Android malware disguised as Netflix spotted on Google Play Store

FlixOnline, an app that was available on the Google Play Store, has been discovered to be malware that targets the WhatsApp messaging application. The malware, disguised as an app that gives a free Netflix subscription, can send automatic replies to WhatsApp messages, putting other users in danger of phishing and other types of attacks.

 

The FlixOnline app was available on the Google Play Store for some time

Researchers at Check Point Research (CPR) discovered a new malware threat that infects users’ Android devices via an app available on Google’s Play Store. The malware was hidden in FlixOnline, an app that will supposedly give users access to Netflix and its content for free. Once a user downloads the malware onto their device, it essentially spies on WhatsApp conversations and sends a malspam message to all contacts via the messaging app.

“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days,” is the message sent to all WhatsApp contacts of the infected user, proceeded with a link. Clicking on the link would lead a user to a fake Netflix website where they would be asked to provide their payment card information. Users, thinking they would get 2 months of free Netflix would provide their details, which then would be sent to the cybercriminals operating this malware. The message sent to users may be different in some cases, as it depends on what content the malware receives from a remote command and control (C&C) server.

According to Check Point researchers, by utilizing this technique malicious actors may be able to perform a wide range of malicious activities, including further malware distribution via malicious links, theft of data from WhatsApp accounts, spam to infected users’ WhatsApp contacts, extortion by threatening to send stolen WhatsApp data and conversations to contacts.

FlixOnline requests various permissions upon installation

Check Point’s technical analysis reveals that the malware, once installed, will request “Overlay”, “Battery Optimization Ignore” and “Notifications” permissions. The “Overlay” permission would allow the malware to display a fake login window when users access apps, with the intention of stealing login credentials. “Battery Optimization Ignore” permission would prevent the malware from being shut down by the device’s battery optimization routine. And the “Notifications” permission would allow the malware access to all message-related notifications and permit it to dismiss or reply to the received messages. Once fully initiated, the malware then hides its icon to prevent easy removal. From then on, it will intercept any WhatsApp messages an infected device receives and automatically reply to them with a malicious message, such as the one mentioned above.

Check Point Research notified Google of their findings, and the app has since been removed from the Google Play Store. FlixOnline is believed to have been downloaded by around 500 users before it was removed.

This is not the first time malware was able to bypass Google’s security measures for the Play Store, and it won’t be the last. Nonetheless, the Play Store is still the safest source to download apps from. Third-party app stores will not have better security measures than Google, so the chances of encountering a malicious app are many times higher on third-party app stores. But because malicious apps can sometimes bypass Google’s security, it’s important to not blindly download apps.

First of all, when an app sounds too good to be true, it is. FlixOnline claimed to give users access to Netflix, a paid subscription service, for free. A classic example of too good to be true. Users should also always carefully check the developer. Lastly, users should be very suspicious when an app requests permissions that it should not need to work. It’s possible to review the permissions it will request before downloading an app, and that’s one of the things users should pay close attention to.