Cybersecurity researchers have discovered yet another piece of wormable Android malware—but this time downloadable directly from the official Google Play Store—that’s capable of propagating via WhatsApp messages.
Disguised as a rogue Netflix app under the name of “FlixOnline,” the malware comes with features that allow it to automatically reply to a victim’s incoming WhatsApp messages with a payload received from a command-and-control (C&C) server.
“The application is actually designed to monitor the user’s WhatsApp notifications, and to send automatic replies to the user’s incoming messages using content that it receives from a remote C&C server,” Check Point researchers said in an analysis published today.
Besides masquerading as a Netflix app, the malicious “FlixOnline” app also requests intrusive permissions that allow it to create fake login screens for other apps, with the goal of stealing credentials, and to gain access to all notifications received on the device, which it uses to hide WhatsApp notifications from the user and automatically reply with a specially crafted payload received from the C&C server.
“The malware’s technique is fairly new and innovative,” said Aviran Hazum, manager of mobile intelligence at Check Point. “The technique here is to hijack the connection to WhatsApp by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager.”