Check Point Research (CPR) on Wednesday, 7 April, revealed that a fake service app on the Google Play Store named 'FlixOnline' distributed malware to smartphone users via malicious auto-replies to incoming WhatsApp messages, using payloads received from a remote command and control (C&C) server.
This app offers free Netflix services to users on their smartphones, while monitoring their WhatsApp notifications and sending automatic replies to incoming messages.
By replying to incoming WhatsApp messages, this method could enable a hacker to distribute phishing attacks, spread further malware or false information, or steal credentials and data from users' WhatsApp accounts and conversations, researchers warned.
They further said, "This 'wormable' Android malware features innovative and dangerous new techniques for spreading itself, and for manipulating or stealing data from trusted applications such as WhatsApp."
How it Works
After the 'FlixOnline' application is downloaded and installed from the Google Play Store, the malware starts a service that requests 'Overlay', 'Battery Optimisation Ignore', and 'Notification' permissions.
If the user grants these permissions, the malware then has everything it needs to start distributing its malicious payloads, and responding to incoming WhatsApp messages with auto-generated replies, reported IANS.
Google removed the app from the Play Store after it was informed about it.
"If a user was infected, they should remove the application from their device, and change their passwords," the researchers said.
(With inputs from IANS)