A fake Netflix app was listed in the Google Play app store and spread to more phones by automatically replying to WhatsApp messages with a link to itself.
The app, dubbed "FlixOnline," promised users that they could connect to Netflix streams in other countries where various movies and TV shows were available and that their Netflix membership was free for two months.
However, the app was actually just monitoring WhatsApp notifications and replying to WhatsApp messages, researchers from Israeli security firm Check Point said in a blog post and research paper today (April 7).
There is no indication that WhatsApp itself was hacked or that WhatsApp vulnerabilities were exploited. It is also not clear what the FlixOnline app did other than promote itself. Check Point has stated that the FlixOnline app has the ability, at least in theory, to steal passwords and spread spam. The app hides its icon after installation.
If you have the FlixOnline app on your phone (it should appear in Settings > App Info), you should remove it immediately. As always, you can avoid infection by installing the best Android antivirus apps.
The FlixOnline app automatically replied to every WhatsApp message that reached the user's phone with a message promoting itself, along with a shortened link for the message recipient to tap. (The malware itself was not spread via WhatsApp, so it is not really a "worm"). The link is to a site called GetMyFlix-dot-com, which is currently offline.
Check Point notes that the shortened link could lead anywhere and could be an attempt to install more malware that could steal personal information or hijack WhatsApp accounts. However, there is no indication that this was anything other than an attempt to get the user to actually download the FlixOnline app.
This malware attack is very similar to a scam we reported during the coronavirus lockdown in Europe and North America in March 2020, in which a fake service offering two months of free Netflix access was spread via WhatsApp (and text messages).
Check Point noted that the FlixOnline app requested Overlay permissions, which could be used to create fake login screens and steal passwords, although other apps (Facebook Messenger, to name one example) also use Overlay to display notifications on the screen. FlixOnline also uses the Notification permission to auto-reply to incoming messages.
According to the Check Point blog, "In theory, such auto-replies could allow hackers to steal data, disrupt business in work-related chat groups, and even blackmail users by sending sensitive data to all their contacts."
We do not know if the FlixOnline app actually did this. It is highly possible that it merely displayed ads to infected users. According to Check Point, despite the aggressive promotional campaign on WhatsApp, the FlixOnline app was installed only about 500 times.
The app no longer exists in the Google Play store, but it never should have been there. Restricting app downloads to Google Play is one of Android's core defenses, and malicious apps in the store undermine the entire system.
Perhaps because of the small number of users, there were not enough complaints about this app for the Google Play store administrators to notice.
The domain the WhatsApp messages linked to, GetMyFlix[.]com, was registered in March 2020 by someone claiming to be from the Andaman and Nicobar Islands, India, according to a WHOIS search.
The Internet Archive's Wayback Machine has several "captures" of this website from 2008 to 2014, apparently encouraging people to "borrow" rental DVDs from neighbors.
Check Point's screenshot of the FlixOnline Google Play page shows that the app claimed to have been developed by a person named "Jillian Sanchez."