{
	"id": "31e09569-7f10-4828-bc83-0cf1c8ccbc5d",
	"created_at": "2026-04-06T00:11:54.63194Z",
	"updated_at": "2026-04-10T03:30:33.553645Z",
	"deleted_at": null,
	"sha1_hash": "3ddec1051f0665e592253ef9d2dbdab507368a6f",
	"title": "New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73014,
	"plain_text": "New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp - Check Point Research\r\nBy etal\r\nPublished: 2021-04-07 · Archived: 2026-04-05 13:31:49 UTC\r\nResearch by: Aviran Hazum, Bodgan Melnykov \u0026 Israel Wenik\r\nOverview\r\nCheck Point Research (CPR) recently discovered malware on Google Play hidden in a fake application that is\r\ncapable of spreading itself via users’ WhatsApp messages. If the user downloaded the fake application and\r\nunwittingly granted the malware the appropriate permissions, the malware is capable of automatically replying to\r\nvictim’s’ incoming WhatsApp messages with a payload received from a command-and-control (C\u0026C) server. This\r\nunique method could have enabled threat actors to distribute phishing attacks, spread false information or steal\r\ncredentials and data from users’ WhatsApp accounts, and more.\r\nGeneral\r\nAs the mobile threat landscape evolves, threat actors are always seeking to develop new techniques to evolve and\r\nsuccessfully distribute malware. In this specific campaign, Check Point’s researchers discovered a new and\r\ninnovative malicious threat on the Google Play app store which spreads itself via mobile users’ WhatsApp\r\nconversations, and can also send further malicious content via automated replies to incoming WhatsApp\r\nmessages.\r\nResearchers found the malware hidden within an app on Google Play called ’FlixOnline.’” The app is a fake\r\nservice that claims to allow users to view Netflix content from all around the world on their mobiles. 
However,\r\ninstead of allowing the mobile user to view Netflix content, the application is actually designed to monitor the\r\nuser’s WhatsApp notifications, and to send automatic replies to the user’s incoming messages using content that it\r\nreceives from a remote command and control (C\u0026C) server.\r\nThe malware sends the following response to its victims, luring them with the offer of a free Netflix service:\r\n“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2\r\nMonths of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE https://bit[.]ly/3bDmzUw.”\r\nUtilizing this technique, a threat actor could perform a wide range of malicious activities:\r\nSpread further malware via malicious links\r\nStealing data from users’ WhatsApp accounts\r\nSpreading fake or malicious messages to users’ WhatsApp contacts and groups (for example, work-related\r\ngroups)\r\nExtort users by threatening to send sensitive WhatsApp data or conversations to all of their contacts\r\nhttps://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/\r\nPage 1 of 8\n\nFigure 1 – FlixOnline application on Google Play\r\nTechnical Analysis\r\nWhen the application is downloaded from the Play Store and installed, the malware starts a service that requests\r\n‘Overlay’, ‘Battery Optimization Ignore’, and ‘Notification’ permissions. The purpose behind obtaining these\r\npermissions is:\r\nOverlay allows a malicious application to create new windows on top of other applications. 
This is usually\r\nrequested by malware to create a fake “Login” screen for other apps, with the aim of stealing victim’s\r\ncredentials.\r\nIgnore Battery Optimizations stops the malware from being shut down by the device’s battery optimization\r\nroutine, even after it is idle for an extended period.\r\nThe most prominent permission is the Notification access, more specifically, the Notification Listener\r\nservice. Once enabled, this permission provides the malware with access to all notifications related to\r\nmessages sent to the device, and the ability to automatically perform designated actions such as “dismiss”\r\nand “reply” to messages received on the device.\r\nFigure 2 – FlixOnline Permissions Request\r\nAfter the permissions are granted, the malware displays a landing page it receives from the C\u0026C server and\r\nimmediately hides its icon so the malware can’t be easily removed. This is done by a service that periodically\r\ncontacts the C\u0026C and updates the malware’s configuration accordingly.\r\nThe service can achieve these goals by using multiple methods. 
For instance, the service can be triggered by the\r\ninstallation of the application and by an Alarm registered in the BOOT_COMPLETED action, which is called after\r\nthe device has completed the boot process.\r\nFigures 3 \u0026 4 – Service registration, BOOT_COMPLETE\r\nThe response from the C\u0026C contains a configuration with the following fields:\r\nField | Purpose\r\nlanding_page | A URL to display to the victim after permission granting.\r\nmessage_inbox | The message to send as a reply to all incoming messages.\r\nmessage_limit | Unused; could potentially indicate an “upper limit” on the number of messages to send out.\r\ndelay | Unused.\r\nurl | Unused.\r\ndelay_browser | Delay before showing popup with specific URL.\r\nenable_browser | C\u0026C check flag.\r\nenable_webview | Indicates which app to use to open the URL.\r\nwebview_url | The URL for the WebView popup activity.\r\nbrowser_url | URL for the browser popup.\r\nFigure 5 – Contact C\u0026C and configuration parsing\r\nOnce this is complete, the malware has everything needed to distribute the payload. With the\r\nonNotificationPosted callback, the malware checks for the package name of the originating application, and if that\r\napplication is WhatsApp, it will process the notification.\r\nFigure 5 – Check for WhatsApp notifications\r\nFirst, the malware cancels the notification to hide it from the user and reads the title and content of the notification\r\nreceived. 
Next, it searches for the component that is responsible for inline replies, which is used to send out the\r\nreply using the payload received from the C\u0026C server.\r\nFigure 6 – Notification processing\r\nFigure 7 – Searching for inline-reply component\r\nFigure 8 – Sending out the reply\r\nResponsible disclosure\r\nCheck Point Research responsibly notified Google about the malicious application and the details of its research,\r\nand Google quickly removed the application from the Play Store. Over the course of 2 months, the “FlixOnline”\r\napp was downloaded approximately 500 times.\r\nConclusion\r\nThis wormable Android malware features innovative and dangerous new techniques for spreading itself, and for\r\nmanipulating or stealing data from trusted applications such as WhatsApp. 
It highlights that users should be wary\r\nof download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear\r\nto come from trusted contacts or messaging groups.\r\nIf a user was infected, they should remove the application from their device, and change their passwords.\r\nStay protected from mobile threats\r\nCheck Point Harmony Mobile is the market-leading Mobile Threat Defense (MTD) solution, providing the widest\r\nrange of capabilities to help you secure your mobile workforce.\r\nHarmony Mobile provides protection for all mobile vectors of attack, including the download of malicious\r\napplications and applications with malware embedded in them.\r\nAppendix 1 – IOCs\r\nFlixOnline – 1d097436927f85b1ab9bf69913071abd0845bfcf1afa186112e91e1ca22e32df\r\nC\u0026C – netflixwatch[.]site\r\nPackage Name – com.fab.wflixonline\r\nCertificate – BEC2C0448558729C1EDF4E45AB76B6A3EE6E42B7\r\nSource: https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/"
	],
	"report_names": [
		"new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434314,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ddec1051f0665e592253ef9d2dbdab507368a6f.pdf",
		"text": "https://archive.orkl.eu/3ddec1051f0665e592253ef9d2dbdab507368a6f.txt",
		"img": "https://archive.orkl.eu/3ddec1051f0665e592253ef9d2dbdab507368a6f.jpg"
	}
}