The wormable malware spread from Android to Android by sending messages offering free Netflix Premium for 60 days.

According to a Check Point Research analysis released on Wednesday the malware masqueraded as an app called “FlixOnline” which advertised via WhatsApp messages promising “2 Months of Netflix Premium Free Anywhere in the World for 60 days.” But once installed the malware sets about stealing data and credentials.

However instead of allowing the mobile user to view Netflix content the application is actually designed to monitor users WhatsApp notifications sending automatic replies to a users incoming messages using content that it receives from a remote server

After the permissions are granted the malware displays a landing page it receives from the command and control server (C2) and it deletes its icon off the home screen. From there it periodically pings the C2 for configuration updates. “The service can achieve these goals by using multiple methods” according to the analysis.