ESET security researcher Lukas Stefanko has reported new Android malware: a worm that spreads automatically through WhatsApp messages.
The main purpose of the malware is to trick users into adware or subscription scams.
The link to the fake Huawei Mobile app redirects users to a site that closely resembles the Google Play Store. Once installed on a device, the malicious application requests access to notifications, which it uses to carry out the attack. In particular, it is interested in the WhatsApp Quick Reply feature, which is used to reply to incoming messages directly from notifications.
In addition to reading notifications, the app also requests permissions to run in the background and to draw on top of other apps, that is, to overlay any other app running on the device with its own window, which can be used to steal credentials.
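As an added example (not from the researcher's report or the original article), here is a static triage check over a decoded AndroidManifest.xml that flags the capability combination described above: a notification listener service, the overlay permission, and a background-execution permission. The sample manifests and package names are constructed, and mapping "run in the background" to the listed permissions is an assumption.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
LISTENER_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
# Assumption: "run in the background" is modelled with these permissions.
BACKGROUND = {"android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
              "android.permission.FOREGROUND_SERVICE",
              "android.permission.RECEIVE_BOOT_COMPLETED"}

def triage_manifest(manifest_xml):
    """Report which of the three capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name")
                 for tag in ("uses-permission", "uses-permission-sdk-23")
                 for e in root.iter(tag)}
    # A notification listener is a <service> guarded by the listener bind permission.
    listeners = [s.get(A + "name") for s in root.iter("service")
                 if s.get(A + "permission") == LISTENER_BIND]
    result = {"package": root.get("package"),
              "notification_listeners": listeners,
              "overlay": OVERLAY in requested,
              "background": sorted(requested & BACKGROUND)}
    # Flag only when all three capabilities are declared together.
    result["matches_pattern"] = bool(
        listeners and result["overlay"] and result["background"])
    return result

# Constructed sample manifests (hypothetical package names), not real samples.
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakemobile">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".NotifyService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".SyncService"/></application>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(triage_manifest(sample))
```

A match is a reason to inspect the app further, not proof of malice: legitimate apps can declare the same combination.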
Although the message is sent to the same contact only once an hour, the message content and the link to the application are retrieved from a remote server, which means that the malware can be used to spread other malicious sites and applications.
According to the researcher, it was not possible to establish how the initial infection occurs. It should be noted, however, that worm malware can spread incredibly quickly from multiple devices to many others via SMS, email, social media posts, channels/chat groups, etc.
It should also be noted that more than 30 million WhatsApp users have abandoned the messenger since the beginning of the year. This was reported by the British edition of The Guardian.
The ongoing mass departure of users from WhatsApp is attributed to a poorly prepared update of the platform's terms of service, journalists say. Many saw in the new terms an impending end to the confidentiality of correspondence, tied to the messenger's provision of data to its parent company Facebook, whose management has lost the trust of users.
The changes to WhatsApp's terms of service were initially supposed to take effect on February 8. However, after the number of users began to decline rapidly, their introduction was postponed to 15 May.