New wormable Android malware poses as Netflix to hijack WhatsApp sessions

Users are lured in with the promise of a free premium subscription.
Written by Charlie Osborne, Contributing Writer

A new variant of Android malware has been discovered in an app on Google Play that entices users by promising free Netflix subscriptions. 

On Wednesday, Check Point Research (CPR) said the "wormable" mobile malware was discovered in the Google Play Store, the official repository for Android apps. The malicious software, dubbed "FlixOnline," disguises itself as a legitimate Netflix application and appears to focus on targeting the WhatsApp messaging application. 


The ongoing COVID-19 pandemic has forced many of us to stay at home for long durations, and with shops closed, bars shut, and limited trips outside permitted, we have turned to streaming services to pass the time. By the end of 2020, paid Netflix subscriber numbers smashed through the 200 million mark -- likely spurred on due to COVID-19 -- and malware operators have decided to jump on this trend. 

The fraudulent app promised global "unlimited entertainment" and two months of a premium Netflix subscription for free due to the pandemic. 

Once downloaded, however, the malware 'listens in' on WhatsApp conversations and auto-responds to incoming messages with malicious content.

Upon installation, the app asks for overlay permissions -- a common ingredient in the theft of service credentials -- as well as Battery Optimization Ignore, which stops a device from automatically closing down software to save power. In addition, FlixOnline requests notification permissions that give the malware access to notifications related to WhatsApp communication, as well as the ability to 'dismiss' or 'reply' to messages. 

Auto-responses to WhatsApp messages include the following, sent to contacts of the victim:

"2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https:// bit[.]ly/3bDmzUw."

According to the researchers, the malware can propagate further via malicious links, steal WhatsApp conversation data, and has the ability to spread false information or harmful content through the messaging service when installed on Android devices. 

The malicious link used in this campaign sends victims to a fake Netflix website that attempts to obtain a user's credit card information and credentials. However, as this message is fetched from a command-and-control (C2) server, other campaigns could link to different phishing websites or malware payloads. 

Approximately 500 victims were claimed by FlixOnline before detection, over a period of roughly two months, and it is likely the malware will appear again. 

CPR informed Google of its findings and the app has now been removed from the Play Store. WhatsApp was also made aware of the campaign as a courtesy but as there is no exploitable vulnerability or issue that the malware uses to propagate through the messaging app, no action was required. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards