So-called pirating apps have been around for years—and they have only gained popularity since covid-19 put us all indefinitely on the couch, phone in hand, awaiting a reason (that never comes) to stop streaming.
Well, not all pirating apps have your content-viewing interests in mind. Enter “FlixOnline.” Until recently, this app sat in Google’s Play Store, promising users the opportunity to gain free mobile access to Netflix from anywhere in the world, even if they didn’t have an account. Sounds too good to be true, right?
Yes, well, exactly.
FlixOnline, recently profiled by security firm Check Point Research, never actually let users binge Breaking Bad or whatever. Instead, the researchers say, it delivered a self-replicating worm onto their devices—the likes of which could potentially be used by hackers in phishing and data-theft operations.
According to researchers, the Flix wormable malware burrows into a phone by abusing its permissions, then uses a victim’s WhatsApp conversations to spread itself. As soon as you download it, Flix asks for access to a variety of your device’s controls. It then hijacks your WhatsApp and uses it to send spammy messages to people who message you. For instance, if your friend sends you, “Hey dude, whaddup,” Flix will secretly auto-reply for you, sending them a, uh, really subtle advertisement for its fake services:
“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE” [insert malicious link].
If your friend, lost in a confused fog—baffled by the fact that their pal of many years has transformed, overnight, into a robotic Netflix shill—happens to click on the link provided, they get directed to a website where they can download the app, and the malware replicates itself anew. Researchers say the site could easily serve as a way for hackers to steal a victim’s personal information. In truth, it’s hard to imagine most people being, let’s say, gullible enough to follow that last step, but then again, “123456" remains a popular password.
So, voila! A morality lesson about the ills of piracy, packed into a very, very stupid app—an app that does literally nothing except hijack your conversations with friends and loved ones to re-spawn its own daft, useless existence.
Of course, the access supplied by an app like this means a bad actor could definitely abuse it to do more than send annoying messages (they could steal your private information and thereby entrap you in an extortion scheme, for instance). Additionally, if the messages being sent to a victim’s contacts were modified to something other than a hacky Netflix ad, or additional malicious links were added to the hijacked WhatsApp messages, a person could have quite a mess on their hands. So, it’s not just an annoying app, but potentially dangerous, too.
Perhaps the worst thing here is that Flix sat in the Play Store for approximately two months, compromising about 500 devices, according to Check Point (the app has since been taken down). It’s another great example of how Google hasn’t always done an amazing job when it comes to weeding out bad apps being distributed on its platform.
“The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags,” said Aviran Hazum, manager of mobile intelligence at Check Point. He added that, while this specific malware campaign was halted, the same malware could be deployed again via a different fake app. So... be careful out there, my pirate friends. Remember: There’s no such thing as free content.