One must always be careful with content received in WhatsApp conversations, even in individual messages from the closest friends: it is not always legitimate, since those contacts may themselves have been victims of a malware campaign.
Researchers at the security firm Check Point Research (CPR) now warn of an Android application, already withdrawn from the Google Play Store, that encouraged WhatsApp users' contacts to install it by claiming to offer two months of free Netflix subscription anywhere in the world.
The application, called FlixOnline, also displayed the logo and screenshots of the original Netflix application, as seen in the image above, shared by the researchers in their statement.
But far from delivering what it promised, the application contained malware that started a service requesting the “Overlay”, “Ignore battery optimization” and “Notification” permissions. It then monitored WhatsApp notifications and sent automatic replies to the affected user's incoming messages, using content it received from a remote command-and-control server.
In this way, the malware spread through WhatsApp conversations, displaying the following lure to keep reaching more users:
2 months of free Netflix Premium at no cost FOR QUARANTINE REASON (CORONA VIRUS) * Get 2 months of Netflix Premium free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw
According to the security firm, this malware opens the door to spreading further malware through malicious links, stealing data from affected users' accounts, and even spreading false or misleading messages among the affected user's own groups and contacts.
According to Check Point Research:
If these permissions are granted, the malware has everything it needs to start distributing its malicious payloads and responding to incoming WhatsApp messages with auto-generated responses. Theoretically, through these auto-generated responses, a hacker can steal data, cause business disruptions in work-related chat groups, and even commit extortion by sending sensitive data to all users’ contacts.
The firm itself has already notified Google, which promptly removed the application; the malicious FlixOnline application was found to have been downloaded approximately 500 times over two months.
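As a triage aid for the permission combination described above, the following added example (not code from Check Point Research or from the original article) checks a decoded AndroidManifest.xml for all three capabilities at once. The mapping of the article's “Overlay”, “Ignore battery optimization” and “Notification” permissions to the Android identifiers below is an assumption, the sample manifests are constructed, and a match is a reason to look closer rather than proof of malice.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Assumed mapping of the article's three permissions to standard Android identifiers.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
BATTERY = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
NOTIF_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
NOTIF_ACTION = "android.service.notification.NotificationListenerService"

# Constructed sample manifests (hypothetical packages, not taken from FlixOnline).
SAMPLE_SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.promo">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".ReplyService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bubbles">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application/>
</manifest>"""


def audit_manifest(manifest_xml):
    """Report which of the three capabilities a decoded AndroidManifest.xml declares."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    # A notification listener is a <service> guarded by the bind permission
    # that also handles the NotificationListenerService intent action.
    listeners = [
        s.get(A + "name") for s in root.iter("service")
        if s.get(A + "permission") == NOTIF_BIND
        and NOTIF_ACTION in {a.get(A + "name") for a in s.iter("action")}
    ]
    flags = {"overlay": OVERLAY in requested,
             "ignore_battery_optimization": BATTERY in requested,
             "notification_listener": bool(listeners)}
    return {**flags, "listener_services": listeners, "all_three": all(flags.values())}


if __name__ == "__main__":
    for label, xml in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, audit_manifest(xml))
```

The input is the text form of the manifest, as produced by decoding an APK with a tool such as apktool; the binary manifest inside the APK will not parse directly.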
More information: Check Point Research blog