Malware that lured victims with the promise of free access to Netflix content was discovered on Android. It was promptly removed by Google after a complaint from Check Point Research (CPR). The malware was disguised as an application in the Play Store.

Called FlixOnline, the fake app was downloaded about 500 times over the two months it was available on Google's store, claiming to offer "unlimited entertainment" and "Netflix totally free". Once installed, it asked for three specific permissions: to draw over other apps (the overlay permission), to be exempted from battery management and optimization, and to access the device's notifications.

FlixOnline promised free access to Netflix content, but it was actually malware that stole private information from Android users. Image: CPR / Reproduction

The problem is that, with those permissions granted, FlixOnline could draw its own windows on top of any other application installed on the phone, which is how it went after login credentials. Suppose, for example, that after installing it the user opened a site or app with a login and password form: the fake app could place its own copy of that form over the real one and capture whatever was typed into it.

The malware's activity did not stop at the "free Netflix" lure. FlixOnline also used its notification access to reply automatically to messages received via WhatsApp. Without the user noticing, it answered incoming messages with a prepared text that directed the user's contacts to a fake page asking for credentials, in order to also steal data from anyone who got in touch with the victim.

Meanwhile, being exempt from battery optimization meant the system would not terminate it as it does other background apps with high power consumption, so it kept running regardless of what the user did.
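The three permissions described above (overlay, battery-optimization exemption, notification access) are each visible through adb, so a quick triage is to list which installed packages hold all three at once. The script below is an added example written for this page; it is not code from CPR's report or from the article. It parses the output of three `adb shell` commands (`settings get secure enabled_notification_listeners`, `dumpsys deviceidle whitelist`, `appops get <pkg> SYSTEM_ALERT_WINDOW`) and, run without `--live`, uses constructed sample output embedded in the file; the package name `com.example.flixonline` and the other sample values are hypothetical.

```python
"""Triage which Android packages hold the FlixOnline permission profile.

Added example, not from the CPR report or the article. Parses the output of
three `adb shell` commands. The SAMPLE_* values below are constructed for
illustration; `com.example.flixonline` is a hypothetical package name.
"""
import re
import subprocess
import sys

# Constructed sample of: adb shell settings get secure enabled_notification_listeners
# Format: colon-separated flattened ComponentNames, "pkg/cls" (or "null" if none).
SAMPLE_LISTENERS = (
    "com.android.systemui/.NotificationListener:"
    "com.example.flixonline/.NotifListener"
)

# Constructed sample of: adb shell dumpsys deviceidle whitelist
# Format: "<system-excidle|system|user>,<package>,<uid>" per line; apps the
# user exempted via the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS dialog are "user".
SAMPLE_DEVICEIDLE = """\
system,com.android.providers.downloads,10007
user,com.example.flixonline,10231
user,com.whatsapp,10105
"""

# Constructed samples of: adb shell appops get <pkg> SYSTEM_ALERT_WINDOW
SAMPLE_OVERLAY = {
    "com.android.systemui": "SYSTEM_ALERT_WINDOW: allow; time=+12d3h4m5s678ms ago",
    "com.example.flixonline": "SYSTEM_ALERT_WINDOW: allow; time=+3h12m14s839ms ago",
    "com.whatsapp": "No operations.",
}

OVERLAY_ALLOWED = re.compile(r"^\s*SYSTEM_ALERT_WINDOW:\s*allow\b", re.M)


def listener_packages(raw):
    """Packages with an enabled NotificationListenerService."""
    pkgs = set()
    for entry in raw.strip().split(":"):
        if "/" in entry:  # skips "null" and empty entries
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def battery_exempt_packages(raw, user_only=True):
    """Packages on the doze/battery-optimization allowlist ("user" rows by default)."""
    pkgs = set()
    for line in raw.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and (parts[0] == "user" or not user_only):
            pkgs.add(parts[1])
    return pkgs


def overlay_allowed(appops_output):
    """True if `appops get` reports SYSTEM_ALERT_WINDOW as allowed."""
    return bool(OVERLAY_ALLOWED.search(appops_output))


def triage(listeners_raw, deviceidle_raw, overlay_by_pkg):
    """Map each package seen in any list to the three flags it holds."""
    listeners = listener_packages(listeners_raw)
    exempt = battery_exempt_packages(deviceidle_raw)
    overlay = {p for p, out in overlay_by_pkg.items() if overlay_allowed(out)}
    report = {}
    for pkg in listeners | exempt | overlay:
        report[pkg] = {
            "notification_listener": pkg in listeners,
            "battery_exempt": pkg in exempt,
            "overlay": pkg in overlay,
        }
    return report


def suspects(report):
    """Packages holding all three flags, sorted."""
    return sorted(p for p, held in report.items() if all(held.values()))


def adb(*args):
    """Run `adb shell <args>` and return stdout (live mode only)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def live_report():
    """Query a connected device; overlay is only checked for packages that
    already hold one of the other two permissions, to keep the adb calls few."""
    listeners = adb("settings", "get", "secure", "enabled_notification_listeners")
    idle = adb("dumpsys", "deviceidle", "whitelist")
    candidates = listener_packages(listeners) | battery_exempt_packages(idle)
    overlay = {p: adb("appops", "get", p, "SYSTEM_ALERT_WINDOW") for p in candidates}
    return triage(listeners, idle, overlay)


if __name__ == "__main__":
    if "--live" in sys.argv:
        report = live_report()
    else:
        report = triage(SAMPLE_LISTENERS, SAMPLE_DEVICEIDLE, SAMPLE_OVERLAY)
    for pkg, held in sorted(report.items()):
        print(f"{pkg:40s} {', '.join(k for k, v in held.items() if v)}")
    print("all three:", suspects(report))
```

Holding all three is not proof of malice (legitimate notification-management or accessibility tools may qualify), but on the sample data only `com.example.flixonline` matches, and on a real device the short list this produces is the one to cross-check against the hashes and package names in CPR's IOCs. Run with `--live` against a device with USB debugging enabled; the "user" rows of `dumpsys deviceidle whitelist` are where apps end up after the user accepts the "ignore battery optimizations" prompt.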

Malware can come back

"The [app's] technique was to hijack the connection to WhatsApp to capture notifications, in addition to the ability to take predetermined actions, such as 'dismiss' or 'reply' to messages by managing notifications," said Aviran Hazum, intelligence services manager at Check Point Research. "The fact that the malware was able to disguise itself so easily and bypass the protections implemented in the Play Store raised a lot of alarms."

CPR also pointed out that this Android malware "highlights [the need for] users to be suspicious of links or attached files they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or groups."

Finally, the company admitted that this may not be a one-off case: "Although CPR has helped to stop this malware campaign, we suspect that the identified family of malware is here to stay, and may return in other types of malicious apps within the Play Store."

The full CPR report includes sample hashes and C2 server addresses, as well as other indicators of compromise (IOCs), to help technical staff identify the malware.

Source: Bleeping Computer