As people look for entertainment online from the comfort of their homes, cybercriminals are finding ways to take advantage of that demand for their nefarious activities. One simple way? Deploying malware on the Google Play Store, disguised as a copy of a popular application and waiting to be installed by unsuspecting users.
This is what Check Point Research (CPR) recently discovered, in the form of malware hidden within an app called ‘FlixOnline’, which advertised itself as the streaming service Netflix.
In their findings, CPR said that when a user downloads the fake application, it asks for permissions that it then uses to deploy its payload. These permissions include ‘overlay’, allowing a malicious application to draw on top of others to show a fake login screen; ‘battery optimisation ignore’, stopping the malware from being shut down by the device’s battery optimisation routine; and ‘notification’, permitting the malware to send messages using messaging apps that are installed on the user’s phone.
According to CPR, the malware can also access all notifications and messages sent to the device and has the ability to automatically perform designated actions such as “dismiss” or “reply” to messages received on the device.
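A defender-side triage check for the permission combination described above, as an added example that is not from the original article or from Check Point Research. It assumes the article's ‘overlay’, ‘battery optimisation ignore’ and ‘notification’ correspond to the Android identifiers SYSTEM_ALERT_WINDOW, REQUEST_IGNORE_BATTERY_OPTIMIZATIONS and BIND_NOTIFICATION_LISTENER_SERVICE; the manifest is a constructed sample for a hypothetical app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the article's permission names to Android identifiers.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
BATTERY = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed sample: decoded AndroidManifest.xml of a hypothetical app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.streaming">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".Listener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""


def risky_capabilities(manifest_xml):
    """Return which of the article's three capabilities the manifest requests."""
    root = ET.fromstring(manifest_xml.strip())
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Notification access is not a <uses-permission>: the app declares a
    # service guarded by the notification-listener bind permission instead.
    has_listener = any(s.get(ANDROID_NS + "permission") == NOTIF_LISTENER
                       for s in root.iter("service"))
    found = []
    if OVERLAY in requested:
        found.append("overlay")
    if BATTERY in requested:
        found.append("battery optimisation ignore")
    if has_listener:
        found.append("notification")
    return found


def triage(manifest_xml):
    """Flag the app for manual review when all three appear together."""
    found = risky_capabilities(manifest_xml)
    return {"capabilities": found, "review": len(found) == 3}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Each of these capabilities has legitimate uses on its own, so the check only flags the combination for a closer look rather than treating any single one as malicious.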
With such capabilities, the malware can send messages that lure a user’s contacts with an enticing offer in order to claim further victims, for instance:
“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now by clicking HERE”.
This also makes the malware ‘wormable’, meaning it can spread from one Android device to another after the user clicks on the link. Other potential threats of the malware include the ability to:
Spread further malware via malicious links.
Steal data from users’ WhatsApp accounts.
Spread fake or malicious messages to users’ WhatsApp contacts and groups (for example, work-related groups).
Extort users by threatening to send sensitive WhatsApp data or conversations to all of their contacts.
For Aviran Hazum, Manager of Mobile Intelligence at Check Point Software Technologies, the techniques used by the malware are fairly new and innovative. “The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags”, he said.
Aviran also mentioned that although experts stopped one malware campaign, the malware family is likely here to stay and that it may return hidden in a different app.
To prevent this from happening, Jonathan Knudsen, Senior Security Strategist at Synopsys Software Integrity Group, said that users should be vigilant as always. He advised that users be wary of the permissions an app is asking for, as it can be a potential threat.
“Finally, the FlixOnline incident reiterates a truth as old as humanity: nothing is free. Any app that appears to be free is going to be supported by advertising, data collection, legitimate payments, or outright theft. Consumers should remain sceptical and make sure they understand the price they are paying for ‘free’ apps”, Jonathan added.
Just last month, the invite-only audio-chat app Clubhouse also fell victim to malware posing as its copy.