An Android malware is spreading through WhatsApp. It propagates itself through WhatsApp messages to other contacts in order to expand what appears to be an adware campaign.
“This malware spreads via victim’s WhatsApp by automatically replying to any received WhatsApp message notification with a link to [a] malicious Huawei Mobile app,” ESET researcher Lukas Stefanko said.
The link to the fake Huawei Mobile app, upon clicking, redirects users to a lookalike Google Play Store website.
Once installed, the wormable app prompts victims to grant it notification access, which is then abused to carry out the wormable attack.
Specifically, it leverages WhatApp’s quick reply feature — which is used to respond to incoming messages directly from the notifications — to send out a reply to a received message automatically.
Furthermore, in its current version, the malware code is capable of sending automatic replies only to WhatsApp contacts — a feature that could be potentially extended in a future update to other messaging apps that support Android’s quick reply functionality.
While the message is sent only once per hour to the same contact, the contents of the message and the link to the app are fetched from a remote server, raising the possibility that the malware could be used to distribute other malicious websites and apps.
“I don’t remember reading and analyzing any Android malware having such functionality to spread itself via whatsapp messages,” Stefanko told The Hacker News.
Stefanko said the exact mechanism behind how it finds its way to the initial set of directly infected victims is not clear; however, it’s to be noted the wormable malware can potentially expand from a few devices to many others incredibly quickly.
“I would say it could be via SMS, mail, social media, channels/chat groups etc,” Stefanko told The Hacker News.
If anything, the development once again underscores the need to stick to trusted sources to download third-party apps, verify if an app is indeed built by a genuine developer, and carefully scrutinize app permissions before installation.
But the fact the campaign cleverly banks on the trust associated with WhatsApp contacts implies even these countermeasures may not be enough.
Leave a Reply