Cybercriminals deploy malware via WhatsApp to hack Android devices

A recent security report details the detection of a new malware variant for Android devices deployed automatically via instant messaging platforms, mainly WhatsApp.

According to Lukas Stefanko, author of the security report, the goal of the operators is to trick users into installing adware on their systems or to expose them to unauthorized subscription scams: “The malware is deployed via services like WhatsApp, forcing the app to automatically respond to any message containing a link to a malicious version of Huawei Mobile”, the researcher mentions.

This link redirects users to a site that looks similar to the official Google Play Store, where they are asked to download a malicious app. The app asks for notification access, a critical factor in deploying a successful attack. The attack focuses on WhatsApp’s quick reply feature, which is used to respond to an incoming message directly from the notification bar. Below is an example of how the malware is deployed via messaging applications.

[Image: whatsapp25012021.jpg]

In addition to accessing system notifications, this malicious application also requests permission to run in the background and modify settings of other applications, which could lead to the theft of authentication credentials. Analysis of an earlier version found that the application code may send automatic responses to the victim’s WhatsApp contacts; however, Stefanko believes that later versions of this malware will be able to send responses through other Android applications that have settings similar to those of WhatsApp.
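Because the attack depends on a sideloaded app holding notification access, a device audit can list which packages have that access and where they were installed from. The following is an added example, not part of the report: it parses text captured with `adb shell settings get secure enabled_notification_listeners` and `adb shell pm list packages -i`, the sample values and `com.example.*` package names are constructed, and treating only the Play Store as a trusted installer is an assumption.

```python
# Added example: flag apps with notification-listener access that were not
# installed by a trusted store. Sample input below is constructed.

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only

# Constructed value of the enabled_notification_listeners secure setting:
# colon-separated components in the form package/class.
SAMPLE_LISTENERS = (
    "com.example.wearcompanion/.NotificationRelay:"
    "com.example.hmobile/com.example.hmobile.NotifService"
)
# Constructed `pm list packages -i` output (hypothetical packages).
SAMPLE_PACKAGES = """\
package:com.example.wearcompanion  installer=com.android.vending
package:com.example.hmobile  installer=null
package:com.example.notes  installer=com.android.vending
"""


def listener_packages(setting_value):
    """Return the package names found in the listener setting value."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {c.split("/", 1)[0] for c in value.split(":") if c}


def installers(pm_output):
    """Map package name -> installer (None when the device reports null)."""
    result = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition(" ")
        installer = rest.strip().partition("installer=")[2] or "null"
        result[name] = None if installer == "null" else installer
    return result


def suspicious_listeners(setting_value, pm_output):
    """Packages with notification access and no trusted installer on record."""
    source = installers(pm_output)
    return sorted(p for p in listener_packages(setting_value)
                  if source.get(p) not in TRUSTED_INSTALLERS)


if __name__ == "__main__":
    for pkg in suspicious_listeners(SAMPLE_LISTENERS, SAMPLE_PACKAGES):
        print("review notification access:", pkg)
```

A flagged package is a candidate for manual review, not proof of infection; legitimately sideloaded apps will also appear.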

Automatic replies are sent to the same contact once an hour, although the content of the message and the malicious link are retrieved from a remote server; in other words, the malware can be used to spread other malicious websites and applications. Stefanko also mentions that he found it impossible to determine exactly how the initial infection occurs, although he mentions that there are multiple possibilities: “It all starts with sending text messages, emails, social media posts, using chat groups, among other options.”
