Date: 2021-04-07



A new variant of Android malware has been discovered in a Google Play app that lures users by promising a free Netflix subscription.

Check Point Research (CPR) announced on Wednesday that “wormable” mobile malware was found in the Google Play store, the official repository for Android apps. The malicious software, called “FlixOnline”, impersonates a legitimate Netflix application and appears to focus on targeting the WhatsApp messaging application.

The ongoing COVID-19 pandemic has forced many of us to stay home for extended periods, with stores and bars closed and outings restricted, so we have turned to streaming services to pass the time. By the end of 2020, the number of paid Netflix subscribers exceeded 200 million, most likely due to COVID-19, and malware operators decided to jump on this trend.

The fraudulent app promised “unlimited entertainment” worldwide and a free two-month premium Netflix subscription because of the pandemic.

However, once downloaded, the malware “listens” to WhatsApp conversations and automatically responds to incoming messages with malicious content.

During installation, the app requests overlay permission (a common element of credential theft) and permission to ignore battery optimization, which stops the device from automatically closing the software to save power. In addition, FlixOnline requests notification access, which lets the malware read notifications related to WhatsApp communications and gives it the ability to “reject” or “reply” to messages.

Automatic responses to WhatsApp messages include the following sent to the victim’s contacts:

“Two Months of Netflix Premium Free Free Quarantine Reasons (Coronavirus) * Get Two Months of Netflix Premium Free for 60 Days Anywhere in the World. Get Now https://bit[.]ly/3bDmzUw.”

According to researchers, once installed on an Android device, the malware can spread further through malicious links, steal WhatsApp conversation data, and spread false information and harmful content through messaging services.

The malicious link used in this campaign sends the victim to a fake Netflix website that attempts to obtain the user’s credit card information and credentials. However, the message is fetched from a command-and-control (C2) server, so other campaigns could link to different phishing websites or malware payloads.

FlixOnline claimed about 500 victims over about two months before detection, and the malware could reappear.

CPR notified Google of the findings and the app was removed from the Play Store. WhatsApp was also informed of the campaign as a courtesy, but no action was required on its part, as the malware did not use any exploitable vulnerability or issue in the messaging app to propagate.

