Comments by: Aviran Hazum, Manager of Mobile Intelligence at Check Point Software Technologies
The malware’s technique is fairly new and innovative. The technique here is to hijack the connection to WhatsApp by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager. The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags. Although we stopped one campaign of the malware, the malware family is likely here to stay. The malware may return hidden in a different app.
Play Store’s protections can only go so far. Phone users need a mobile security solution. Luckily, we detected the malware early, and we quickly disclosed it to Google – who also acted quickly. Users should be wary of download links or attachments that they receive via WhatsApp or other messaging apps, even when they appear to come from trusted contacts or messaging groups. If you think you’re a victim, I would immediately remove the application from my device, and proceed to change all my passwords.
Comments by: Jonathan Knudsen, Senior Security Strategist, at Synopsys Software Integrity Group
The malicious FlixOnline app illuminates the formidable challenges of the app ecosystem.
First, users trust the app store to keep them safe from malware. Unfortunately, keeping malicious content out of an app store is an endlessly complex game of whack-a-mole. One way app store operators can protect users is by analysing apps with software composition analysis, to understand the third-party components that were used in making an app. This helps identify out-of-date components with known vulnerabilities.
Because users trust the app store, they don’t scrutinise app permissions very carefully. In the case of FlixOnline, these permissions are a red flag: why would a video app need overlay permission? A recent research report, Peril in a Pandemic: The State of Mobile Application Security, found that many apps ask for permissions they don’t need. Whether the cause is ignorance or malice, nobody knows, but it is clear that there are holes in the app store safeguards and users’ understanding.
Finally, the FlixOnline incident reiterates a truth as old as humanity: nothing is free. Any app that appears to be free is going to be supported by advertising, data collection, legitimate payments, or outright theft. Consumers should remain skeptical and make sure they understand the price they are paying for “free” apps.
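The two comments above describe the same red flag from two angles: a notification-listener service that can read, dismiss and reply to WhatsApp notifications, and an overlay permission that a video app has no business requesting. The following is an added example (not code from either commenter, Check Point or Synopsys) of a small static manifest audit that a reviewer or app-store analyst could run over an APK's decoded `AndroidManifest.xml` to flag that combination. The manifest, the package name `com.example.streamflix`, and the per-category permission baseline are all constructed for illustration and are not FlixOnline's real manifest.

```python
"""Static audit of an Android manifest for the permission pattern described above.

Flags: permissions a given app category should not need, any service that binds
the notification listener (read/dismiss/reply to other apps' notifications),
and the high-risk combination of overlay + notification listener.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Hypothetical baseline: what a streaming/video app plausibly needs.
# A real reviewer would maintain these per category from observed benign apps.
BASELINE = {
    "video": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.WAKE_LOCK",
    },
}

# Constructed manifest modelled on the behaviour described in the comments;
# package name and component names are invented.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.streamflix">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
    <application android:label="StreamFlix">
        <activity android:name=".MainActivity"/>
        <service android:name=".NotifyService"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed benign counterpart for comparison.
CLEAN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application android:label="PlainPlayer">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package, set of requested permissions, list of listener services)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    # Manifest element tags are unnamespaced; only the android: attributes are.
    listeners = [
        s.get(NAME_ATTR)
        for s in root.iter("service")
        if s.get(PERMISSION_ATTR) == NOTIFICATION_LISTENER
    ]
    return root.get("package"), perms, listeners


def audit(xml_text, category):
    """Audit one manifest against the baseline for its declared category."""
    pkg, perms, listeners = parse_manifest(xml_text)
    findings = []
    for p in sorted(perms - BASELINE.get(category, set())):
        findings.append(f"unexpected permission for a {category} app: {p}")
    if listeners:
        findings.append("declares a NotificationListenerService: " + ", ".join(listeners))
    hijack_pattern = OVERLAY in perms and bool(listeners)
    if hijack_pattern:
        findings.append("overlay permission combined with notification listener")
    risk = "high" if hijack_pattern else ("medium" if findings else "low")
    return {"package": pkg, "risk": risk, "findings": findings}


if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("clean", CLEAN_MANIFEST)):
        report = audit(manifest, "video")
        print(f"{name}: {report['package']} risk={report['risk']}")
        for f in report["findings"]:
            print("  -", f)
```

Run against a real app, the input would be the manifest produced by a decoding tool such as `apktool`; the audit is deliberately static so it can sit in a review pipeline before an app is published or installed. The baseline drives the "unexpected permission" findings, so the interesting signal is the combination check, which does not depend on the category at all.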