A new wormable Android Malware Spreads by auto-replying to WhatsApp messages | by Alfiya Shaikh

A new wormable Android Malware Spreads by auto-replying to WhatsApp messages

by Alfiya Shaikh


Check Point Research (CPR) recently discovered malware on Google Play hidden in a fake application that is capable of spreading itself via user’s WhatsApp messages. If the user downloads the fake application and provides appropriate permissions then the malware becomes operational. It replies to user’s WhatsApp messages automatically with a payload to download the same infected application.


Researchers found the malware hidden within an app on Google Play called ‘FlixOnline’. The app claims to allow users to access Netflix, Amazon Prime contents and watch all movies and series for free. Similarly an apk is found named “LiveStream” offering same and also performs similar actions i.e auto-replying WhatsApp messages with a payload.

“Live Stream App Watch All Movie, Series,Season In Ultra HD Quality On Your Mobile, Live IPL Cricket Matches and Much More. Now you dont need to pay netflix, Amazon Prime Just Download this Free Live Streaming App and enjoy. http://profilelist.xyz/?livestream” This is the message auto-generated by the apk.

By employing this technique, an invader could perform a wide range of malicious activities such as:

  • Spread further malware via malicious links.
  • Stealing data from user’s WhatsApp accounts and any other.
  • Extort users by threatening to send sensitive WhatsApp data or other blackmailing strategies
  • Spreading fake or malicious messages to users’ WhatsApp contacts and groups .

When the application is downloaded from the Play Store and installed, the malware starts a service that requests ‘Overlay’, ‘Battery Optimization Ignore’, and ‘Notification’ permissions. The purpose behind obtaining these permissions is:

  • Overlay allows a malicious application to create new windows on top of other applications. This is usually requested by malware to create a fake “Login” screen for other apps, with the aim of stealing victim’s credentials.
  • Ignore Battery Optimizations stops the malware from being shut down by the device’s battery optimization routine, even after it is idle for an extended period.
  • The most prominent permission is the Notification access, more specifically, the Notification Listener service. Once enabled, this permission provides the malware with access to all notifications related to messages sent to the device, and the ability to automatically perform designated actions such as “dismiss” and “reply” to messages received on the device.

Check Point Research responsibly notified Google about the malicious application and the details of its research, and Google quickly removed the application from the Play Store. Though the FlixOnline app is removed from Play Store, the LiveStream apk is still in action. I had personally witnessed two similar cases today itself.


If you have mistakenly installed the application, immediately uninstall it and factory reset your device.

Further Protection from such Threats:

  • One should install applications only from the official sites.
  • One should not click on links forwarded on social media such as offering gift vouchers, Friendship tester, etc.
  • Never grant permissions to any app which isn’t required. For example, applications such as Google Meet, zoom requires camera access, so you can grant camera access to these applications.
  • Never fall in such traps by visiting malicious websites and installing malicious apks.

Stay Safe, Stay Protected.

About the Author:

Alfiya Shaikh - DSC Technical Lead | Pythonista | Tech Enthusiast | Student at ANJUMAN-I-ISLAM'S KALSEKAR TECHNICAL CAMPUS, MUMBAI

The article originally published at: https://alfiyashaikh0777.medium.com/a-new-wormable-android-malware-spreads-by-auto-replying-to-whatsapp-messages-c1a8e0330669

April 19, 2021
Notify of
Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013