A new wormable Android malware spreads by auto-replying to WhatsApp messages

Overview

Check Point Research (CPR) recently discovered malware on Google Play hidden in a fake application that is capable of spreading itself through the victim's WhatsApp messages. If the user installs the fake application and grants the permissions it requests, the malware becomes operational: it automatically replies to incoming WhatsApp messages with a payload linking to the same infected application.

General

Researchers found the malware hidden within an app on Google Play called ‘FlixOnline’. The app claims to let users access Netflix and Amazon Prime content and watch all movies and series for free. A similar apk named “LiveStream” makes the same offer and performs the same actions, i.e. auto-replying to WhatsApp messages with a payload.

FlixOnline App on Play Store

The message auto-generated by the apk reads: “Live Stream App Watch All Movie, Series,Season In Ultra HD Quality On Your Mobile, Live IPL Cricket Matches and Much More. Now you dont need to pay netflix, Amazon Prime Just Download this Free Live Streaming App and enjoy. http://profilelist.xyz/?livestream”

By employing this technique, an attacker could perform a wide range of malicious activities, such as:

  • Spreading further malware via malicious links.
  • Stealing data from users’ WhatsApp accounts and other accounts on the device.
  • Extorting users by threatening to leak sensitive WhatsApp data, or other blackmail strategies.
  • Spreading fake or malicious messages to users’ WhatsApp contacts and groups.

When the application is downloaded from the Play Store and installed, the malware starts a service that requests the ‘Overlay’, ‘Battery Optimization Ignore’, and ‘Notification’ permissions. The purpose of each permission is:

  • Overlay allows a malicious application to draw new windows on top of other applications. Malware usually requests this to create a fake “Login” screen over other apps, with the aim of stealing the victim’s credentials.
  • Ignore Battery Optimizations stops the malware from being shut down by the device’s battery optimization routine, even after it has been idle for an extended period.
  • The most prominent permission is Notification access, more specifically the Notification Listener service. Once enabled, it gives the malware access to all notifications for messages sent to the device, and the ability to automatically perform designated actions such as “dismiss” and “reply” on messages received on the device.

FlixOnline app asking for permissions
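The three permissions above are each ordinary on their own, but one app holding all three is the combination the post describes. The following triage helper is an added example (not code from the post or from Check Point Research): it parses the text of three adb queries and flags packages that have notification listener access, a user-added battery optimization exemption, and overlay permission at once. The sample outputs and package names are constructed, not captured from FlixOnline or LiveStream; the command formats are assumed from these adb commands: `settings get secure enabled_notification_listeners`, `dumpsys deviceidle whitelist`, and `appops get <package> SYSTEM_ALERT_WINDOW`.

```python
import re

# Constructed sample outputs (not real captures), in the format the adb commands print.
SAMPLE_LISTENERS = (
    "com.legit.messenger/com.legit.messenger.NotifService:"
    "com.example.streamapp/com.example.streamapp.NlService"
)
SAMPLE_WHITELIST = """\
system,com.google.android.gms,10012
user,com.example.streamapp,10231
user,com.legit.messenger,10118
"""
SAMPLE_APPOPS = {  # output of `appops get <pkg> SYSTEM_ALERT_WINDOW`, one per package
    "com.example.streamapp": "SYSTEM_ALERT_WINDOW: allow; time=+3h12m0s ago",
    "com.legit.messenger": "No operations.",
}

def parse_listeners(text):
    """'pkg/Class:pkg2/Class2' (or 'null' when none) -> set of package names."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/")[0] for entry in text.split(":") if entry}

def parse_whitelist(text):
    """Lines of '<system|user>,<pkg>,<uid>'; only user-added exemptions are of interest."""
    pkgs = set()
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] == "user":
            pkgs.add(parts[1])
    return pkgs

def has_overlay(appops_text):
    """True when the SYSTEM_ALERT_WINDOW op is reported as allowed."""
    return re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_text) is not None

def triage(listeners, whitelist, appops):
    """Map every package with notification access to the list of flags it holds."""
    report = {}
    for pkg in sorted(listeners):
        flags = ["notification_listener"]
        if pkg in whitelist:
            flags.append("battery_optimization_exempt")
        if has_overlay(appops.get(pkg, "")):
            flags.append("overlay")
        report[pkg] = flags
    return report

def suspicious(report):
    """Packages holding all three permissions, i.e. the pattern described above."""
    return sorted(pkg for pkg, flags in report.items() if len(flags) == 3)

if __name__ == "__main__":
    r = triage(parse_listeners(SAMPLE_LISTENERS), parse_whitelist(SAMPLE_WHITELIST), SAMPLE_APPOPS)
    for pkg, flags in r.items():
        print(pkg, "->", ", ".join(flags))
    print("review:", suspicious(r))
```

On a real device, feed the helper the output of the three adb commands for each package that appears in the listener list; a package you do not recognise with all three flags is worth reviewing.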

Check Point Research responsibly notified Google about the malicious application and the details of its research, and Google quickly removed the application from the Play Store. Though the FlixOnline app has been removed from the Play Store, the LiveStream apk is still in action. I personally witnessed two similar cases today.

Payload forwarded by the LiveStream app

Conclusion

If you have mistakenly installed the application, uninstall it immediately and factory reset your device.

Further protection from such threats:

  • Install applications only from official app stores.
  • Do not click on links forwarded on social media, such as offers of gift vouchers, “friendship tester” quizzes, etc.
  • Never grant an app permissions it does not need. For example, applications such as Google Meet and Zoom require camera access, so granting camera access to them is reasonable.
  • Do not fall into such traps by visiting malicious websites and installing malicious apks.

Stay Safe, Stay Protected.

By Alfiya Shaikh

CyberSecurity enthusiast, learner.