Check Point Research (CPR) recently discovered malware on Google Play hidden in a fake application that is capable of spreading itself via users’ WhatsApp messages. If the user downloaded the fake application and unwittingly granted the malware the appropriate permissions, the malware is capable of automatically replying to victim’s’ incoming WhatsApp messages with a payload received from a command-and-control (C&C) server. This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more.
General
As the mobile threat landscape evolves, threat actors are always seeking to develop new techniques to evolve and successfully distribute malware. In this specific campaign, Check Point’s researchers discovered a new and innovative malicious threat on the Google Play app store which spreads itself via mobile users’ WhatsApp conversations, and can also send further malicious content via automated replies to incoming WhatsApp messages.
Researchers found the malware hidden within an app on Google Play called ’FlixOnline.’” The app is a fake service that claims to allow users to view Netflix content from all around the world on their mobiles. However, instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor the user’s WhatsApp notifications, and to send automatic replies to the user’s incoming messages using content that it receives from a remote command and control (C&C) server.
