Fraudulent mobile applications are on the rise. One recent example is malware hidden in a fake application on the Google Play marketplace and capable of spreading itself via WhatsApp instant messages. If the victim grants the permissions it requests, the malware automatically retrieves a crafted payload from its C2 servers and disseminates it through WhatsApp messages.
This article covers how this kind of malware works, the techniques used by malicious actors and how to prevent it.
WhatsApp malware worm overview
In general, mobile devices are not as well protected as computers. The standard security controls used for workstations and servers are not in place on most mobile devices, so they are often not covered by firewalls, encryption, antivirus or endpoint detection and response.
However, these devices are often connected to cloud services, business email and other applications that put companies at risk.
Within this context, the Check Point Research team discovered malware on the Google Play marketplace with the capability of spreading itself by using the victim's WhatsApp messages. When it was submitted to the official marketplace, the malicious application was not flagged as malware and may have been downloaded and installed by approximately 500 users.
Figure 1: Malicious application available on