Despite Google's efforts to combat malware on Android, every now and then a new threat slips through the cracks. Researchers at Check Point Research have shared details (via ZDNet) on a threat that could have lured Android users with the promise of free access to Netflix content and spread through WhatsApp.
As noted in the company's blog post, the malware lives in an app called FlixOnline, which was available on the Play Store and promised users the ability to watch Netflix content from all over the world. However, instead of doing that, the app requests a handful of permissions that enable it to steal user data and spread to other users more easily. Once all permissions are granted, the app hides itself from the app launcher so that it is harder to delete.
Upon being installed, the app requests a few special permissions: displaying over other apps, ignoring battery optimizations, and notification access. Displaying over other apps means the app can disguise itself and display a fake login screen on top of other apps, leading users to enter their personal information, which is then sent to the attackers. Meanwhile, ignoring battery optimizations means the app won't be killed in the background, so it can stay active even if it's been idle for a while.
Notification access is potentially the most concerning one. For one thing, the app can harvest information from the user's notifications, including messages they receive. It can also perform quick actions on those notifications, like replying to messages on WhatsApp, which is exactly what it does to spread to other users. Whenever the affected user gets a notification from WhatsApp, the fake app hides it and sends a reply promising two months of free Netflix access, with a download link that installs the malware on the recipient's device as well.
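
The three permissions described above correspond to specific declarations in an app's manifest, so an APK can be triaged for the combination before it is allowed onto a managed device. The following is an added example, not code from Check Point Research or from the app itself; it assumes the manifest has already been decoded to text XML, and the two sample manifests and their package names are constructed.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
BATTERY = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
NLS_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
NLS_ACTION = "android.service.notification.NotificationListenerService"

def triage_manifest(manifest_xml):
    """Report which of the three capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter()
                 if e.tag in ("uses-permission", "uses-permission-sdk-23")}
    listeners = []
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        # A notification listener is a service guarded by the bind permission
        # that also advertises the listener intent action.
        if svc.get(A + "permission") == NLS_BIND and NLS_ACTION in actions:
            listeners.append(svc.get(A + "name"))
    result = {"overlay": OVERLAY in requested,
              "battery_exempt": BATTERY in requested,
              "notification_listeners": listeners}
    result["all_three"] = bool(result["overlay"] and result["battery_exempt"]
                               and listeners)
    return result

# Constructed sample manifests (hypothetical packages, not from the real app).
HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
        ' package="%s">')
LISTENER = """<application><service android:name=".Listener"
  android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
  <intent-filter>
    <action android:name="android.service.notification.NotificationListenerService"/>
  </intent-filter>
</service></application></manifest>"""
SUSPICIOUS = (HEAD % "com.example.freestreaming"
              + '<uses-permission android:name="%s"/>' % OVERLAY
              + '<uses-permission android:name="%s"/>' % BATTERY + LISTENER)
BENIGN = HEAD % "com.example.smartwatch" + LISTENER

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage_manifest(doc))
```

The combination is a triage signal for closer review rather than a verdict, since each of these permissions also has legitimate uses on its own.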
Check Point Research reported the malware to Google prior to disclosing the vulnerability and the FlixOnline app was removed from the Play Store quickly. However, roughly 500 users downloaded the app over two months, which could have spread the malware to many other users through WhatsApp. Anyone who has been affected should uninstall the app from the device settings and change their passwords.