
How a fake Netflix app stole WhatsApp messages and spread malware

FlixOnline was a fake app that spread malware and fake messages to WhatsApp contacts and groups, and extorted Android users with the threat of publishing sensitive information.

Messaging is one of the things that makes your smartphone one of your most important – and private – possessions. If you doubt that, give your unlocked phone, complete with WhatsApp access, to a friend or family member and leave the room. Assuming you get that far, how long before you start feeling anxious? Now imagine giving it to someone on the other side of the planet whom you’ve never met.

That’s precisely what you’d have done if you’d installed FlixOnline, an app distributed via the Google Play store. The app offered two months’ free Netflix access. If that seems suspicious to you, your instincts would be right.

FlixOnline was a fake app harbouring malware. That didn’t stop 500 people from installing it in just two months, though. One of them could have been an employee of yours.

Fake app infected phone contacts to deliver viruses

In an analysis of FlixOnline, researchers at cybersecurity company Check Point found that it targeted WhatsApp to infect victims’ contacts. The Facebook-owned messaging app is widely used and trusted by millions of people around the world, making it an ideal delivery system for malware.

The malware takes control of the victim’s Android phone in several ways. First, it requests the user’s permission to access three services: overlay, battery optimisation, and notifications. Most users wouldn’t think twice when granting these, which is one of the biggest problems with smartphone security in general.

Overlay access enables the malware to display new windows on top of other applications, while battery optimisation access lets it keep running while idle. The really important service is notifications, which lets the malware listen to any notifications related to messages on the phone – including WhatsApp.
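A defender can check an app's manifest for the same three-capability combination. The sketch below is an added example, not code from Check Point or Traced; it assumes the manifest has already been decoded to text XML, and the package names and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
BATTERY = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

def audit_manifest(manifest_xml):
    """Return (package, sorted capabilities) for one decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested |= {el.get(ANDROID + "name") for el in root.iter(tag)}
    found = set()
    if OVERLAY in requested:
        found.add("overlay")
    if BATTERY in requested:
        found.add("battery_optimisation_exemption")
    # A notification listener is declared as a <service> guarded by the BIND
    # permission, not as a <uses-permission> entry, so it needs its own check.
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == LISTENER:
            found.add("notification_listener")
    return root.get("package"), sorted(found)

def flag_apps(manifests):
    """Return packages that declare all three capabilities at once."""
    flagged = []
    for xml_text in manifests:
        package, caps = audit_manifest(xml_text)
        if len(caps) == 3:
            flagged.append(package)
    return flagged

# Constructed sample manifests (not taken from any real app).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.freestreaming">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".Listener" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    print(flag_apps([SUSPICIOUS, BENIGN]))
```

A manifest declaration only shows what an app is able to ask for; the user still has to grant overlay and notification access, so a hit here is a reason to review the app rather than proof of abuse.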

If the malware notices a notification from WhatsApp, it reads the content of the message and then kills the notification so that the user doesn’t notice it. Then it sends back a reply supplied by the malware authors’ server.

Check Point’s researchers intercepted this message:

“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE ( URL redacted).”

What is it with online ne’er-do-wells and terrible grammar? In spite of the dodgy language and inappropriate capitalisation, it’s entirely possible that some less tech-savvy users might not smell a rat. Those without the necessary spidey-senses will follow the link and install the app, no doubt heartened by the fact that it’s listed in the official Google Play store.

The infection is only part of the payload, of course. Although the cyber criminals’ ultimate aim is still unclear, someone using malware to read your WhatsApp conversations effectively owns anything that’s said.

The researchers point out that the attackers could use a victim’s WhatsApp account to spread fake messages to their contacts, or even extort them by threatening to forward the content of sensitive conversations to all and sundry. At the very least, they could use the infected phones as platforms to spread other malware.

Businesses should care about employee mobile devices

This kind of thing should be a worry for employers, especially during and after the COVID-19 pandemic. Not only are more workers using their personal devices to access company data and services, but they’re also stuck at home with fewer entertainment options on their hands.

Many might be tempted by an offer of free online entertainment and take the bait. If this Netflix scam didn’t snag them, who’s to say that the next one won’t? And the fact it was on the Google Play store means that it bypassed conventional protections.

This is why Traced is such a valuable asset for companies seeking protection for employees. It goes a step further than other mobile security platforms by diving deep into smartphone app behaviour.

Our service watches for suspicious app activities and gives you a complete report. This includes permission abuse. Even if a user has granted permissions to an app, we will warn if it appears to be misusing them. We’re an extra layer of protection that will make your employees – and therefore your data – safer. That’s truly something to message home about.