Google has removed from the Play Store a fake Netflix app that spread malware through WhatsApp. The app automatically replied to incoming WhatsApp messages, sending contacts weaponized links.
The security firm Check Point Research recently found an app called FlixOnline. The app looked like Netflix and promised to deliver a two-month subscription through WhatsApp messages. The link in the messages sent users to a website designed to capture their credit card information and other details.
FlixOnline asked for three permissions when downloaded – screen overlay, notifications, and battery optimization ignore. Screen overlay requests are commonly used by malware to create fake login screens and capture user credentials by placing different windows over existing apps.
The app then “listened” for WhatsApp notifications and automatically responded to them with a message that read something like this:
“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw”.
The link, when accessed, took users to a phishing page designed to steal their information.
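A defender-side triage check for the permission combination described above, as an added example that is not from Check Point or the original article: it parses a decoded AndroidManifest.xml and flags apps that request screen overlay, battery optimization exemption, and notification access together. The mapping of the article's three permissions to these Android constants is an assumption, and both manifests and their package names are constructed samples.

```python
import xml.etree.ElementTree as ET

# Attribute prefix for android:* attributes in a decoded manifest.
A = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of the article's three permissions to Android constants.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
BATTERY = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"
TRIAD = {"screen overlay", "notification access", "battery optimization ignore"}

def risky_capabilities(manifest_xml):
    """Return which of the three capabilities a manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    found = set()
    if OVERLAY in requested:
        found.add("screen overlay")
    if BATTERY in requested:
        found.add("battery optimization ignore")
    # Notification access is declared on a service, not via uses-permission.
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if svc.get(A + "permission") == LISTENER_PERM and LISTENER_ACTION in actions:
            found.add("notification access")
    return found

def needs_review(manifest_xml):
    """True when all three capabilities appear together."""
    return risky_capabilities(manifest_xml) == TRIAD

# Constructed sample manifests (package names are hypothetical).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
LISTENER = ('<application><service android:name=".Listener" android:permission="%s">'
            '<intent-filter><action android:name="%s"/></intent-filter>'
            '</service></application>' % (LISTENER_PERM, LISTENER_ACTION))
SUSPECT = (HEAD % "com.example.freestream"
           + '<uses-permission android:name="%s"/>' % OVERLAY
           + '<uses-permission android:name="%s"/>' % BATTERY
           + LISTENER + "</manifest>")
BENIGN = HEAD % "com.example.smartwatch" + LISTENER + "</manifest>"

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, sorted(risky_capabilities(xml)), needs_review(xml))
```

Each capability has legitimate uses on its own, so the check flags only the full combination for manual review.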
Aviran Hazum, the Manager of Mobile Intelligence with Check Point Software, said that this was a novel way of spreading malware. Hazum warned that the malware could return hidden inside a different app and urged users to keep an eye out.
Hazum also noted the incident was a sign of the limitations of the built-in protections of the Google Play Store. The store didn’t detect the malware, and there could be other malware on the store. Another notable tidbit from this story is that WhatsApp had no protections in place to prevent this from happening.
FlixOnline stayed on the store for two months and had roughly 500 installs before being removed.