Android users should watch out for new wormable malware that spreads through WhatsApp and lures the prospective victims into downloading an app from a website masquerading as Google Play. ESET malware researcher Lukas Stefanko looked under the hood of this Android nasty.

“This malware spreads via the victim's WhatsApp, automatically replying to any WhatsApp message notification with a link to a fake and malicious Huawei Mobile app,” said Stefanko. The malware, which was first reported by Twitter user @ReBensk, appears to be mainly intended to generate fraudulent advertising revenue for its operators.

In order to install the malicious app, users are prompted to allow the installation of apps from places other than the official Google Play store, thus removing a key – and enabled-by-default – security precaution on Android devices.

Once the installation process is completed, the app goes on to request a number of permissions, including Notification Access, which in combination with Android’s Direct Reply function is used to achieve wormability.

“Combining these two features, the malware can effectively respond with a custom message to any received WhatsApp notification message,” said Stefanko. The malware then waits in the background for a WhatsApp notification; when one arrives, it fetches the reply from the attacker’s server and sends it through Direct Reply, which is how the malicious link reaches the victim’s contacts.

The malicious app also requests other permissions, including permission to draw over other apps, which lets it place its own windows on top of any other application running on the device, and permission to ignore battery optimization, which lets it keep running in the background and prevents the system from killing it off even if it starts draining the device’s power and resources.
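The combination just described (Notification Access to read and reply to WhatsApp notifications, draw-over-apps, ignore-battery-optimizations, and an install from outside Google Play) is something an analyst can look for on a device. The script below is an added example, not ESET’s code and not taken from the malware: it parses the value of the Android secure setting `enabled_notification_listeners` and the “requested permissions” section of `dumpsys package` output, then flags packages that hold notification access together with the other indicators. All input is constructed inline to mimic that output; the package names and the `com.example.fakehuawei` identifier are invented for the example.

```python
"""Triage helper for the permission combination described in the article.

Added example (not ESET's or the malware's code). The sample strings below are
CONSTRUCTED to resemble the output of
  adb shell settings get secure enabled_notification_listeners
and the relevant lines of
  adb shell dumpsys package <pkg>
A practitioner would paste real output in their place.
"""
from __future__ import annotations
import re

# Constructed sample of the secure setting: components separated by ':'.
ENABLED_LISTENERS = (
    "com.android.messaging/com.android.messaging.NotificationListener:"
    "com.example.fakehuawei/com.example.fakehuawei.NotifSvc"
)

# Constructed, trimmed-down dumpsys excerpts keyed by package name.
DUMPSYS_SAMPLES = {
    "com.android.messaging": """\
Package [com.android.messaging] (a1b2c3):
  installerPackageName=com.android.vending
  requested permissions:
    android.permission.READ_SMS
    android.permission.POST_NOTIFICATIONS
  install permissions:
    android.permission.READ_SMS: granted=true
""",
    "com.example.fakehuawei": """\
Package [com.example.fakehuawei] (d4e5f6):
  installerPackageName=null
  requested permissions:
    android.permission.INTERNET
    android.permission.SYSTEM_ALERT_WINDOW
    android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
  install permissions:
    android.permission.INTERNET: granted=true
""",
}

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend for OEM stores
INDICATOR_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over apps",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "ignore battery optimization",
}


def notification_listener_packages(setting_value: str) -> set[str]:
    """Return the package names enrolled as notification listeners."""
    pkgs = set()
    for component in setting_value.split(":"):
        component = component.strip()
        if component:
            pkgs.add(component.split("/", 1)[0])
    return pkgs


def parse_dumpsys(text: str) -> tuple[str | None, set[str]]:
    """Extract installer package and requested permissions from a dumpsys excerpt."""
    m = re.search(r"installerPackageName=(\S+)", text)
    installer = m.group(1) if m and m.group(1) != "null" else None
    perms: set[str] = set()
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("requested permissions:"):
            in_section = True
            continue
        if in_section:
            if not line or line.endswith(":"):  # next section header ends the list
                break
            perms.add(line)
    return installer, perms


def triage(listeners_setting: str, dumpsys_by_pkg: dict[str, str]) -> dict[str, list[str]]:
    """Return {package: [indicators]} for packages that have notification access
    plus at least one further indicator from the article's description."""
    listeners = notification_listener_packages(listeners_setting)
    findings: dict[str, list[str]] = {}
    for pkg, text in dumpsys_by_pkg.items():
        if pkg not in listeners:
            continue  # the worm behaviour needs Notification Access; skip the rest
        installer, perms = parse_dumpsys(text)
        reasons = ["notification access"]
        reasons += [label for perm, label in INDICATOR_PERMS.items() if perm in perms]
        if installer not in TRUSTED_INSTALLERS:
            reasons.append("sideloaded")
        if len(reasons) > 1:
            findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(ENABLED_LISTENERS, DUMPSYS_SAMPLES).items():
        print(f"{pkg}: {', '.join(reasons)}")
```

A package that only holds notification access (a legitimate messaging client, say) is not reported; the script is meant to shortlist apps for manual review, not to make a verdict on its own.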


“The worm spreads via messages to WhatsApp contacts only when the last received message by the victim was sent more than an hour ago,” Stefanko explained, adding that he believes that this is done so as not to raise suspicion among the victim’s contacts, since receiving a link as a response to every message might cause alarm.

Currently, the app seems mainly to be used in an adware or subscription scam campaign, although it could be used to do worse. “This malware could possibly distribute more dangerous threats since the message text and link to the malicious app are received from the attacker’s server. It could simply distribute banking trojans, ransomware, or spyware,” said Stefanko.

To protect yourself, the best course of action would be to avoid clicking on any suspicious links, only download apps from Google Play, and use a reputable security solution.