A malware bug is masquerading as a Netflix app on the Google Play Store, according to investigators from cybersecurity firm Check Point Research. Once this faux Netflix app is installed, the malicious software wreaks havoc on users' WhatsApp messages.
Hold on to your hats — it gets worse. Once the malware slithers into your WhatsApp, it messages your contacts in order to steal their private data for nefarious purposes.
FlixOnline is not legit — it's a malware app disguising itself as Netflix
Check Point Research investigators discovered a malicious app on the Google Play Store called "FlixOnline," which uses Netflix's logo to lure users into downloading it. The deceptive app promises users unlimited entertainment from anywhere in the world, but behind all the smoke and mirrors lies a wormable bug.
"Wormable" means that this malicious bug is designed to hop from one device to another, spreading like wildfire throughout the Android ecosystem. How is this FlixOnline bug wormable? Well, once it is installed, the malware "listens" for new notifications from WhatsApp. It then responds to every WhatsApp message with a canned response crafted by malicious actors.
Here is the script that was sent to victims' contacts: “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE [link redacted].”
The message is meant to lure unsuspecting victims to click on the link, which would lead them to a fake Netflix phishing website. The purpose of this phony website is to bait victims into submitting their credentials and credit card information. The link also entices targets to download malicious software, which is why it's considered wormable — it could start a chain of malicious downloads from one Android user to another.
“The malware’s technique is fairly new and innovative. The technique here is to hijack the connection to WhatsApp by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager,” said Aviran Hazum, Manager of Mobile Intelligence at Check Point.
Hazum added that it was concerning that FlixOnline was able to bypass the Google Play Store's security verification process. Google Play Protect is Android's built-in anti-malware tool that is supposed to protect devices from installing malicious apps, but as TechRadar mentioned, it performed miserably during Android protection tests. TechRadar challenged Play Protect to detect a slew of malware, but it only detected 37% of them.
Thankfully, after Check Point Research disclosed its findings to Google, FlixOnline was taken down by the search-engine giant. However, Hazum warned that it's possible that this malware application could pop up with a different app name.
How to protect yourself from wormable bugs like the FlixOnline app
Hazum advises mobile users to be wary of download links and attachments that they receive from WhatsApp and other messaging apps — even when the messages supposedly come from trusted contacts. "If you think you’re a victim, I would immediately remove the application from my device, and proceed to change all my passwords," Hazum said.
Check Point Research recommends that users install a security solution on their devices, only download applications from official markets, and ensure apps and devices are up to date.
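Capturing and replying to another app's notifications, as described above, requires an app to hold Android's notification access, so one practical check is to list which apps on a device have it. The following is an added example, not code from Check Point or the original article; the package names and the allowlist are constructed, and the real input is the output of `adb shell settings get secure enabled_notification_listeners`.

```python
# Added example: audit which apps hold Android notification access.
# Real input: adb shell settings get secure enabled_notification_listeners
# The value is a colon-separated list of "package/class" component names.

# Constructed sample value; every package and class name here is made up.
SAMPLE = (
    "com.example.wearcompanion/com.example.wearcompanion.SyncListener:"
    "com.example.freestreaming/.ReplyService"
)

# Assumption: packages the device owner knowingly granted access to.
ALLOWED = {"com.example.wearcompanion"}


def parse_listeners(raw):
    """Return (package, full_class_name) pairs from the settings value."""
    raw = raw.strip()
    if raw in ("", "null"):  # `settings get` prints "null" when unset
        return []
    listeners = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, sep, cls = entry.partition("/")
        if not sep or not pkg or not cls:
            raise ValueError(f"malformed component name: {entry!r}")
        if cls.startswith("."):  # short form: class is relative to package
            cls = pkg + cls
        listeners.append((pkg, cls))
    return listeners


def unexpected_listeners(raw, allowed_packages):
    """Listeners whose package is not on the allowlist, for manual review."""
    return [(p, c) for p, c in parse_listeners(raw) if p not in allowed_packages]


if __name__ == "__main__":
    for pkg, cls in unexpected_listeners(SAMPLE, ALLOWED):
        print(f"review notification access: {pkg} ({cls})")
```

Any package this flags can be checked against what the user remembers installing and have its access revoked in the device's notification access settings.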