides an example of what kind of scheme attackers could run with a fake mobile banking app, where instead of gathering somewhat innocuous login credentials, the thief could gather banking credentials or other sensitive financial information instead.”

More information is available in a blog post from Symantec here.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.