“2 free months of Netflix premium”, the dangerous malware that travels on WhatsApp


Discovered by Check Point Research. The malicious software promised access to the streaming platform; in reality it monitored users’ WhatsApp notifications.

New malware on the Google Play Store has spread through WhatsApp. The discovery was made, once again, by Check Point Research (CPR), which explained how the malware, disguised as the Netflix app, responds to incoming messages on behalf of users with a link to the offer “2 free months of Netflix Premium anywhere in the world for 60 days”. If successful, the malware can then perform a variety of malicious activities, including the theft of data and credentials.

The malware that promised 60 days of Netflix for free

The malware was designed to be “wormable” – that is, to spread from one Android device to another once the link is clicked, downloading additional malware and thus setting off a worrying chain reaction. It could then perform a variety of malicious activities, such as spreading additional malware through malicious links, stealing WhatsApp account data and credentials, or sharing fake or dangerous messages with WhatsApp contacts and groups. Here is how it works:

  • the victim installs the malware from the Google Play Store, believing they are downloading Netflix
  • the malware begins to “listen” for new WhatsApp notifications
  • it then replies to every WhatsApp message the victim receives with a preset reply
  • this “fake Netflix” app steals the victim’s credentials and credit card information

CPR found the hidden malware in an application on Google Play called “FlixOnline”. The app turned out to be a bogus service that promised users the ability to watch Netflix content from around the world on their phones. Instead, the app was designed to monitor the user’s WhatsApp notifications and send automatic replies to incoming messages, using content it received from a remote server.
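The article does not say which Android mechanism FlixOnline used to read WhatsApp notifications, so the following is an added illustration, not Check Point’s analysis or code. It assumes the general Android rule that an app which wants to read other apps’ notifications must declare a service protected by the `BIND_NOTIFICATION_LISTENER_SERVICE` permission (a “notification listener”), and shows a triage check an analyst or mobile-device-management policy could run over an app’s manifest to list such services for review. The manifest below is a constructed sample, not FlixOnline’s real manifest.

```python
"""Triage check: which components in an Android manifest can read notifications?

Added example for the article above (not Check Point's code). Apps that
monitor other apps' notifications, the way the article says FlixOnline
monitored WhatsApp, must declare a NotificationListenerService protected
by BIND_NOTIFICATION_LISTENER_SERVICE; this lists those services so they
can be reviewed. SAMPLE_MANIFEST is constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LISTENER_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"

# Constructed sample manifest: a hypothetical app with one notification
# listener service and one ordinary background service.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.streamingclone">
  <application android:label="Streaming Clone">
    <activity android:name=".MainActivity"/>
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def find_notification_listeners(manifest_xml: str) -> list:
    """Return the android:name of every <service> that can read notifications.

    A service counts if it is protected by the listener bind permission or
    registers the NotificationListenerService intent action.
    """
    root = ET.fromstring(manifest_xml)
    perm_attr = f"{{{ANDROID_NS}}}permission"
    name_attr = f"{{{ANDROID_NS}}}name"
    hits = []
    for service in root.iter("service"):
        has_permission = service.get(perm_attr) == LISTENER_PERMISSION
        actions = [a.get(name_attr) for a in service.iter("action")]
        if has_permission or LISTENER_ACTION in actions:
            hits.append(service.get(name_attr))
    return hits


def package_name(manifest_xml: str) -> str:
    """Return the package attribute of the <manifest> root element."""
    return ET.fromstring(manifest_xml).get("package", "")


if __name__ == "__main__":
    pkg = package_name(SAMPLE_MANIFEST)
    listeners = find_notification_listeners(SAMPLE_MANIFEST)
    if listeners:
        print(f"{pkg}: notification listener service(s) declared: {listeners}")
    else:
        print(f"{pkg}: no notification listener services declared")
```

Declaring a listener service is legitimate for some apps (wearable companions, accessibility tools), so a hit is a prompt for review rather than a verdict; the useful signal is a listener declared by an app whose stated purpose, such as a video-streaming client, gives it no reason to read other apps’ messages.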

Malicious software removed by Google

CPR, as usual, reported its findings to Google. The malicious app was subsequently removed, but over the course of two months the “FlixOnline” app was downloaded about 500 times, probably setting off a dangerous chain reaction.