Fake Netflix app hijacked WhatsApp messages to spread malware on Android phones


© Provided by The Independent

A fraudulent Netflix app which took control of users’ WhatsApp accounts has been spreading on Google’s Play Store.

The “FlixOnline” app claimed that it would let users access Netflix content from multiple regions on their phones.

Instead, it monitored the user’s WhatsApp notifications and automatically replied to incoming messages with a message telling the sender to sign up for FlixOnline.

“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE,” the message read, as discovered by Check Point Research (CPR).

Once a user had the app installed on their device, it could spread its malware further, steal data from WhatsApp and extort users by threatening to send sensitive data to all their contacts.

When the app was installed, users were asked to grant three permissions: screen overlay, an exemption from battery optimisation, and notification access. These allowed it to create a fake “login” screen to steal credentials and to reply to all incoming messages.


“After the permissions are granted, the malware displays a landing page it receives from the C&C [command and control] server and immediately hides its icon so the malware can’t be easily removed. This is done by a service that periodically contacts the C&C and updates the malware’s configuration accordingly,” Check Point Research explains.

A command and control server is a computer that issues directives to other devices which have been infected with malware.

“The service can achieve these goals by using multiple methods. For instance, the service can be triggered by the installation of the application and by an Alarm registered in the BOOT_COMPLETED action, which is called after the device has completed the boot process,” the researchers continue.

“The malware’s technique is new and innovative, aiming to hijack users’ WhatsApp account by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager,” Aviran Hazum,…
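The combination the article describes, an app holding notification-listener access while also requesting the overlay and battery-optimisation-exemption permissions and registering a BOOT_COMPLETED receiver, is something a defender can look for on a handset. The script below is an added example, not code from the article or from Check Point Research: it parses the value of the `enabled_notification_listeners` secure setting and simplified `dumpsys package` output (both embedded here as constructed samples; the package name `com.example.flix` and the class names are hypothetical placeholders, not indicators from the article) and reports any non-allowlisted listener that also shows the other traits.

```python
"""Triage Android packages for the permission pattern described in the article.

Assumptions: the listener string has the shape produced by
`adb shell settings get secure enabled_notification_listeners`
(colon-separated package/class components), and the dumpsys text is a
simplified excerpt of `adb shell dumpsys package <pkg>`. Package and class
names below are constructed placeholders, not real indicators.
"""
import re

# Constructed sample: two apps hold notification-listener access.
SAMPLE_LISTENERS = (
    "com.google.android.apps.messaging/.NotificationListener:"
    "com.example.flix/.NotifyService"
)

# Constructed, simplified dumpsys excerpts keyed by package name.
SAMPLE_DUMPSYS = {
    "com.google.android.apps.messaging": """
Package [com.google.android.apps.messaging]:
  requested permissions:
    android.permission.INTERNET
    android.permission.RECEIVE_SMS
""",
    "com.example.flix": """
Package [com.example.flix]:
  requested permissions:
    android.permission.INTERNET
    android.permission.SYSTEM_ALERT_WINDOW
    android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
    android.permission.RECEIVE_BOOT_COMPLETED
  Receiver Resolver Table:
    Non-Data Actions:
      android.intent.action.BOOT_COMPLETED:
        com.example.flix/.BootReceiver
""",
}

# Packages the operator has vetted for notification access (assumption).
ALLOWLIST = {"com.google.android.apps.messaging"}

OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
BATTERY_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
PERM_LINE = re.compile(r"^\s+(android\.permission\.[A-Z0-9_]+)\s*$")


def parse_enabled_listeners(value):
    """Return the package names that hold notification-listener access."""
    pkgs = []
    for component in value.strip().split(":"):
        if component:
            pkgs.append(component.split("/", 1)[0])
    return pkgs


def parse_requested_permissions(dumpsys_text):
    """Collect permission names listed under 'requested permissions:'."""
    perms = set()
    in_section = False
    for line in dumpsys_text.splitlines():
        if line.strip() == "requested permissions:":
            in_section = True
            continue
        if in_section:
            m = PERM_LINE.match(line)
            if m:
                perms.add(m.group(1))
            else:
                in_section = False  # next dumpsys section has started
    return perms


def has_boot_receiver(dumpsys_text):
    """True if the package registers a receiver for BOOT_COMPLETED."""
    return "android.intent.action.BOOT_COMPLETED:" in dumpsys_text


def triage(listeners_value, dumpsys_by_pkg, allowlist):
    """Map each non-allowlisted listener package to the traits it shows."""
    findings = {}
    for pkg in parse_enabled_listeners(listeners_value):
        if pkg in allowlist:
            continue
        text = dumpsys_by_pkg.get(pkg, "")
        perms = parse_requested_permissions(text)
        findings[pkg] = {
            "overlay": OVERLAY_PERM in perms,
            "ignore_battery": BATTERY_PERM in perms,
            "boot_receiver": has_boot_receiver(text),
        }
    return findings


def matches_pattern(traits):
    """All of the article's traits present together: worth a manual look."""
    return traits["overlay"] and traits["ignore_battery"] and traits["boot_receiver"]


if __name__ == "__main__":
    for pkg, traits in triage(SAMPLE_LISTENERS, SAMPLE_DUMPSYS, ALLOWLIST).items():
        level = "REVIEW" if matches_pattern(traits) else "info"
        print(f"[{level}] {pkg}: listener access + {traits}")
```

Notification-listener access alone is legitimate for many apps, which is why the script keys off the full set of traits rather than any single permission; on a real device the two `adb` commands named in the docstring supply the inputs, and the allowlist should be built from the apps the user actually expects to read their notifications.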