If you were designing Android malware to ensnare as many people as possible by mimicking one of the most popular smartphone apps in existence, you could probably do worse than borrowing the branding of the Netflix app.
That’s what the makers of a newly discovered Android malware app called FlixOnline decided to do. Found by a team at Check Point Research, the app was lurking in the Google Play Store, used Netflix imagery to draw people in, and promised to let users view Netflix content from all around the world on their smartphones. Instead, according to a summary of the Check Point Research findings published on Wednesday, if a user downloaded the application and “unwittingly” granted it the appropriate permissions, “the malware is capable of automatically replying to victims’ incoming WhatsApp messages with a payload received from a command-and-control (C&C) server. This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more.”
Apparently, this malware would also attempt to replicate itself by sending out messages to the victim’s WhatsApp contacts that looked absolutely nothing like what a normal person would text their friends. That message reads — “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE.”
If you clicked the link at the end of that sentence, which I’ve not included above for obvious reasons, the Check Point team says that the attackers behind this could have:
- Spread further malware via malicious links;
- Stolen data from users’ WhatsApp accounts;
- Spread fake or malicious messages to users’ WhatsApp contacts and groups, like work-related groups;
- Or extorted users by threatening to send sensitive WhatsApp data or conversations to all of their contacts.
Not many people seem to have fallen for this app scam before Google took it offline. Over the course of 2 months, while the FlixOnline app was available in the Google Play Store, it was downloaded about 500 times before Google removed it upon being notified by Check Point Research. Just because Google removed it from its own app store, however, doesn’t mean users are automatically in the clear — they’ll also need to delete it from their own device if they happen to be one of those 500.