![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/04\/Fig1-650x248.png\")
<\/p>\nAutoreply is a convenient feature through which users can send a custom message as an automatic reply for unanswered incoming email, SMS, WhatsApp messages, and more. There are many applications on Google Play Store which offers such functionality.<\/p>\n
We have recently noticed malicious applications which are abusing this particular functionality.<\/p>\n
<\/p>\n
<\/p>\n
Fig 1 highlights samples of messages used by attackers to lure users into installing malicious apps<\/a>. In many cases, these messages come from a trusted contact (who is already infected). As a result, users are likely to consider the message legitimate and follow the mentioned steps. In this case, the message asks users to open a web link and download an application. To lure users further, the website displays lucrative offers such as Free Netflix, watch Free IPL, New feature in WhatsApp. (Refer Fig.2)<\/p>\n <\/p>\n <\/p>\n We recently analyzed two applications that are spreading through this mechanism – \u201cWhatsApp Pink\u201d and \u201cOnline stream.\u201d<\/p>\n <\/p>\n Once installed, these applications ask for notification access. After getting the permission, the application hides its icon from the users.<\/p>\n <\/p>\n These applications maintain a list they target for auto-replies of apps such as Facebook, Instagram, WhatsApp, Twitter, Telegram, Skype, Viber, etc. Till now, we have seen two variants of lists (refer to Fig.5). These applications have another string array that has text messages with a link to download the applications. One of the message strings is selected at random at runtime.<\/p>\n <\/p>\n After getting notification access, whenever a new notification is received, the callback function onNotificationPosted gets called. In this method, the package name of the application is checked.<\/p>\n There is an additional check for Android notification direct reply action (The direct reply action, introduced in Android 7.0 (API level 24)), allowing users to enter text directly into the notification.<\/p>\n <\/p>\n In onNotificationPosted<\/em> by accessing this action, instead of user input, this malware populates an intent with its own text data using RemoteInput.addResultsToIntent <\/em>method.<\/p>\n <\/p>\n Same actor Behind these two variants:<\/strong><\/p>\n Quick Heal<\/a> has collected 6 samples of the WhatsApp Pink application and 4 samples of the Online stream application. All these applications are signed with the same certificate. That likely means that the same malware author (or authors) is behind these malicious applications.<\/p>\n <\/p>\n For now, these applications have functionalities of hiding icon, monitoring notifications, and autoreply. In future, they may develop a new variant and add more malicious functionality.<\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/04\/Fig2-650x301.png\")
<\/p>\nFig.2 Application hosting site<\/strong><\/h6>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/04\/Fig3-650x102.png\")
<\/p>\nFig.3 Icons<\/strong><\/h6>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/04\/Fig4-361x390.jpeg\")
<\/p>\nFig.4 Asking Notification access<\/strong><\/h6>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/04\/Fig5-650x62.png\")
<\/p>\nFig.5 Target List<\/strong><\/h6>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/04\/Fig6-650x44.png\")
<\/p>\nFig. 6 onNotificationPosted function callback<\/strong><\/h6>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/04\/Fig7-650x190.png\")
<\/p>\nFig.7 Sending the message<\/strong><\/h6>\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/04\/Fig8-650x110.png\")
<\/p>\nFig. 8 Certificate Information<\/strong><\/h6>\n