S1103 FlixOnline
FlixOnline is Android malware, first detected in early 2021, that is believed to target users of WhatsApp. FlixOnline primarily spreads via automatic replies to a device’s incoming WhatsApp messages. [1]
| Item | Value |
|---|---|
| ID | S1103 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 26 January 2024 |
| Last Modified | 19 March 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1517 | Access Notifications | FlixOnline requests access to the NotificationListenerService, which can allow it to manipulate a device’s notifications. [1] |
| mobile | T1624 | Event Triggered Execution | - |
| mobile | T1624.001 | Broadcast Receivers | FlixOnline may use the BOOT_COMPLETED action to trigger further scripts on boot. [1] |
| mobile | T1643 | Generate Traffic from Victim | FlixOnline can automatically send replies to a user’s incoming WhatsApp messages. [1] |
| mobile | T1628 | Hide Artifacts | - |
| mobile | T1628.001 | Suppress Application Icon | FlixOnline can hide its application icon. [1] |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.002 | GUI Input Capture | FlixOnline requests overlay permissions, which can allow it to create fake login screens for other apps. [1] |
| mobile | T1409 | Stored Application Data | FlixOnline can steal data from a user’s WhatsApp account(s). [1] |
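
Three of the behaviours in the table (notification listener access, a BOOT_COMPLETED receiver, and the overlay permission) are declared in an app's manifest, so they can be checked statically. The following triage script is an added example, not part of the ATT&CK entry or any vendor tooling; it assumes a manifest already decoded to text XML, and the sample manifest, package name and component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not taken from a real FlixOnline sample).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".Listener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Map technique IDs from the table to the manifest entries that match them."""
    root = ET.fromstring(xml_text.strip())
    findings = {}

    def actions(component):
        # All intent-filter action names declared under one component.
        return {a.get(ANDROID + "name") for a in component.iter("action")}

    for svc in root.iter("service"):
        bound = svc.get(ANDROID + "permission") == "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
        if bound or "android.service.notification.NotificationListenerService" in actions(svc):
            findings.setdefault("T1517", []).append(svc.get(ANDROID + "name"))
    for rcv in root.iter("receiver"):
        if "android.intent.action.BOOT_COMPLETED" in actions(rcv):
            findings.setdefault("T1624.001", []).append(rcv.get(ANDROID + "name"))
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        findings.setdefault("T1417.002", []).append("android.permission.SYSTEM_ALERT_WINDOW")
    return findings


if __name__ == "__main__":
    for technique, evidence in sorted(triage_manifest(SAMPLE_MANIFEST).items()):
        print(technique, evidence)
```

Each declaration on its own is common in legitimate apps, so treat the three together as a prompt for closer review rather than a verdict. Icon hiding and automatic replies happen at runtime and do not appear in the manifest.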