Fake Netflix App with Malware Can Hack Victim’s Device

La Habra, United States – August 2, 2016: Macro closeup image of Netflix app icon among other icons on an iphone smartphone device.

In recent years, the number of mobile device users has increased considerably. However, this has also resulted in the increase of malicious actors seeking to exploit vulnerabilities in mobile device usage.

Internet security researchers from ThreatLabZ have uncovered a false Netflix app that is capable of compromising smartphones. This malware primarily affects Android devices.

This development is especially worrying since Netflix is among the world’s most popular apps, with more than 44 million users in over 40 countries.

As such, the potential for malware infection and spread is incredibly high. The fake Netflix app is a tweaked version of the SpyNote Remote Access Trojan (RAT).

This type of malware is capable of several threatening functions. It enables the activation of a device’s microphone allowing for eavesdropping on user conversations, execution of commands on a device, recording of screen captures, viewing of messages and contact information, as well as file copying from a device to Command and Control centers.

It is important to note that the earlier version of the SpyNote RAT malware being employed in this case was leaked in underground hacking forums in 2016.

This followed the availability of the specific malware builder on the same platforms. Internet security experts at the time speculated that the malware would be used for distributed campaigns – it seems that this speculation was well-founded.The surface workings of the malware campaign are relatively straightforward.

Once an Android user download and clicks on the fake Netflix app, it immediately disappears from the panel into the background.This tricks the user into believing that the app has been removed or uninstalled.

The fake app’s icon is nearly identical to the genuine Netflix app icon. The user is left unaware that the malware is operating behind the scenes to facilitate its range of attacks.

Researchers have determined that the malware utilizes three key aspects of the Android operating system; Services, Broadcast Receivers, and Activities components.

They discovered a combination of various codes found in the malware that enables it to execute the attacks from the Command center.

SpyNote RAT is able to capture screen activities and record audio through the Android Media Projection Callback function, which is available on devices running Android version 5.0 and later (Lollipop).

The malware also steals SMS messages and contacts, where they are written in a local array and sent to a Command and Control center. SpyNote RAT malware is also capable of uninstalling apps on Android devices.

Cyber-criminals may use this function to uninstall any antiviruses on the devices, thus rendering them vulnerable to secondary malware attacks. This also ensures that the malware remains on the compromised devices unless manually removed.

SpyNote RAT was developed to function solely over Wi-Fi and is capable of several other notable functions.

It can enable and activate affected devices’ cameras and also gather data regarding their exact location – all of these functions clearly indicate that the spying capabilities of this malware are endless.

While the aforementioned SpyNote RAT builder is not yet available in the public domain, cyber threat researchers state that there are more than 120 versions of the malware; the leaked SpyNote RAT builder was used to develop these equally dangerous variants.


While the dangers posed by SpyNote RAT are quite worrying, prevention of its spread is quite simple since it relies on weakness on the users’ end.

For the aforementioned functions of the malware to be affected, a user has to grant the malware several permissions.

This means that the best solution is user education on the importance and aspects of internet security.

The first step is installing apps downloaded or purchased only from the official Google Play Store.

Acquiring apps from third-party or unknown sources always put smartphone users at risk of malware infection. In Android devices, this feature is turned off by default; smartphone users should ensure it stays that way at all times.

The latest Android versions have malware protection features such as SafetyNet and Verify Apps.

They allow devices to reject third party applications regardless of the permission status.

To ensure maximum protection, users should also ensure that their Android versions are regularly updated.

However, some malicious apps can find their way into legitimate sources like Google Play Store.

One way to detect the malicious app is by verifying the name of the developer. The fake Netflix app will bear a developer name that does not match the genuine one. It is also good practice to check the user reviews.

To get rid of this malware, users must delete all the files associated with the app and the app itself from the file manager menus.

Afterwards, investment in effective anti-malware software from industry leading vendors is strongly advised.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.