Android Malware Detected on Google Play

Android Malware Detected on Google Play That Spreads Via WhatsApp

A new Android malware has been discovered that was distributed as an app on Google Play and is claimed to spread via WhatsApp conversations. Called FlixOnline, the app claimed to allow users to view global Netflix content. However, it was designed to monitor the user’s WhatsApp notifications and automatically reply to incoming messages with content it receives from the hacker. Google immediately removed the app from the Play Store after researchers contacted the company. However, it was downloaded hundreds of times before being removed.

Researchers at threat intelligence firm Check Point Research discovered the FlixOnline app on Google Play. When the application is downloaded from the Play Store and installed, the underlying malware starts a service that requests “Overlay”, “Ignore battery optimization” and “Notification” permissions, the researchers said in a press release.

These permissions are believed to let the malicious app create new windows on top of other apps, prevent the malware from being shut down by the device’s battery optimization routine, and gain access to all notifications.

Instead of enabling any legitimate service, the FlixOnline app monitors the user’s WhatsApp notifications and sends an auto-reply message to all WhatsApp conversations that lures victims with free access to Netflix. The message also contains a link that could allow hackers to obtain user information.

The malware is “wormable”, meaning it can spread itself. It could spread further through malicious links, and even extort money from users by threatening to send sensitive WhatsApp data or conversations to all of their contacts.

Check Point Research notified Google of the existence of the FlixOnline application and the details of its investigation. Google quickly removed the app from the Play Store upon receiving the details. However, the researchers found that the app was downloaded nearly 500 times over the course of two months before it went offline.

The researchers also believe that while the particular app in question was removed from Google Play after it was reported, the malware could make a comeback via another similar app in the future.

“The fact that malware was so easily disguised and ultimately bypassed Play Store protections raises some red flags. Although we stopped a campaign of the malware, the malware family is likely here to stay. Malware can come back hidden in a different application,” said Aviran Hazum, Mobile Intelligence Manager at Check Point, in a prepared quote.

Affected users are advised to remove the malicious app from their device and change their passwords.

It is important to note that while the malware variant distributed through the FlixOnline application was designed to spread via WhatsApp, the instant messaging application does not contain any particular loopholes that would allow malicious content to circulate. Instead, the researchers found that it was Google Play that failed to restrict access to the app in the first place, despite using a combination of automated tools and preloaded protections, including Play Protect.
