Free Netflix? A tempting invitation. This is how cybercriminals tricked Android users through Whatsapp chains. The invitation offered 2 months of free Netflix subscription after installing an app. Thus, researchers from the security firm Check Point Research (CPR) warned about the scam. Although the app was removed from GooglePlay, it had more than 500 downloads.
In times of pandemic, streaming TV is an escape route. This is why millions of people subscribe to platforms like Netflix. To ensure their entertainment and pass the time. This scenario is an easy target for cybercriminals. Even more so if the information arrives via Whatsapp. Where users are characterized by replicating unverified information. This is how the app called Flix Online became an easy prey. In the PlayStore the app offered “unlimited global entertainment”. The offer seemed credible as it showed screenshots of the original Netflix app.
Despite that, it was a scam. The app actually contained malware that started a service. That when users installed the app, it requested “Overlay”, “Ignore battery optimization” and “Notification” permissions. In this way it monitored WhatsApp notifications. It then launched automatic replies to incoming messages from the affected user. And so it used the content it received from a remote command and control server.
How the malware works
The permissions requested by the app were mentioned above. Specifically, the overlay permission allows it to “overlay” on the windows of other applications. And thus steal login credentials and other sensitive system information. On the other hand, the ability to ignore battery optimization prevents Android from being able to shut down malware when power saving is enabled. Finally, access to read and write notifications grants control over notifications. Among them that of WhatsApp chats.
One of the autoresponders identified by CPR read, “2 months of Netflix Premium free at no cost FOR QUARANTINE (CROWN VIRUS)* Get 2 months of Netflix Premium free anywhere in the world for 60 days. Get it now HERE https: // bit [.] Ly / 3bDmzUw”. Upon clicking the “get it here” link the malware directed victims to a fake Netflix website. There it again tried to trick users into entering one of their credit card details. With the aim of stealing them. Also, as the landing page could be modified by the attackers, the messages could lead to other fraud campaigns or loads of new Android malware.
To reassure the community, Check Point informed Google of the Android malware. For its part, the company has already removed the app from the Play Store. But, the threat does not end there. Because according to the security firm, the threat could reappear. This is why prevention and verification of the origin of what we receive through social networks is crucial. Especially if it involves downloading files or programs.