Thursday 28th January 2021

BLOG: New Wormable Android Malware Spreading Through WhatsApp

A newly discovered piece of Android malware has been found to spread itself through WhatsApp messages to other contacts in order to expand what appears to be an adware campaign. This is according to ESET security researcher Lukas Stefanko, who published a short analysis of the malware's mechanisms.

The infected link to the fake Huawei Mobile app redirects users to a replica Google Play Store website. Once installed, the wormable app prompts users to grant notification access. Once this has been given, the app is able to carry out the wormable attack.

Specifically, it leverages WhatsApp's quick reply feature, which is used to respond to incoming messages directly from notifications, in order to send out a reply to a received message automatically.

The app also requests intrusive access to run in the background as well as to draw over other apps, meaning it can overlay any other application running on the device with its own window, which can be used to steal credentials and additional sensitive information.

The purpose of this functionality is to trick users into falling for an adware or subscription scam.

Furthermore, in its current version, the malware code is capable of sending automatic replies only to WhatsApp contacts, a feature that could potentially be extended in a future update to other messaging apps that support Android's quick reply functionality.

While the message is sent only once per hour to the same contact, the contents of the message and the link to the app are fetched from a remote server, raising the possibility that the malware could be used to distribute other malicious websites and apps. 

There is no clear indication of how this malware finds its way to the initial set of directly infected victims. The wormable malware has the potential to expand from a few devices to many others incredibly quickly.

The development of this malware reinforces the idea that new potential cyber threats are being created and are lurking. It shows the value of, and the need for, sticking to trusted sources when downloading third-party apps, verifying that an application has been created by a genuine developer, and scrutinising app permissions before installation. But the fact that the campaign cleverly banks on the trust associated with WhatsApp contacts implies even these countermeasures may not be enough.
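For security teams that want to check a device for the permission combination described above (notification access, draw over other apps, and an install that did not come from the Play Store), the following is an added example and not code from ESET's analysis. It parses the output of `adb shell settings get secure enabled_notification_listeners` and `adb shell pm list packages -i`; the overlay set is assumed to be collected separately (for example from `adb shell appops query-op SYSTEM_ALERT_WINDOW allow`), and all package names and sample outputs are constructed.

```python
# Added example: triage adb output for the risky permission combination.
# Package names and sample outputs below are constructed for illustration.
PLAY_STORE = "com.android.vending"

SAMPLE_LISTENERS = ("com.example.wearsync/.NotifService:"
                    "com.example.fakemobile/com.example.fakemobile.Listener")
SAMPLE_OVERLAY = {"com.example.fakemobile", "com.example.chatheads"}
SAMPLE_INSTALLERS = """\
package:com.example.wearsync  installer=com.android.vending
package:com.example.fakemobile  installer=null
package:com.example.chatheads  installer=com.android.vending
"""

def parse_listeners(raw):
    """Packages from the colon-separated ComponentName list (pkg/.Service)."""
    raw = raw.strip()
    if not raw or raw == "null":          # no listeners enabled
        return set()
    return {c.split("/", 1)[0] for c in raw.split(":") if c}

def parse_installers(raw):
    """Map package -> installer from `pm list packages -i` lines."""
    out = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        out[pkg.strip()] = rest.strip() or "null"
    return out

def triage(listeners_raw, overlay_pkgs, installers_raw, allowlist=frozenset()):
    """Return (package, reasons) for every app holding notification access."""
    installers = parse_installers(installers_raw)
    findings = []
    for pkg in sorted(parse_listeners(listeners_raw) - set(allowlist)):
        reasons = ["notification access"]
        if pkg in overlay_pkgs:
            reasons.append("draw over other apps")
        if installers.get(pkg, "null") != PLAY_STORE:
            reasons.append("not installed by Play Store")
        findings.append((pkg, reasons))
    return findings

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_LISTENERS, SAMPLE_OVERLAY, SAMPLE_INSTALLERS):
        level = "REVIEW" if len(reasons) == 3 else "info"
        print(f"[{level}] {pkg}: {', '.join(reasons)}")
```

An app that carries all three reasons is a candidate for manual review, not a confirmed infection; legitimate sideloaded apps can match as well.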

Many organisations are now unofficially using WhatsApp groups for communication, with the pandemic pushing them to find new ways to communicate with their teams. This increases the risk of organisations' data being accessed even where the target may be personal devices. Threat intelligence teams and security teams need to be aware of what technology is being used in order to advise employees of new threats.

This is another example of how threat actors have adapted their attack methods during the pandemic, as they observe how users have changed the way they use technology. We reviewed a number of these risks in our Covid-19 series.  
