A new Android malware has been spotted on the Google Play Store which could give attackers access to a user’s entire smartphone. Alarmingly, one of the key traits of the malware was to gain access to a user’s WhatsApp chats and spread itself by auto-responding to incoming WhatsApp messages with further malware payloads. The tool was being distributed through a rip-off version of Netflix, which claimed to offer two months of “premium” Netflix access for free. After the tool was reported, Google removed the fraudulent ‘FlixOnline’ app from the Play Store – by which time it had already been downloaded over 500 times.
While 500 downloads is not a large figure on its own, what is critical to note is that the malware is wormable: each infected device becomes a source of new infections, so it could spread exponentially across devices. Once the FlixOnline app was installed on a device, it asked users to allow it to overlay, or draw itself on top of, other apps and notifications. This allowed it to display fraudulent login screens, which would then steal sensitive login credentials from the user. It also asked users to allow the app to ignore battery optimisations, which prevented it from being shut down by Android’s battery and memory optimisation service.
Finally, the app requested permission to read notifications, which allowed it to reply to any messaging service and auto-reply to incoming messages in order to spread itself to other devices. Together, these permissions allowed the Android malware to essentially take over entire devices and communicate with a server through its installed backdoor to execute whatever tasks the attackers deemed fit. This includes stealing sensitive personal messages to hold users to ransom, stealing login credentials for banking services, and other such critical data.
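The three capabilities described above (draw-over-apps overlay, battery-optimisation exemption, and notification access used to read and auto-reply) each correspond to a declaration in an Android app’s manifest, so a defender triaging APKs can flag that combination before installation. The following script is an added example, not code from Check Point, Google, or the malware’s authors; the two manifests it checks are constructed samples, and the package name `com.example.fakeflix` and service name `.NotifService` are placeholders. The permission and action identifiers it matches on are the real Android ones.

```python
"""Triage an AndroidManifest.xml for the capability profile described in the
FlixOnline report: overlay, battery-optimisation exemption, notification
listener. Example code written for this article, not a vendor tool."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android identifiers for the three capabilities the article describes.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
BATTERY_PERM = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"


def extract_capabilities(manifest_xml: str) -> set:
    """Return the subset of {'overlay', 'ignore_battery', 'notification_listener'}
    that the manifest declares."""
    root = ET.fromstring(manifest_xml)
    caps = set()
    for up in root.iter("uses-permission"):
        name = up.get(NAME)
        if name == OVERLAY_PERM:
            caps.add("overlay")
        elif name == BATTERY_PERM:
            caps.add("ignore_battery")
    for svc in root.iter("service"):
        # A notification listener is a service bound with LISTENER_PERM and/or
        # registered for the NotificationListenerService intent action.
        actions = {a.get(NAME) for a in svc.iter("action")}
        if svc.get(PERMISSION) == LISTENER_PERM or LISTENER_ACTION in actions:
            caps.add("notification_listener")
    return caps


def triage(manifest_xml: str) -> dict:
    """Report the declared capabilities and whether all three are present.
    A listener alone is normal for watch companions, an overlay alone for chat
    heads; the full combination is the profile worth a manual look."""
    caps = extract_capabilities(manifest_xml)
    profile = {"overlay", "ignore_battery", "notification_listener"}
    return {"capabilities": sorted(caps), "matches_profile": caps == profile}


# Constructed sample: a fake streaming app declaring the full profile.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeflix">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Free Premium Streaming">
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: an ordinary network-only app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain App"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(xml))
```

In practice the manifest is obtained by decoding the APK first (for example with `apktool` or `aapt dump xmltree`), since the packaged manifest is in binary XML rather than the text form parsed here.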
As the research blog by Check Point stated, “This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more.” The app through which the malware payload was being spread has now been removed, but it remains to be seen whether the tool returns through some other vehicle at some point in the future.