Security researchers have discovered new malware disguised as a Netflix application, designed to spread worm-like via victims’ WhatsApp messages.
Check Point discovered the wormable malware in an application on the Google Play Store called ‘FlixOnline’. It was designed to attract Android users by promising unlimited entertainment from anywhere in the world, using the Netflix logo to add legitimacy.
Once a victim installs the application, the malware will change permissions on their device to enable automatic responses to new WhatsApp notifications. Then it will send an automated reply to every message that user receives — encouraging them to visit a fake Netflix site designed to phish for log-ins and credit card details.
The WhatsApp message itself promises the recipient two months of Netflix Premium free of charge if they click on the malicious link.
Unfortunately, Check Point claimed the malware is likely to return in another guise.
“The malware’s technique is new and innovative, aiming to hijack users’ WhatsApp accounts by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager,” explained the security vendor’s manager of mobile intelligence, Aviran Hazum.
“The fact that the malware was able to be disguised so easily and ultimately bypass the Play Store’s protections raises some serious red flags. Although we stopped one campaign using this malware, the malware may return hidden in a different app.”
In this case, the offending FlixOnline app had been downloaded only around 500 times before Google, notified by Check Point, removed it.
However, the vendor urged users to download a security solution to their device, to install apps only from official marketplaces and to keep all software up to date to stay safe online.
“Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups,” concluded Hazum.
“If you think you’re a victim, we recommend immediately removing the application from devices, and changing all passwords.”