2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article shows you how to analyze an Android malware sample that automatically replies to WhatsApp messages. The content is concise and easy to follow, and it will definitely open your eyes. I hope you get something out of the detailed walkthrough in this article.
0x01 Overview
We recently found malware hidden in bogus applications on Google Play that spreads through users' WhatsApp messages. If a user downloads one of these bogus applications and inadvertently grants it the permissions it asks for, the malware can automatically reply to the victim's incoming WhatsApp messages using a payload received from its command and control (C&C) server. This unusual approach could let attackers conduct phishing attacks, spread disinformation, or steal credentials and data from the user's WhatsApp account, among other things.
As the mobile threat landscape evolves, attackers keep looking for new techniques to build and successfully distribute malware. In this case, our researchers found a novel malicious threat in the Google Play store that spreads through mobile users' WhatsApp conversations and can deliver further malicious content by automatically replying to incoming WhatsApp messages.
The researchers found the malware hidden in an application called "FlixOnline" on Google Play. The app is a bogus service that claims to let users watch Netflix content from around the world on their phones. Instead of showing Netflix content, the application's real purpose is to monitor the user's WhatsApp notifications and send automatic replies to incoming messages, using content received from a remote command and control (C&C) server.
The malware sends the following reply to the victim, baiting them with a free Netflix service:
"offer free Netflix Premium for 2 months, and get free Netflix Premium for 2 months anywhere in the world. Get [https:// bit.] ly / 3bDmzUw here immediately."
With this technique, attackers can perform a variety of malicious activities:
Spread more malware through malicious links
Steal data from a user's WhatsApp account
Propagate false or malicious messages to the user's WhatsApp contacts and groups
Blackmail users by threatening to send sensitive WhatsApp data or conversations to all their contacts
Figure 1 FlixOnline application on Google Play
0x02 Technical analysis
After the application is downloaded and installed from the Play Store, the malware starts a service that requests the "draw over other apps" (overlay), "ignore battery optimizations" and "notification access" permissions. These permissions serve the following purposes:
Overlay windows let a malicious application draw new windows on top of other applications. Malware often needs this to show fake "login" screens over other apps in order to steal the victim's credentials.
Ignoring battery optimizations prevents the malware from being shut down by the device's battery optimization routine, even after it has been idle for a long time.
The most significant permission is notification access, and more specifically the notification listener service. Once enabled, it lets the malware read every notification for messages delivered to the device and automatically act on them, such as dismissing a notification or replying to a received message.
Figure 2 FlixOnline permission request
Once the permissions are granted, the malware displays a login page it received from the C&C server and immediately hides its icon so that it cannot be removed easily. This is handled by a service that contacts the C&C server at regular intervals and updates the malware's configuration accordingly. The service can be started in several ways: for example, it is triggered when the application is installed, and by an alarm registered on the BOOT_COMPLETED action, which is broadcast after the device finishes booting.
Figure 3 and Figure 4. Service registration and BOOT_COMPLETED
The response from the C&C server contains a configuration with the following fields:
Figure 5. C&C communication and configuration parsing
With this in place, the malware has everything it needs to distribute its payload. In the onNotificationPosted callback it checks the package name of the application that posted the notification, and if that application is WhatsApp, it processes the notification.
Figure 5. Checking for WhatsApp notifications
First, the malware cancels the notification to hide it from the user and reads the title and text of the received notification. Next, it searches the notification for the inline-reply action, which it uses to send a reply containing the payload received from the C&C server.
Figure 6 Notification processing
Figure 7 search for inline reply components
Figure 8 send a reply
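As an added example (not code from the original article or from the researchers' analysis), the following Python script performs a defender's static triage for the two behaviours described above: the permission combination requested at install time (overlay, ignore battery optimizations, notification listener, BOOT_COMPLETED persistence) and the notification-hijacking flow (onNotificationPosted, cancelling the notification, inline reply via RemoteInput, WhatsApp as the target package). The permission, action and class names are real Android identifiers; the manifest and decompiled-source excerpts it scans are constructed samples, not artefacts from the FlixOnline app.

```python
"""Static triage helper for the permission set and notification-hijacking
indicators described above. Inputs are constructed samples, not the real APK."""
import re
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names behind the three requests the article describes.
PERMISSIONS_OF_INTEREST = {
    "overlay": "android.permission.SYSTEM_ALERT_WINDOW",
    "ignore_battery_opt": "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "boot_completed": "android.permission.RECEIVE_BOOT_COMPLETED",
}
LISTENER_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Code-level indicators of the onNotificationPosted -> cancel -> inline-reply flow.
CODE_INDICATORS = {
    "notification_listener": re.compile(r"extends\s+NotificationListenerService\b"),
    "cancel_notification": re.compile(r"\bcancelNotification\s*\("),
    "inline_reply": re.compile(r"\bRemoteInput\b"),
    "whatsapp_target": re.compile(r'"com\.whatsapp"'),
}


def analyze_manifest(manifest_xml: str) -> dict:
    """Return which manifest-level indicators are present."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = {key: perm in declared for key, perm in PERMISSIONS_OF_INTEREST.items()}
    # A notification listener is a <service> guarded by BIND_NOTIFICATION_LISTENER_SERVICE.
    findings["notification_listener_service"] = any(
        svc.get(ANDROID_NS + "permission") == LISTENER_PERMISSION
        for svc in root.iter("service")
    )
    # Boot persistence: a <receiver> whose intent-filter listens for BOOT_COMPLETED.
    findings["boot_receiver"] = any(
        act.get(ANDROID_NS + "name") == BOOT_ACTION
        for rcv in root.iter("receiver")
        for act in rcv.iter("action")
    )
    return findings


def analyze_code(source: str) -> dict:
    """Return which code-level indicators appear in decompiled source text."""
    return {key: bool(rx.search(source)) for key, rx in CODE_INDICATORS.items()}


def verdict(manifest_findings: dict, code_findings: dict) -> str:
    """Listener service + WhatsApp target + inline reply is the FlixOnline pattern."""
    if (manifest_findings["notification_listener_service"]
            and code_findings["whatsapp_target"]
            and code_findings["inline_reply"]):
        return "high"
    hits = sum(manifest_findings.values()) + sum(code_findings.values())
    return "medium" if hits >= 3 else "low"


# Constructed manifest mimicking the permission set described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakestream">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed decompiled-source excerpt that carries only the indicator names.
SAMPLE_SOURCE = """public class NotifService extends NotificationListenerService {
    public void onNotificationPosted(StatusBarNotification sbn) {
        if (!"com.whatsapp".equals(sbn.getPackageName())) return;
        cancelNotification(sbn.getKey());   // hide it from the user
        // ... locate the RemoteInput of the inline-reply action and post the C&C text
    }
}"""

# Constructed benign counterpart for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""
BENIGN_SOURCE = "public class Player { void play() { } }"

if __name__ == "__main__":
    for label, man, src in (("sample", SAMPLE_MANIFEST, SAMPLE_SOURCE),
                            ("benign", BENIGN_MANIFEST, BENIGN_SOURCE)):
        m, c = analyze_manifest(man), analyze_code(src)
        print(label, verdict(m, c), sorted(k for k, v in {**m, **c}.items() if v))
```

Run against the output of an APK decompiler, the manifest check alone is a useful first filter: a streaming app has no legitimate reason to bind a notification listener, draw over other apps and survive reboots at the same time, and the code indicators confirm whether the listener actually targets a messaging package and uses its inline-reply action.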
0x03 Analysis and summary
We responsibly disclosed the malicious application and the details of our research to Google, which quickly removed the application from the Play store. Over two months, the "FlixOnline" application was downloaded about 500 times.
This wormable Android malware uses a new and dangerous technique that lets it spread on its own and manipulate or steal data from trusted applications such as WhatsApp. It is worth stressing that users should be wary of download links or attachments received through WhatsApp or other messaging applications, even when the sender appears to be a trusted contact or messaging group. Users who are infected should remove the application from the device and then change their passwords.
That is how to analyze the Android malware that automatically replies to WhatsApp messages. Did you pick up the knowledge or skills? If you want to learn more skills or broaden your knowledge, you are welcome to follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.