A new wormable Android Malware Spreads by auto-replying to WhatsApp messages

Alfiya Shaikh
3 min read · Apr 17, 2021

Overview

Check Point Research (CPR) recently discovered malware on Google Play hidden in a fake application that can be spread via users’ WhatsApp messages. Once the user downloads the fake application and grants it the proper permissions, the malware becomes operational. It automatically replies to the user’s WhatsApp message with a payload to download the same infected application.

General

Researchers have found malware hidden in an app on Google Play called ‘FlixOnline’. The app claims that users can access Netflix and Amazon Prime content for free, as well as watch all movies and series. Similarly, we found an APK called “LiveStream” that offers the same and also performs similar actions such as Automatic replies to WhatsApp messages with payloads.

FlixOnline App on Play Store

The APK generates the following message automatically and sends it as the reply: ‘Live Stream App Watch all Movies, Series, Seasons, Live IPL Cricket Matches, and more in Ultra HD quality on mobile. No more paying for Netflix, or Amazon Prime. Download and enjoy this free live streaming app http://profilelist.xyz/?livestream’

Intruders can use this technique to perform a variety of malicious activities, for example:

  • spreading more malware through malicious links;
  • stealing data from WhatsApp accounts and other user accounts;
  • threatening to leak sensitive WhatsApp data, or using other blackmail tactics against users.

After downloading and installing the application from the Play Store, the malware starts a service that requests “Overlay”, “Ignore Battery Optimization” and “Notification” permissions.

Each of these permissions serves a purpose for the malware:

Overlays allow malicious applications to create new windows on top of other applications. This is commonly requested by malware to create fake “login screens” for other apps with the goal of stealing the victim’s credentials.

Ignore Battery Optimization prevents malware from being shut down by the device’s battery optimization routines even if the device has not been used for a long time.

The best-known permission is Notification Access, more specifically the Notification Listener Service. Granting it allows the malware to read every message notification that arrives on the device and to trigger the actions those notifications expose, such as ‘close’ or ‘reply’, which is how it answers incoming WhatsApp messages automatically.

FlixOnline app asking for permissions
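The three permissions above are exactly what a defender should audit for on a device. The script below is an added example (not the article's or Check Point's code): it runs over a USB-connected Android device via adb and lists which packages hold Notification Listener access, sit on the battery-optimization (Doze) whitelist, or have the overlay app-op; the allowlist prefixes and the package names in the comments are assumptions.

```shell
#!/bin/sh
# Audit which packages hold the capabilities FlixOnline asks for.
# The parsing functions take raw adb output as a string, so they can also be
# run against captured text without a device.

# Split the colon-separated 'enabled_notification_listeners' secure setting
# (component names like pkg/pkg.ListenerService) into one package per line.
# 'settings get' prints "null" when no listener is enabled.
notification_listener_packages() {
    [ "$1" = "null" ] && return 0
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1
}

# Extract user-added entries from 'dumpsys deviceidle whitelist' output.
# Lines look like "user,com.example.app,10123" or "system,com.android.x,1001".
user_doze_whitelist_packages() {
    printf '%s\n' "$1" | awk -F, '$1 == "user" { print $2 }'
}

# Succeeds (exit 0) when a listener package is outside the allowlist.
# The prefixes are an assumption for illustration; adapt them to your fleet.
is_unexpected_listener() {
    case "$1" in
        com.android.*|com.google.android.*) return 1 ;;
        *) return 0 ;;
    esac
}

# Live run against a connected device (requires adb and USB debugging).
audit_device() {
    listeners=$(adb shell settings get secure enabled_notification_listeners | tr -d '\r')
    notification_listener_packages "$listeners" | while read -r pkg; do
        if is_unexpected_listener "$pkg"; then
            echo "REVIEW: $pkg has Notification Listener access"
        fi
    done
    doze=$(adb shell dumpsys deviceidle whitelist | tr -d '\r')
    user_doze_whitelist_packages "$doze" | while read -r pkg; do
        echo "REVIEW: $pkg is exempt from battery optimization"
        # Overlay ("draw over other apps") state for the same package
        adb shell appops get "$pkg" SYSTEM_ALERT_WINDOW
    done
}
```

A third-party package appearing in both lists, with the overlay app-op allowed, matches the permission set described above and deserves a closer look.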

Check Point Research reported the malicious application and the details of its investigation to Google, which immediately removed the application from the Play Store. The FlixOnline app has been removed from the Play Store, but the LiveStream APK is still working. Today I personally witnessed two similar cases.

The payload forwarded by the LiveStream app looks like this:

Conclusion

If you accidentally installed the application, uninstall it immediately and factory reset your device.

Further Protection from such Threats:

  • Install applications only from official sources.
  • Do not click on links forwarded on social media, such as offers of gift vouchers, a “Friendship tester”, etc.
  • Never grant an app permissions it does not need. For example, applications such as Google Meet and Zoom require camera access, so granting them camera access is reasonable.
  • Never fall into such traps by visiting malicious websites and installing malicious APKs.

Stay Safe, Stay Protected.