Google Play has been making efforts to remove malicious apps from its platform, but hackers seem to be one step ahead at all times. A recent example is an app called FlixOnline, which masqueraded as a way to access Netflix for free but actually had other motives. The malicious behavior of the app was exposed by security firm Check Point Research, which revealed that the app never did what it promised. Rather, it was loaded with a self-replicating worm, capable of spreading to other devices for phishing attacks.
The modus operandi was to monitor the user’s WhatsApp messages and send automatic responses prompting recipients to install the application (FlixOnline). The idea could have been to launch a widespread data theft attack, or even worse, when the time was right.
Thanks to Check Point Research, the app was immediately removed from the Google Play Store after being reported. It had more than 500 downloads over its two months of existence.
Once the application was downloaded to the user’s device, it requested permissions including “Notification” and “Ignore battery optimization”, as well as access to overlay. In this way, the application could access and read all notifications, in particular those from WhatsApp.
This could have had serious repercussions, such as extortion attempts in which the user is threatened with having sensitive content sent to their contacts. The application contained malicious links that, when clicked, gave access to user information, and it could also, through a remote command and control server, send automatic messages to WhatsApp contacts to attract more victims.
According to Aviran Hazum, manager of mobile intelligence at Check Point Investigation, this incident raises serious doubts about the security measures of Google Play Store. Aviran said the threat is not over as the malicious app could return to the store disguised as another app with failsafe mechanisms to bypass Google’s security check.