Android malware worm auto-spreads via WhatsApp messages
Fraudulent mobile applications are on the rise. One recent example is malware hidden on the Google Play marketplace in a fake application and capable of spreading itself via Whatsapp instant messages. If the victim grants the correct permissions, the malware automatically retrieves a crafted payload from its C2 servers and disseminates it on WhatsApp messages.
This article covers how this kind of malware works, the techniques used by malicious actors and how to prevent it.
Become a certified reverse engineer!
WhatsApp malware worm overview
In general, mobile devices are not as secure as computers. The standard security protections used for workstations and servers are not in place for most mobile devices, so mobile devices may not be protected by firewalls, encryption, antivirus or endpoint detection and response.
However, these devices are often connected to cloud services, business emails and other applications that put companies at risk.
Within this context, the CheckPoint Research team discovered malware on the Google Play marketplace with the capability of spreading itself by using the victim's WhatsApp messages. When submitted into the official marketplace, the malicious application was not flagged as malware and may have been downloaded and installed by approximately 500 users.
Figure 1: Malicious application available on the official Google Play marketplace (source).
As observed in figure 2 below, this malicious application impersonates the legitimate application NetFlix, and it provides online media content such as movies and series for free. The application was allegedly developed by Jillian Sanchez, according to the name associated with the APK submission on Google Play.
Figure 2: Details about the malicious application "com.fab.wflixonline".
Digging into the FlixOnline malware details
This piece of malware automatically replies to messages that come from WhatsApp and then sends a payload received from its C2 server online.
"The application is actually designed to monitor the user's WhatsApp notifications, and to send automatic replies to the user's incoming messages using content that it receives from a remote C&C server," CheckPoint researchers said.
Some additional mandatory permissions are prompted when the victim downloads and installs the application. The permission "android.permission.INTERNET" is necessary to create online sockets with its C2 server to retrieve and send information from the infected device. The "RECEIVE_BOOT_COMPLETED" feature is enabled by default to start the app at boot, allow total control of the device and achieve persistence. Additionally, the "WAKE_LOCK" permission is essential to prevent the phone from sleeping. The full details extracted can be observed below.
Figure 3: Permissions requested by the malicious application during its execution.
Another interesting permission is "SYSTEM_ALERT_WINDOWS." It's responsible for creating overlay windows over other applications to steal information or bait users to click or execute something malicious. Some of the overlay windows are retrieved from a hosting service, as observed below.
Figure 4: Overlay windows presented by the malware in run-time.
After the permissions are set, the malware receives an initial payload from its C2 server that hides its icon to help prevent the deletion of the application. This routine is performed periodically by a function that retrieves information from the C2 server online.
Figure 5: Parser of the C2 server payload.
Interacting with the WhatsApp notifications
After this point, the malware is ready to distribute the payload via WhatsApp. During its execution, the callback OnNotificationPosted checks for the package name of the source app, and if the application name is WhatsApp, the "new" notification is processed.
Figure 6: The malware is finding WhatsApp notifications.
Then, the malware closes the notification to deceive the victim. The notification is hidden, and its details are obtained as presented in figure 7 (the title and content).
Figure 7: Route responsible for processing the notification.
In the next stage, the malware invokes the component responsible for inline replies and sends the message reply with the malicious payload obtained from its C2 server.
Figure 8: Block of code responsible for sending the reply on WhatsApp.
Become a certified reverse engineer!
Final thoughts on WhatsApp worm malware
Mobile wormable malware has been distributed in the wild with innovative and dangerous techniques for spreading and manipulating data or stealing users' secrets. These malicious pieces also take advantage of trusted applications, such as WhatsApp, installed on the target mobile devices to reach other users.
By using this modus operandi, threat actors can perform a range of malicious activities, including:
- Disseminate further malware via malicious URLs
- Steal data from user's legitimate applications (such as WhatsApp)
- Create fake or malicious messages and send them via legitimate applications
- Extort users by threatening to send sensitive data or malicious links to all their contacts or WhatsApp groups (the best target from the malicious perspective).
The best recommendations to keep your mobile devices protected are never installing or downloading suspicious or strange applications from unofficial marketplaces. Even though this specific app has been downloaded and installed from Google Play without detection from the Google side, it's always important to check the requested permissions and learn about them.
Sometimes the permissions are not aligned with the nature of the target application, and this detail should be taken into account every time. Let's take mobile threats seriously and protect our devices against threats of this line.
Sources
- Android malware worms via WhatsApp, CheckPoint Research Team
- Wormable Android app, TheHackerNews
- Exam Pass Guarantee
- Live expert instruction
- Hands-on labs
- CREA exam voucher
In this Series
- Android malware worm auto-spreads via WhatsApp messages
- How AsyncRAT is escaping security defenses
- Chrome extensions used to steal users' secrets
- Luna ransomware encrypts Windows, Linux and ESXi systems
- Bahamut Android malware and its new features
- LockBit 3.0 ransomware analysis
- AstraLocker releases the ransomware decryptors
- Analysis of Nokoyawa ransomware
- Goodwill ransomware group is propagating unusual demands to get the decryption key
- Dangerous IoT EnemyBot botnet is now attacking other targets
- Fileless malware uses event logger to hide malware
- Nerbian RAT Using COVID-19 templates
- Popular evasion techniques in the malware landscape
- Sunnyday ransomware analysis
- 9 online tools for malware analysis
- Blackguard malware analysis
- Behind Conti: Leaks reveal inner workings of ransomware group
- ZLoader: What it is, how it works and how to prevent it | Malware spotlight [2022 update]
- WhisperGate: A destructive malware to destroy Ukraine computer systems
- Electron Bot Malware is disseminated via Microsoft's Official Store and is capable of controlling social media apps
- SockDetour: the backdoor impacting U.S. defense contractors
- HermeticWiper malware used against Ukraine
- MyloBot 2022: A botnet that only sends extortion emails
- Mars Stealer malware analysis
- How to remove ransomware: Best free decryption tools and resources
- Purple Fox rootkit and how it has been disseminated in the wild
- Deadbolt ransomware: The real weapon against IoT devices
- Log4j - the remote code execution vulnerability that stopped the world
- Rook ransomware analysis
- Modus operandi of BlackByte ransomware
- Emotet malware returns
- Mekotio banker trojan returns with new TTP
- Android malware BrazKing returns
- Malware instrumentation with Frida
- Malware analysis arsenal: Top 15 tools
- Redline stealer malware: Full analysis
- A full analysis of the BlackMatter ransomware
- A full analysis of Horus Eyes RAT
- REvil ransomware: Lessons learned from a major supply chain attack
- Pingback malware: How it works and how to prevent it
- Malware analysis: Ragnarok ransomware
- Taidoor malware: what it is, how it works and how to prevent it | malware spotlight
- SUNBURST backdoor malware: What it is, how it works, and how to prevent it | Malware spotlight
- ZHtrap botnet: How it works and how to prevent it
- DearCry ransomware: How it works and how to prevent it
- How criminals are using Windows Background Intelligent Transfer Service
- How the Javali trojan weaponizes Avira antivirus
- HelloKitty: The ransomware affecting CD Projekt Red and Cyberpunk 2077
- DreamBus Botnet: An analysis
- Kobalos malware: A complex Linux threat
- What is Operation Dream Job by Lazarus?
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Malware analysis
Malware analysis
Malware analysis
Malware analysis