ESET security researcher Lukas Stefanko reported a new malware for Android devices automatically spreading via WhatsApp messages. The main purpose of malware is to trick users into adware or subscription scams.

"The malware spreads through the victim's WhatsApp by automatically replies to any received WhatsApp messages with a link to malicious Huawei Mobile app," Stefanko said.

The link to the fake Huawei Mobile app redirects users to a lookalike Google Play Store website. Once installed on a device, a malicious application prompts access to notifications. In particular, he is interested in the WhatsApp Quick Reply feature, which is used to respond to incoming messages directly from the notifications.

Besides requesting permissions to read notifications, the app also requests permissions to run in the background as well as to draw over other apps - overlay any other app running on the device with its own window that can be used to steal credentials.

In its current version, the malicious code is capable of sending automatic replies only to WhatsApp contacts of the victim's, but in future versions, it may be possible to send replies in other applications that support the quick replies feature in Android.

While the message is sent only once per hour to the same contact, the message content and the link to the application are fetched from a remote server, which means that malware could be used to distribute other malicious sites and applications.

According to the researcher, it was not possible to establish how the initial infection occurs. It should be noted, however, that worm malware can expand from a few devices to many others incredibly quickly via SMS, email, social media messages and more.

Source: securitylab.ru