Fake Netflix app on Play Store caught hijacking WhatsApp sessions

Google has removed FlixOnline, a fake Netflix app for deploying wormable malware targeting WhatsApp users to spread itself.

The primary aim behind the new malware campaign detected by Check Point Research (CPR) is to hijack Whatsapp chat sessions. In a rather innovative technique, the attackers use a new Android malware variant delivered to mobile phones through a fake Netflix app, which was available on Google Play Store.

The app lured users by promising free Netflix Premium subscriptions. However, the app deploys wormable mobile malware.

SEE: Play Store malware disables Play Protect to evade detection

The app called FlixOnline was on Google Play Store for about two months and was downloaded nearly 500 times before Google officially removed it. Researchers claim that the app focuses on targeting the Whatsapp application.

Malware Capabilities

Research revealed that the malware can capture WhatsApp notifications and take several predefined actions, such as Dismiss or Reply through the Notification Manager.

After FlixOnline gets installed on a device, it asks for overlay permissions, which is a common trick to steal service credentials. It also asks for Battery Optimization Ignore, which prevents a device from auto shut off software to save power.

Additionally, the app asks for notification permissions to access WhatsApp-related communications. According to researchers, it lures users by offering a free Netflix premium subscription for two months with this message.

“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https:// bit[.]ly/***mzUw.”

When the unsuspecting user visits this link, which appears to be a fake Netflix website, it asks for their Netflix credentials and payment data such as credit card number. The information is then transmitted to a Command and Control server.

Fake Netflix app on Play Store caught hijacking WhatsApp sessions

On the left fake Netflix app while on right the fake app asks for permission from its victims. (Image credit: Checkpoint)

Google’s Shortcomings Exposed

It is concerning that the malware was able to bypass Google Play Store’sStore’s app authentication system. Moreover, this campaign has exposed the various inherent limitations in Google Play Store’s built-in protection measures.

Google’s inability to detect the malware in the Netflix app is an issue of concern for the tech community because this campaign could be successful only due to Play Store’s failure to detect malware since there wasn’t any vulnerability detected in WhatsApp.

Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter.


Source: HackRead

Leave a Reply