Cloud security provider Zscaler has uncovered a fake Netflix app which, once downloaded, enables cyber criminals to take control of the device.
The app, which was available through a third-party app store, was actually a “well crafted” piece of spyware called SpyNote RAT (remote access Trojan), capable of performing functions such as executing commands on the device and activating the microphone to listen to conversations.
It could also take screen captures, view contacts, read SMS messages and copy files from the device to a Command & Control (C&C) centre.
Once installed, the fake app displays the same logo as the legitimate Netflix app from the Google Play Store. However, when it is opened for the first time, the icon actually disappears from the home screen, tricking the user into thinking that the app has been deleted.
Using the Services, Broadcast Receivers, and Activities components of the Android platform, SpyNote RAT keeps itself up and running, enabling it to continuously spy on its unsuspecting victims.
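The capabilities described above (microphone access, SMS and contact reading, file exfiltration, and persistence through a boot receiver and a background service) all leave traces in an app's manifest. The following triage script is an added example written for this article, not code from Zscaler or from the SpyNote analysis; it assumes the AndroidManifest.xml has already been decoded to plain XML (for instance by apktool), and the two manifests it inspects are constructed samples with placeholder package names. It scores a manifest on the combination of sensitive permissions, a BOOT_COMPLETED receiver, and declared services, so a defender can flag a "Netflix" APK whose manifest looks like a RAT rather than a video player.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names whose combination matches the spyware
# capabilities described in the article (mic, SMS, contacts, files, boot persistence).
SPYWARE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def _attr(element, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def _has_action(filter_parent, action_name):
    """True if any <intent-filter> under filter_parent declares the given action."""
    return any(_attr(a, "name") == action_name for a in filter_parent.iter("action"))


def triage_manifest(manifest_xml: str) -> dict:
    """Extract persistence and data-access indicators from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")

    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    matched = perms & SPYWARE_PERMISSIONS

    # A launcher activity is what gives the app its home-screen icon;
    # a hidden icon (as the fake Netflix app does) is a runtime change, not a manifest one.
    launcher = any(
        _has_action(act, "android.intent.action.MAIN")
        and any(_attr(c, "name") == "android.intent.category.LAUNCHER" for c in act.iter("category"))
        for act in app.iter("activity")
    )
    boot_receiver = any(_has_action(r, "android.intent.action.BOOT_COMPLETED") for r in app.iter("receiver"))
    services = [_attr(s, "name") for s in app.iter("service")]

    # Heuristic weighting (an assumption of this example): each sensitive permission
    # counts 1, a boot receiver 2, and any declared service 1.
    score = len(matched) + (2 if boot_receiver else 0) + (1 if services else 0)
    return {
        "package": root.get("package"),
        "spyware_permissions": sorted(matched),
        "has_launcher_activity": launcher,
        "has_boot_receiver": boot_receiver,
        "services": services,
        "risk_score": score,
    }


def is_suspicious(report: dict, threshold: int = 5) -> bool:
    """Flag a manifest whose indicator score reaches the (assumed) threshold."""
    return report["risk_score"] >= threshold


# Constructed sample: a fake streaming app with RAT-like permissions and persistence.
SUSPICIOUS_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakeflix">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Netflix">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".BackgroundService"/>
  </application>
</manifest>"""

# Constructed sample: a plain app that only needs network access.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Player">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for xml_text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(xml_text)
        print(report["package"], "suspicious" if is_suspicious(report) else "ok", report)
```

The score is only a first-pass filter: a legitimate messaging app will also hold SMS and contact permissions, so the point of the combination (boot receiver plus service plus microphone, in an app that claims to be a video player) is to prioritise which APKs get dynamic analysis, not to convict them on the manifest alone.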
“Command execution can create havoc for the victim if the malware developer decides to execute commands in the victim’s device,” writes Shivang Desai on the Zscaler blog. “Leveraging this feature, the malware developer can root the device using a range of vulnerabilities, well-known or zero-day.”
“Uninstalling apps is another function favoured by developers of Android spyware and malware. They tend to target any antivirus protections on the device and uninstall them, which increases the possibility of their malware persisting on the device.”
Desai notes that this particular malware targeting the hugely popular video-streaming app appeared to be “more robust” than most, as it was designed to only function over Wi-Fi.
He also warns that SpyNote RAT is “gaining popularity in the hacking community” and has been found targeting several other popular apps including WhatsApp, YouTube Video Downloader, Instagram and Facebook.
This is not the first time Netflix has been targeted by cyber criminals, as a phishing scam was recently discovered to be targeting credit card details and other personal information of users.