WhatsApp-based wormable Android malware spotted on the Google Play Store

Cybersecurity researchers have learned yet another piece of wormable Android malware—but this time downloadable instantly from the official Google Perform Store—that’s capable of propagating through WhatsApp messages.

Disguised as a rogue Netflix app below the title of “FlixOnline,” the malware comes with capabilities that make it possible for it to quickly reply to a victim’s incoming WhatsApp messages with a payload gained from a command-and-handle (C&C) server.

“The application is really created to observe the user’s WhatsApp notifications, and to send computerized replies to the user’s incoming messages making use of content that it gets from a distant C&C server,” Check out Point researchers claimed in an assessment released now.

password auditor

Moreover masquerading as a Netflix application, the malicious “FlixOnline” application also requests intrusive permissions that allow it to develop fake Login screens for other apps, with the target of thieving credentials and achieve entry to all notifications gained on the system, working with it to hide WhatsApp notifications from the consumer and quickly reply with a specifically-crafted payload been given from the C&C server.

“The malware’s system is quite new and impressive,” explained Aviran Hazum, supervisor of mobile intelligence at Examine Place. “The system right here is to hijack the link to WhatsApp by capturing notifications, alongside with the capacity to consider predefined steps, like ‘dismiss’ or ‘reply’ by using the Notification Manager.”


A thriving an infection could permit the malware to spread further by using destructive back links, steal knowledge from users’ WhatsApp accounts, propagate destructive messages to users’ WhatsApp contacts and groups, and even extort end users by threatening to leak delicate WhatsApp details or conversations.

The application has considering that been purged from the Play Retail outlet, but not right before attracting a whole of 500 downloads above the study course of two months.

FlixOnline also marks the 2nd time a destructive app has been caught using WhatsApp to spread the malware. In January 2021, ESET researcher Lukas Stefanko disclosed a faux Huawei Cell application that used the identical modus operandi to accomplish the wormable assault.

password auditor

What is additional, the information displayed to consumers on opening the apps is the exact — “We need to have your authorization to accessibility the application. It will support app (sic) to provide far better operation” — suggesting the two applications could either be the operate of the very same attacker or that the authors of FlixOnline drew inspiration from the Huawei Mobile application.

“The actuality that the malware was equipped to be disguised so simply and eventually bypass Enjoy Store’s protections raises some major crimson flags,” Hazum explained. “Though we stopped 1 campaign of the malware, the malware household is very likely here to keep. The malware may possibly return concealed in a distinct application.”

“Users should be wary of download backlinks or attachments that they obtain by means of WhatsApp or other messaging apps, even when they surface to arrive from reliable contacts or messaging groups,” Hazum added.

Fibo Quantum