This Fake Netflix App Has A Malware With Innovative Approach, Research Found

Humans are curious creatures. And one malware is taking advantage of that fact.

When dealing with something unknown, people tend to be very careful. But when dealing with something familiar, awareness goes down. This is exactly what the 'FlixOnline' app took advantage of when it promised a free Netflix subscription through WhatsApp messages.

In a report, security firm Check Point Research found that the app not only assumed the look of Netflix to promise victims the ability to view Netflix content for free, but also spread malware via messages that direct victims to a phishing website, where the malware authors can steal sensitive information such as usernames, passwords and credit card details.

“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw,” the ad for the app said.

When victims fell for it and installed FlixOnline, the app would ask for, among others, the Overlay, Battery Optimization Ignore and Notifications permissions.

Using these three permissions, the app could create a 'fake login screen' to steal users' credentials, run in the background with less chance of being terminated, and peek into the notifications on the device in order to quietly reply to messages on WhatsApp.
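
A defensive triage sketch for the permission trio described above, added here as an example and not taken from Check Point's report or from the app itself: it reads a decoded AndroidManifest.xml and reports which of the three capabilities the app requests. The mapping of the article's permission names to Android manifest entries, the sample manifests and the package names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Assumed mapping of the article's permission names to manifest entries.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
BATTERY = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
NOTIF_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
TRIO = {"overlay", "battery_optimization_ignore", "notification_access"}

def audit_manifest(xml_text):
    """Return which of the three capabilities a decoded manifest requests."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    found = set()
    if OVERLAY in requested:
        found.add("overlay")
    if BATTERY in requested:
        found.add("battery_optimization_ignore")
    # Notification access is not a uses-permission entry: the app declares a
    # service guarded by the bind permission and the user enables it in Settings.
    if any(s.get(A + "permission") == NOTIF_BIND for s in root.iter("service")):
        found.add("notification_access")
    return found

def has_full_trio(xml_text):
    """True when overlay, battery exemption and notification access all appear."""
    return audit_manifest(xml_text) == TRIO

def _manifest(package, permissions, listener):
    """Build a constructed sample manifest (not taken from any real app)."""
    ns = 'xmlns:android="http://schemas.android.com/apk/res/android"'
    perms = "".join('<uses-permission android:name="%s"/>' % p for p in permissions)
    svc = ('<service android:name=".Listener" android:permission="%s"/>' % NOTIF_BIND
           if listener else "")
    return '<manifest %s package="%s">%s<application>%s</application></manifest>' % (
        ns, package, perms, svc)

# Constructed samples: a streaming lure asking for all three, and a benign
# notification-mirroring app that only needs notification access.
SUSPICIOUS = _manifest("com.example.freestream", [OVERLAY, BATTERY], True)
BENIGN = _manifest("com.example.notifymirror", ["android.permission.INTERNET"], True)

if __name__ == "__main__":
    for name, m in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, sorted(audit_manifest(m)), has_full_trio(m))
```

The trio is a triage signal rather than proof of malice, since each permission has legitimate uses; it is the combination in an app with no obvious need for it that warrants a closer look.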

According to Aviran Hazum, Manager of Mobile Intelligence at Check Point Software, this app uses a novel method for spreading malware.

"The malware’s technique is new and innovative, aiming to hijack users’ WhatsApp account by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager. The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags. Although we stopped one campaign using this malware, the malware may return hidden in a different app."

Check Point Research noted that "the malware is capable of automatically replying to victims’ incoming WhatsApp messages with a payload received from a command-and-control (C&C) server. This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users' WhatsApp accounts, and more."

For example, the malicious actors behind FlixOnline could spread more malware through malicious links, collect data from users' WhatsApp accounts, send fake and malicious information to a victim's WhatsApp contact list, extort money from victims by threatening them, and so forth.

The FlixOnline app was available on the Google Play Store for about two months and had nearly 500 installs before Google removed it.

The FlixOnline app asks users to grant it certain permissions. (Credit: Check Point Research)

Even though Google has removed FlixOnline, the app can still cause damage on phones where it was previously installed and never deleted. For WhatsApp users, the danger of installing FlixOnline is apparent. The damage can be more apparent for users of WhatsApp for business.

In order to stop this malware, users "should remove the application from their device, and change their passwords," said Check Point Research.

Netflix is one of the most popular apps worldwide, with hundreds of millions of subscribers around the world. By becoming paying subscribers, Netflix users are pampered with a large selection of movies, television shows and documentaries to stream on their devices.

It was 2010 when Netflix started streaming video to the Apple iPhone, with streaming to Android following the next year. Netflix is so popular that it makes sense that some bad actors use Netflix's brand to trick victims into installing their malware.

Hazum added that this incident also indicates the limitations of Google Play Store’s protections system.

It should be noted that apps and websites masquerading as popular brands are not a new trend. Piggybacking on popular brands has been one of the many ways malicious actors spread malware.

But this FlixOnline app has an approach that is considered novel.

Published: 07/04/2021