A virus that simulates the Netflix app on Android

As the landscape of cyber attacks on mobile devices evolves, cybercriminals are always looking to develop new techniques to successfully transform and distribute malicious programs. This time it has not detected the malware Google Play or anything related to the company of Mountain view. The person in charge on this occasion has been Check Point Research researchers, a global cybersecurity specialist provider, who has tracked down this malicious virus and focused on releasing it as soon as possible to reduce the impact.

What is this virus in the FlixOnline app?

It is a new malicious threat in Google Play Store that spread through WhatsApp messages. The malware was designed with the ability to automatically reply to incoming messages with messages from a remote server on behalf of its victims. Interestingly, the malicious software was found hidden in a rogue application of «Netflix» in the Play Store called FlixOnline, which promised «unlimited entertainment» from any part of the world.

By responding to incoming WhatsApp messages with a payload from a command and control server, this method could allow cybercriminals to distribute attacks from phishing, one of the most dangerous and used cyber scam methods today.

They serve to spread additional malware and spread false information or steal credentials and bank details, as well as having access to user conversations. They can also spread false or malicious messages to users’ WhatsApp contacts and groups (for example, work-related groups). All this with just one click.

How the fake »Netflix» malware works

When the application is downloaded from the Play Store and installed, it requests ‘Overlay’ permissions, to ‘Ignore Battery Optimization’ and ‘Notification’. The purpose behind obtaining such permits is:

1. Overlay allows a malicious application to create new windows on top of other applications. It is often requested by malicious software to create a fake “Login” screen for other applications, in order to steal the victim’s credentials.
2. Ignoring battery optimizations prevents malware from being shut down by its own routine, even after being idle for an extended period.
3. The most prominent permission is access to notifications, more specifically, to the service Notification Listener. Once enabled, this permission gives the malware access to all notifications related to messages sent to the device, and the ability to automatically perform designated actions such as “discard” and “reply” to them.

If these permissions are granted, the malware has everything it needs to start distributing its malicious payloads and emitting auto-generated responses to incoming WhatsApp messages, through which it is possible to steal data, disrupt chat groups, and even extort money. sending sensitive data to any contact on the agenda. It must be said that the app is no longer available on Google Play, which is a relief for new downloads.