A new variant of Android malware has been discovered luring users with the promise of free Netflix subscriptions. The malware, dubbed FlixOnline, disguises itself as a legitimate Netflix application.

What happened?

The fraudulent app lures victims with a promise of two months of premium Netflix subscription for free due to the pandemic. However, in reality, it is the malware-laden app spying and monitoring WhatsApp users.
  • The Check Point Research team has discovered this wormable mobile malware in the Google Play Store. After installation, the app asks for overlay permissions, along with Battery Optimization Ignore which stops a mobile device from automatically terminating the software to save power.
  • The malware-laden app can steal WhatsApp conversations data, spread false information, and auto-respond to incoming messages with malicious content through 1 messaging service.
  • Auto-responses to WhatsApp messages include a message promoting two months of free Netflix with a link. The link redirects the victim to a fake Netflix website that tries to obtain credit card details and credentials.

Moreover, FlixOnline requests notification permissions that give the malware access to notifications linked to WhatsApp communication, along with the ability to dismiss or reply to messages.

Additional Insights

Along with FlixOnline, there is other malware on the threat landscape disguising as utility apps to fool users.
  • A week ago, spyware was found pretending to be System Update, which could record audio, take photos, and access WhatsApp messages, among others.
  • Last month, researchers discovered a Clast82 dropper spreading via malicious apps on the Google Play store.


The prevalence of self-spreading wormable Android malware, such as FlixOnline, underscores the need for users to be extremely careful while opening links and downloading attachments received via WhatsApp. In addition, experts recommend avoiding messages from unknown sources.

Cyware Publisher