Newly discovered Android malware has been found to propagate itself through WhatsApp messages to other contacts in order to expand what appears to be an adware campaign.
“This malicious software spreads through the victim’s WhatsApp by automatically replying to any WhatsApp message notification received with a link to [a] malicious app Huawei Mobile,” ESET researcher Lukas Stefanko said.
The link to the fake Huawei Mobile app, when clicked, redirects users to a lookalike Google Play Store site.
Once installed, the worm app prompts victims to grant it notification access, which is then abused to carry out the worm attack.
In particular, it leverages the WhatsApp quick reply feature, which is used to respond to incoming messages directly from the notifications, to automatically send a reply to a received message.
Aside from asking for permission to read notifications, the app also requests intrusive access to run in the background as well as to draw over other apps, which means the app can overlay any other program running on the device with its own window that can be used to steal credentials and additional sensitive information.
The purpose, according to Stefanko, is to trick users into falling for an adware or subscription scam.
Furthermore, in its current version, the malware code is capable of sending automatic replies only to WhatsApp contacts, a feature that could possibly be extended in a future update to other messaging apps that support Android’s quick reply functionality.
Although the message is sent only once to the same contact, the contents of the message and the link to the app are fetched from a remote server, raising the possibility that the malware could be used to distribute other malicious websites and apps.
“I don’t remember reading and analyzing any Android malware that has such a function to spread itself through WhatsApp messages,” Stefanko told The Hacker News.
Stefanko said the exact mechanism behind how it finds its way to the initial set of directly infected victims is unclear; however, it should be noted that wormable malware can spread from a few devices to many others incredibly fast.
“I’d say it could be through SMS, mail, social media, channels / chat groups etc,” Stefanko said.
If anything, the development again underlines the need to stick to trusted sources to download third-party apps, check whether an app is indeed built by a legitimate developer, and carefully scrutinize app permissions before installing it.
But the fact that the campaign is cleverly banking on the trust attached to WhatsApp links suggests that even these countermeasures may not be enough.
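The permission combination described above (notification access plus the right to draw over other apps, held by an app from outside a trusted store) can be audited on a device. The following is an added example, not code from ESET or from the original article; the package names and sample command output are constructed, and treating Google Play as the only trusted installer is an assumption.

```python
# Added example: flag apps that hold notification access, can draw over other
# apps, and were not installed by a trusted store. On a real device the inputs come from:
#   adb shell settings get secure enabled_notification_listeners
#   adb shell pm list packages -i -3
#   adb shell appops get <package> SYSTEM_ALERT_WINDOW
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

def notification_listeners(settings_value):
    """Packages in the colon-separated 'package/ServiceClass' listener list."""
    value = settings_value.strip()
    if value in ("", "null"):
        return set()
    return {c.split("/", 1)[0] for c in value.split(":") if c}

def installers(pm_output):
    """Map package -> installer from 'package:NAME  installer=SOURCE' lines."""
    result = {}
    for line in pm_output.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("package:"):
            continue
        source = next((f[len("installer="):] for f in fields[1:] if f.startswith("installer=")), "null")
        result[fields[0][len("package:"):]] = source
    return result

def overlay_allowed(appops_output):
    """True when appops reports SYSTEM_ALERT_WINDOW as allowed (output format may vary by Android version)."""
    for line in appops_output.splitlines():
        name, _, mode = line.partition(":")
        if name.strip() == "SYSTEM_ALERT_WINDOW":
            return mode.split(";")[0].strip() == "allow"
    return False

def audit(settings_value, pm_output, appops_by_package):
    """Return (package, installer, has_overlay) for notification listeners from untrusted sources."""
    sources = installers(pm_output)
    findings = []
    for pkg in sorted(notification_listeners(settings_value)):
        source = sources.get(pkg)
        if source is None or source in TRUSTED_INSTALLERS:
            continue  # not in the third-party list, or installed from a trusted store
        findings.append((pkg, source, overlay_allowed(appops_by_package.get(pkg, ""))))
    return findings

# Constructed sample data (hypothetical package names).
SAMPLE_LISTENERS = "com.example.wearsync/com.example.wearsync.NotifService:com.example.fakemobile/com.example.fakemobile.Listener"
SAMPLE_PACKAGES = "package:com.example.wearsync  installer=com.android.vending\npackage:com.example.fakemobile  installer=null\n"
SAMPLE_APPOPS = {"com.example.fakemobile": "SYSTEM_ALERT_WINDOW: allow"}
print(audit(SAMPLE_LISTENERS, SAMPLE_PACKAGES, SAMPLE_APPOPS))
```

A finding with overlay access set to True is the strongest signal; a sideloaded notification listener without overlay rights still merits a manual look.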