Security firm Zscaler Inc. has found a fake Netflix app that installs a remote-access malware onto the devices of those who install it.
The app is a skinned version of the SpyNote RAT that can monitor a victim’s communications, including the ability to activate both a microphone and any built-in camera on an infected device.
In addition, SpyNote also uninstalls antivirus software, copies files from the device to the hacker’s server, views contacts, reads SMS messages and last, but certainly not least, can gain remote control of the infected device.
“The spyware in this analysis was portraying itself as the Netflix app. Once installed, it displayed the icon found in the actual Netflix app on Google Play,” Zscaler’s Shivang Desai explained in a blog post. “As soon as the user clicks the spyware’s icon for the first time, nothing seems to happen and the icon disappears from the home screen. This is a common trick played by malware developers, making the user think the app may have been removed. But, behind the scenes, the malware has not been removed; instead it starts preparing its onslaught of attacks.”
SpyNote RAT differs from similar forms of trojan viruses by using the unusual method of tapping into the Services, Broadcast Receivers, and Activities components of the Android platform, meaning that it is able to run operations in the background without the need for user interaction.
“Command execution can create havoc for [the] victim if the malware developer decides to execute commands in the victim’s device,” Desai added. “Leveraging this feature, the malware developer can root the device using a range of vulnerabilities, well-known or zero-day.”
Desai advises hat the best way to avoid becoming infected from fake apps that include SpyNote RAT is to avoid side-loading apps from third-party app stores and avoid the temptation to play games that are not yet available on Android.