Sneaky App Masquerades as Netflix in Latest Android Malware Scare
A newly discovered malicious app in an Android user forum sneaks in by assuming the name of a trusted brand: Netflix. Once downloaded, the app will take the user's log-in and password info, then report that the app isn't compatible with the user's phone. One's Netflix credentials may not be particularly sensitive information, but it's possible the malware's authors have larger plans.
Oct 13, 2011 11:59 AM PT
A fake Netflix app for Android that steals users' data has popped up in an Android user forum, according to Symantec. [*Correction - Oct. 13, 2011] The security vendor has named it "Android.Fakeneflic."
The app consists of a splash screen followed by a log-in screen, which captures the victim's information and posts it to an outside server.
Here's where things get interesting: The server is apparently offline currently, so any data captured can't be sent to it.
Further, unlike other malware apps that autoload, this app must be manually downloaded. When users try to cancel the download, the app tries to uninstall itself.
None of this follows the typical MO of a malware app -- but perhaps there's method in that apparent madness.
Crazy Like a Fox
The server's probably been shut down, either because the malware authors are waiting for a better time to launch an attack or because they've already completed their attack and obtained what they need, Liam O Murchu, manager of operations at Symantec Security Response, told TechNewsWorld.
Alternatively, this could be merely a test run of the malware.
"Android.Fakeneflic certainly provides an example of what kind of scheme attackers could run with a fake mobile banking app, where instead of gathering somewhat innocuous log-in credentials, the thief could gather banking credentials or other sensitive financial information instead," O Murchu said.
Or perhaps the ISP nailed the attack to the ground.
"It's common for multiple malware packages to connect back to the same server," Wayne Huang, cofounder and CEO of Armorize Technologies, told TechNewsWorld.
"The server might've been discovered through the analysis of another malware package and therefore taken offline by the service provider," Huang added.
How the Fake Netflix App Works
The fake Netflix app is available in an Android user forum, O Murchu stated.
When users download it, the fake app requests multiple permissions just like a real app would, although Symantec said this is just a cover to add to the illusion that the app's genuine.
The victim will first see a splash screen, then a log-in screen into which victims enter their data, which will be sent to the server.
Once victims click on the "Sign in" button, a screen comes up telling them the app's incompatible with their current hardware and recommending that they install another version of the app to resolve the issue.
Users have to manually install the app. If they try to cancel the installation, the app tries to uninstall itself. Trying to prevent the uninstall process returns the victim to the screen with the hardware incompatibility message.
Sneaky Is as Sneaky Does
The fake Netflix app is perhaps more sophisticated than most of the malicious apps that have popped up in the past. Take the cancel button and automatic uninstall functionality, for example.
These come into play when victims are prompted to download an updated version of the app -- but that's after they have already entered their Netflix credentials on the log-in screen, O Murchu said.
"At that point, the malware has already gathered the targeted information," O Murchu explained. "It's possible the malware author intended for this to serve as a means for cleaning up the malware's tracks."
It appears the app only gathers a user's email address and Netflix password. That may not be particuarly valuable data per se, but some Netflix users may use the same log-in/password combo to log into other sites, not to mention their own email accounts.
Defending Against Fake Apps
Users should get a mobile security solution for protection, Symantec's O Murchu said.
Users should only download apps from marketplaces hosted by well-known legitimate vendors, and should pay attention to not only the app's name, but also the name of the app creator.
"If an app purports to be the legitimate version but lists a different author, there should be a definite red flag," O Murchu said.
Finally, check the access permissions requested for installation, O Murchu remarked. If they seem excessive, don't install the app.
Although incidents like this in the past have inspired critics to call on Google to tighten up its stance on Android development, the company has held fast to its open approach.
The fake Netflix app "showcases what may be a critical flaw in Google's open strategy," Rob Enderle, principal analyst at the Enderle Group, told TechNewsWorld.
"Netflix was an obvious choice because it wasn't available on Android at all until recently and still isn't available on many phones," Enderle added. "It is also one of the most desirable apps."
*ECT News Network editor's note - Oct. 13, 2011: In our original publication of this article, it is stated that the malicious app appears in Google's Android Market. In fact, according to Symantec, the app was spotted in an Android user forum.