Research by: Aviran Hazum, Bodgan Melnykov & Israel Wenik Overview Check Point Research (CPR) recently discovered malware on Google Play hidden in a fake application that is capable of spreading itself via users’ WhatsApp messages. If the user downloaded the fake application and unwittingly granted the malware the appropriate permissions, the malware is capable of automatically replying to victim’s incoming WhatsApp messages with a payload received from a command-and-control (C&C) server. This unique method could have enabled threat actors to distribute phishing attacks, spread false information or steal credentials and data from users’ WhatsApp accounts, and more. General As the mobile threat landscape evolves, threat actors are always seeking to develop new techniques to evolve and successfully distribute malware. In this specific campaign, Check Point’s researchers discovered a new and innovative malicious threat on the Google Play app store which spreads itself via mobile users’ WhatsApp conversations, and can also send further malicious content via automated replies to incoming WhatsApp messages. Researchers found the malware hidden within an app on Google Play called ’FlixOnline.’ The app is a fake service that claims to allow users to view Netflix content from all around the world on their mobiles. However, instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor the user’s WhatsApp notifications, and to send automatic replies to the user’s incoming messages using content that it receives from a remote command and control (C&C) server. The malware sends the following response to its victims, luring them with the offer of a free Netflix service: “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw.” Utilizing this technique, a threat actor could perform a wide range of malicious activities: Spread further malware via malicious links Stealing data from users’ WhatsApp accounts Spreading fake or malicious messages to users’ WhatsApp contacts and groups (for example, work-related groups) Extort users by threatening to send sensitive WhatsApp data or conversations to all of their contacts Technical Analysis When the application is downloaded from the Play Store and installed, the malware starts a service that requests ‘Overlay’, ‘Battery Optimization Ignore’, and ‘Notification’ permissions. The purpose behind obtaining these permissions is: Overlay allows a malicious application to create new windows on top of other applications. This is usually requested by malware to create a fake “Login” screen for other apps, with the aim of stealing the victim’s credentials. Ignore Battery Optimizations stops the malware from being shut down by the device’s battery optimization routine, even after it is idle for an extended period. The most prominent permission is the Notification access, more specifically, the Notification Listener service. Once enabled, this permission provides the malware with access to all notifications related to messages sent to the device, and the ability to automatically perform designated actions such as “dismiss” and “reply” to messages received on the device. After the permissions are granted, the malware displays a landing page it receives from the C&C server and immediately hides its icon so the malware can’t be easily removed. This is done by a service that periodically contacts the C&C and updates the malware’s configuration accordingly. The service can achieve these goals by using multiple methods. For instance, the service can be triggered by the installation of the application and by an Alarm registered in the BOOT_COMPLETED action, which is called after the device has completed the boot process. The response from the C&C contains a configuration with the following field: Field Purpose landing_page A URL to display to the victim after permission granting. message_inbox The message to send as a reply to all incoming messages. message_limit Unused, potentially could indicate as an “upper limit” for the amount of messages to send out. delay Unused. url Unused. delay_browser Delay before showing popup with specific URL. enable_browser C&C check flag. enable_webview Indicates which app to use to open the URL. webview_url The URL for the WebView popup activity. browser_url URL for the browser popup. Once this is complete, the malware has everything needed to distribute the payload. With the OnNotificationPosted callback, the malware checks for the package name of the originated application, and if that application is WhatsApp, it will process the notification. Responsible disclosure Check Point Research responsibly notified Google about the malicious application and the details of its research, and Google quickly removed the application from the Play Store. Over the course of 2 months, the “FlixOnline” app was downloaded approximately 500 times. Conclusion This wormable Android malware features innovative and dangerous new techniques for spreading itself, and for manipulating or stealing data from trusted applications such as WhatsApp. It highlights that users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups. If a user was infected, they should remove the application from their device, and change their passwords. Stay protected from mobile threats Check Point Harmony is the Mobile Threat Defense (MTD) solution, providing the widest range of capabilities to help you secure your mobile workforce. Mobile market-leading Harmony Mobile provides protection for all mobile vectors of attack, including the download of malicious applications and applications with malware embedded in them. Appendix 1 – IOCs FlixOnline – 1d097436927f85b1ab9bf69913071abd0845bfcf1afa186112e91e1ca22e32df C&C – netflixwatch[.]site Package Name – com.fab.wflixonline Certificate – BEC2C0448558729C1EDF4E45AB76B6A3EE6E42B7

Harmony

Check Point

Google

Netflix

Routine

CloudGuard added AWS GWLB: What that Means for AWS Marketplace Offerings

Understanding the Solarwinds Sunburst Breach and the Severity of Supply Chain Attacks

Visit us

Too Long; Didn't Read

Automate Security Across All Your Cloud Environments

How a Wormable Android Malware Used to Spread Using WhatsApp Auto-Replies

How a Wormable Android Malware Used to Spread Using WhatsApp Auto-Replies

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

Best Practice: Identifying And Mitigating The Impact Of Sunburst

Java bits: 0xFF and 0xFFL

10 Things You Didn't Know You Could Do With Google Keep

10 Things to check on Android code reviews

10 Mistakes In Mobile App Development That Make You Look Dumb

Best Practice: Identifying And Mitigating The Impact Of Sunburst

Java bits: 0xFF and 0xFFL

10 Things You Didn't Know You Could Do With Google Keep

10 Things to check on Android code reviews

10 Mistakes In Mobile App Development That Make You Look Dumb

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps