The Android app spreading the malware was downloaded from Google Play nearly 500 times over the course of two months, before it went offline.
The Android malware found by the researchers was of “wormable” nature
Photo Credit: Pixabay/ andrekheren
A new Android malware has been discovered that existed as an app on Google Play and is claimed to spread via WhatsApp conversations. Called FlixOnline, the app pretended to allow users to view global Netflix content. It was, however, designed to monitor the user's WhatsApp notifications and send automatic replies to their incoming messages with the content it receives from the hacker. Google pulled the app immediately from the Play store after the company was reached out to. However, it was downloaded hundreds of times before it got removed.
Researchers at threat intelligence firm Check Point Research discovered the FlixOnline app on Google Play. When the app is downloaded from the Play store and installed, the underlying malware starts a service that requests “Overlay,” “Battery Optimisation Ignore,” and “Notification” permissions, the researchers said in a press note.
The purpose of obtaining those permissions is believed to allow the malicious app to create new windows on top of other apps, stop the malware from being shut down by the device's battery optimisation routine, and gain access to all notifications.
Instead of enabling any legitimate service, the FlixOnline app monitors the user's WhatsApp notifications and sends an auto-reply message to all WhatsApp conversations that lures victims with free access to Netflix. The message also contains a link that could allow hackers to gain user information.
The “wormable” malware, which means that it can spread by itself, could spread further via malicious links and could even extort users by threatening to send sensitive WhatsApp data or conversations to all their contacts.
Check Point Research notified Google about the existence of the FlixOnline app and the details of its research. Google quickly removed the app from the Play store upon receiving the details. However, the researchers found that the app was downloaded nearly 500 times over the course of two months, before it went offline.
The researchers also believe that while the particular app in question was removed from Google Play after it was reported, the malware could return through another similar app in the future.
“The fact that the malware was able to be disguised so easily and ultimately bypass Play Store's protections raises some serious red flags. Although we stopped one campaign of the malware, the malware family is likely here to stay. The malware may return hidden in a different app,” said Aviran Hazum, Manager of Mobile Intelligence at Check Point, in a prepared quote.
The affected users are advised to remove the malicious app from their device and change their passwords.
It is important to note while the malware variant available through the FlixOnline app was designed to spread via WhatsApp, the instant messaging app doesn't include any particular loophole that allowed the circulation of malicious content. Instead, the researchers found that it was Google Play that wasn't able to restrict access to the app at first glance — despite using a mix of automated tools and preloaded protections including Play Protect.
What is the best phone under Rs. 15,000 in India right now? We discussed this on Orbital, the Gadgets 360 podcast. Later (starting at 27:54), we speak to OK Computer creators Neil Pagedar and Pooja Shetty. Orbital is available on Apple Podcasts, Google Podcasts, Spotify, and wherever you get your podcasts.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.