FlixOnline Malware

A fake application promising free Netflix was caught delivering a malware threat named FlixOnline. The weaponized application had slipped past Google's safeguards and was available for download from the official Play Store for two months. During that time, researchers found, more than 500 users installed the FlixOnline malware. The goal is to direct users to a specially crafted fake Netflix website that harvests every piece of information entered into it; the operators were mainly after login credentials and credit/debit card details.

The application lured users in with the promise of free Netflix: '2 Months of Netflix Premium Free Anywhere in the World for 60 days.' Once installed, however, the harmful payload used a rather novel technique to hijack the user's WhatsApp conversations. In practice, FlixOnline requested notification listener access (an Android NotificationListenerService, which the user must enable explicitly in Settings). This gives the app every notification about received messages and lets it act on them automatically, for example by dismissing a notification or using its inline 'reply' action. The malware took full advantage of this access.

Self-Propagation by Hijacking WhatsApp Notifications

FlixOnline's listener implemented the onNotificationPosted callback and checked the package name of the application that posted each notification. If that application was WhatsApp, the malware cancelled the notification to hide it from the user and then read its title and text. The final step was to send an automated reply whose content came from the command-and-control server. In most observed cases, the outgoing WhatsApp replies created this way were used to spread FlixOnline further. One observed automated message created by the threat is:

'2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE [LINK].'

In addition to notification listener access, the app also asks for the overlay permission ('display over other apps', SYSTEM_ALERT_WINDOW) and for an exemption from battery optimization (REQUEST_IGNORE_BATTERY_OPTIMIZATIONS). Overlays are routinely abused by credential-stealing malware to draw new windows, such as fake login screens, on top of the legitimate application the user has opened, with the goal of capturing account credentials and other sensitive details. The battery-optimization exemption, as its name suggests, keeps the FlixOnline service running even when the infected Android device enters Doze (idle) mode and would otherwise restrict background work.
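The three capabilities described above (notification listener access, overlay, battery-optimization exemption) are all visible from `adb shell`, so a device can be triaged for apps that hold the same combination without having to identify the package by name. The following script is an added example, not code from the original article or from the researchers who analysed FlixOnline. It parses the output of `settings get secure enabled_notification_listeners`, `dumpsys deviceidle whitelist` and `appops get <pkg> SYSTEM_ALERT_WINDOW`; the sample output embedded in it is constructed, the output formats are the ones these commands produce on stock Android as the author understands them, and `com.flix.online` is a hypothetical package name used only for illustration.

```python
"""Triage an Android device for apps holding the FlixOnline permission triad.

Added example. Sample data below is constructed to mimic adb output and was
not captured from a real device; "com.flix.online" is a hypothetical package.
"""
import re
from typing import Dict, Iterable, List, Set

# adb shell settings get secure enabled_notification_listeners
ENABLED_LISTENERS = (
    "com.google.android.apps.messaging/.NotificationListener"
    ":com.flix.online/.NotifService"
)

# adb shell dumpsys deviceidle whitelist
DEVICEIDLE_WHITELIST = """\
system-excidle,com.google.android.gms,10012
system,com.android.vending,10030
user,com.flix.online,10215
"""

# adb shell appops get <pkg> SYSTEM_ALERT_WINDOW, keyed by package
APPOPS_OVERLAY = {
    "com.google.android.apps.messaging": "No operations.",
    "com.android.vending": "SYSTEM_ALERT_WINDOW: default",
    "com.flix.online": "SYSTEM_ALERT_WINDOW: allow; time=+2d3h17m44s ago",
}

# Packages the analyst has already vetted (assumed allow-list).
KNOWN_GOOD = {
    "com.google.android.gms",
    "com.android.vending",
    "com.google.android.apps.messaging",
}


def listener_packages(setting: str) -> Set[str]:
    """Packages with notification listener access.

    The secure setting is a ':'-separated list of flattened ComponentNames
    ("pkg/cls"); an unset value prints as "null" or an empty line.
    """
    if not setting or setting.strip() == "null":
        return set()
    return {c.split("/", 1)[0] for c in setting.strip().split(":") if c}


def user_battery_exemptions(dump: str) -> Set[str]:
    """Packages exempted from battery optimization by the user.

    Assumed line format: "<kind>,<package>,<uid>". Only the "user" kind can
    be obtained by an app through REQUEST_IGNORE_BATTERY_OPTIMIZATIONS; the
    "system" kinds are OEM/platform defaults and are ignored here.
    """
    exempt = set()
    for line in dump.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] == "user":
            exempt.add(parts[1])
    return exempt


def overlay_allowed(appops_output: str) -> bool:
    """True when appops reports SYSTEM_ALERT_WINDOW mode 'allow'.

    Other modes ("default", "deny", "ignore") and "No operations." are
    treated as not granted.
    """
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_output)
    return bool(m) and m.group(1) == "allow"


def triage(listeners: Set[str], exemptions: Set[str],
           appops: Dict[str, str], known_good: Iterable[str]) -> Dict[str, List[str]]:
    """Map each non-allow-listed package to the capabilities it holds.

    Notification listener access alone is enough for the WhatsApp hijack
    described in the article, so any package in the result deserves a look;
    a package with all three flags matches the FlixOnline profile exactly.
    """
    candidates = (listeners | exemptions | set(appops)) - set(known_good)
    findings: Dict[str, List[str]] = {}
    for pkg in sorted(candidates):
        flags = []
        if pkg in listeners:
            flags.append("notification-listener")
        if overlay_allowed(appops.get(pkg, "")):
            flags.append("overlay")
        if pkg in exemptions:
            flags.append("battery-exempt")
        if flags:
            findings[pkg] = flags
    return findings


if __name__ == "__main__":
    result = triage(listener_packages(ENABLED_LISTENERS),
                    user_battery_exemptions(DEVICEIDLE_WHITELIST),
                    APPOPS_OVERLAY, KNOWN_GOOD)
    for pkg, flags in result.items():
        print(f"{pkg}: {', '.join(flags)}")
```

On a real device, feed the script the live output of the three commands (iterating `appops get` over `pm list packages -3` for third-party apps) rather than the embedded samples. A package that shows up with only the notification-listener flag is still worth checking, since that single grant is what let FlixOnline read and answer WhatsApp messages.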

After being notified about the FlixOnline fake application, Google promptly took it down from the Play Store.
