FlixOnline, the malware that runs through WhatsApp chats: You won’t have Netflix for free


FlixOnline: With more than 2,000 million active users per month, WhatsApp offers scammers unmatched reach and a huge pool of potential victims, especially when the lure is free access to a service that normally costs money. Netflix free for 2 months? The offer seems too good to be true, and in fact it is.

FlixOnline, malware spread through WhatsApp

As the mobile threat landscape evolves, threat actors are always looking to develop new techniques to evolve and successfully distribute malware. Check Point Research (CPR) has recently discovered a new malicious threat in the Google Play app store that spreads through WhatsApp conversations of mobile users, and which can also send more malicious content through automatic responses to incoming WhatsApp messages.

This method could allow a hacker to:

– Distribute phishing attacks

– Spread more malware

– Spread false information

– Steal credentials and data from the WhatsApp account

– Steal credentials and data from user chats

Netflix Premium free 2 months

Researchers found the malware hidden within an application on Google Play called ‘FlixOnline’. The app is a bogus service that claims to allow users to watch Netflix content from around the world on their mobiles. But in reality, instead of allowing the mobile user to view Netflix content, the application is designed to “monitor the user’s WhatsApp notifications, and to send automatic responses to the user’s incoming messages using the content it receives from a remote command and control (C&C) server”.

The malware sends the following message to its victims via WhatsApp, attracting them with the offer of a free Netflix service:

“2 Months of Netflix Premium Free for Quarantine Reason (VIRUS CORONA) * Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw”.

When the application is downloaded from the Play Store and installed, the malware starts a service that requests ‘Overlay’, ‘Ignore Battery Optimization’ and ‘Notification’ permissions. The purpose behind obtaining these permissions is:

– Overlay allows a malicious application to create new windows on top of other applications. This is usually requested by the malware to create a fake “Login” screen for other applications, with the aim of stealing the victim’s credentials.

– Ignoring battery optimizations prevents the malware from being shut down by the device’s battery optimization routine, even after being inactive for an extended period.

– The most prominent permission is access to notifications, more specifically, to the Notification Listener service. Once enabled, this permission gives the malware access to all notifications related to messages sent to the device, and the ability to automatically perform designated actions such as “discard” and “reply” to messages received on the device.
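The three permissions described above can be checked for when triaging an app. The following is an added example, not code from Check Point's report: it audits a decoded (text) AndroidManifest.xml for the overlay permission, the battery-optimization exemption and a declared notification listener service. The package and class names in the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest live in the android: XML namespace.
A = "{http://schemas.android.com/apk/res/android}"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
BATTERY = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
LISTENER_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"

def audit_manifest(manifest_xml: str) -> dict:
    """Report which of the three capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested |= {e.get(A + "name") for e in root.iter(tag)}
    # A notification listener is a <service> guarded by the bind permission
    # that also advertises the NotificationListenerService intent action.
    listeners = [
        svc.get(A + "name")
        for svc in root.iter("service")
        if svc.get(A + "permission") == LISTENER_BIND
        and LISTENER_ACTION in {a.get(A + "name") for a in svc.iter("action")}
    ]
    result = {
        "overlay": OVERLAY in requested,
        "ignore_battery_optimizations": BATTERY in requested,
        "notification_listener": bool(listeners),
    }
    result["all_three"] = all(result.values())
    result["listener_services"] = listeners
    return result

# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.streamingapp">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".NotifyService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""
```

Each of these permissions is also used by legitimate apps, so a match on all three is a reason to look closer at an app whose stated purpose does not need them, not a verdict.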

The threat is withdrawn

If these permissions are granted, the malware has everything it needs to start distributing its malicious payloads and responding to incoming WhatsApp messages with auto-generated responses. In theory, through these self-generated responses, a hacker can steal data, cause disruptions in work-related chat groups, and even extort money by sending sensitive data to all of the user’s contacts.

Check Point notified Google of the malicious app and the details of its investigation, and Google promptly removed the app from the Play Store. Even so, “in the course of 2 months, the ‘FlixOnline’ application was downloaded approximately 500 times”, which represents 500 potential victims.

According to CPR experts, “This malware for Android, which can be turned into a worm, presents innovative and dangerous new techniques to spread, and to manipulate or steal data from trusted applications such as WhatsApp.

For this reason, users should be wary of download links or attachments they receive through WhatsApp or other messaging applications, even when they appear to come from trusted messaging contacts or groups”.

