Researcher Found 'Wormable Android Malware' Spreading Through WhatsApp

WhatsApp and a worm

WhatsApp is having issue after issue, and things aren't looking good for the popular messaging app from Facebook.

After it announced a planned privacy policy change, a mass exodus began, with users moving away from WhatsApp to competitors.

WhatsApp tried to explain itself, but many people no longer much care.

And this time, researchers from ESET found Android malware that propagates itself through WhatsApp messages to the victim's contacts, in order to spread what appears to be an adware campaign.

"This malware spreads via victim's WhatsApp by automatically replying to any received WhatsApp message notification with a link to [a] malicious Huawei Mobile app," tweeted ESET researcher Lukas Stefanko.

When the link is clicked, it redirects victims to a fake Huawei Mobile app hosted on a lookalike Google Play Store website.

If the victim installs the malicious app, it starts by asking for notification access, which it then uses to carry out the wormable attack from the victim's phone.

What the malicious app does is abuse WhatsApp's quick reply, a feature users often use to respond to incoming messages directly from the notification shade. On Android, quick reply is exposed as a notification action that carries a text input, and an app holding notification access can read each incoming WhatsApp notification, fill in that input and fire the action itself. That is exactly what this app does with the permission it was granted: it automatically sends a reply to every received message.

Besides requesting permission to read notifications, the malicious app also requests intrusive access so it can keep running in the background, and, making things worse, it also asks for permission to draw over other apps.

What this means is that the app, running in the background, can detect when another app shows a form on screen and draw its own window on top of it on the victim's device, in order to steal credentials and other sensitive information.

According to Stefanko, the goal is to steal data and to trick users into falling for an adware or subscription scam.

"Currently, the app seems mainly to be used in an adware or subscription scam campaign, although it could be used to do worse," wrote ESET in a blog post.

When Stefanko found it, this fake Huawei Mobile app was only capable of sending automatic replies to WhatsApp contacts.

But because the app abuses the notification access permission it is granted, the developers behind it could extend its reach to any other app that supports Android's quick reply functionality, since the same notification listener sees those apps' notifications too.

It should be noted that the app sends an automatic reply only once per hour to the same contact.

The content of the message, and the link it carries, are fetched from a remote server. This raises the alarm, because it means the operators can change the lure at any time and suggests that they could be planning to distribute, or may already be distributing, the campaign across other websites or apps.

"I don't remember reading and analyzing any Android malware having such functionality to spread itself via WhatsApp messages," Stefanko said, adding that because it's a wormable malware, it has the ability to spread to other devices pretty quickly.

"I would say it could be via SMS, mail, social media, channels/chat groups etc," Stefanko said.

This again shows why users should stick to trusted sources when downloading third-party apps, verify that an app is indeed built by the genuine developer, and carefully scrutinize app permissions before installation. Notification access in particular is granted outside the normal runtime permission dialog, through a system settings screen, so it deserves extra suspicion when an app that has no business reading your notifications asks for it.

"To protect yourself, the best course of action would be to avoid clicking on any suspicious links, only download apps from Google Play, and use a reputable security solution," ESET concluded.

Published: 22/01/2021