FlixOnline is an Android malware, first detected in early 2021, believed to target users of WhatsApp. FlixOnline primarily spreads via automatic replies to a device’s incoming WhatsApp messages.[1]

ID: S1103
Platforms: Android
Version: 1.0
Created: 26 January 2024
Last Modified: 19 March 2024

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1517 | Access Notifications | FlixOnline requests access to the NotificationListenerService, which can allow it to manipulate a device's notifications.[1] |
| Mobile | T1624.001 | Event Triggered Execution: Broadcast Receivers | FlixOnline may use the BOOT_COMPLETED action to trigger further scripts on boot.[1] |
| Mobile | T1643 | Generate Traffic from Victim | FlixOnline can automatically send replies to a user’s incoming WhatsApp messages.[1] |
| Mobile | T1628.001 | Hide Artifacts: Suppress Application Icon | FlixOnline can hide its application icon.[1] |
| Mobile | T1417.002 | Input Capture: GUI Input Capture | FlixOnline requests overlay permissions, which can allow it to create fake Login screens for other apps.[1] |
| Mobile | T1409 | Stored Application Data | FlixOnline can steal data from a user’s WhatsApp account(s).[1] |
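Three of the behaviours listed above (notification listener access, a BOOT_COMPLETED receiver, and the overlay permission) are declared in an app's manifest, so they can be checked statically during APK triage. The following is an added example, not part of the ATT&CK entry and not code from the malware; it assumes the manifest has already been decoded from binary XML to text, and the sample manifest, package name and component names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample manifest (hypothetical package and component names).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".Listener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <receiver android:name=".Boot">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage(manifest_xml):
    """Return sorted ATT&CK technique IDs whose manifest traits are declared."""
    root = ET.fromstring(manifest_xml)
    hits = set()
    # T1517: a service guarded by the notification-listener bind permission.
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == LISTENER_PERM:
            hits.add("T1517")
    # T1624.001: a broadcast receiver registered for BOOT_COMPLETED.
    for rcv in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in rcv.iter("action")}
        if BOOT_ACTION in actions:
            hits.add("T1624.001")
    # T1417.002: the overlay ("draw over other apps") permission is requested.
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    if OVERLAY_PERM in perms:
        hits.add("T1417.002")
    return sorted(hits)


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Each of these declarations also appears in legitimate apps, so the result is a triage signal for the combination rather than a verdict on any single hit.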