Security Alert: Fake Netflix App Aids Phishing
A new Android phishing scheme posing as an unofficial Netflix app has been discovered outside of the official Android Market. The app asks for users’ Netflix usernames and passwords and sends them to a phishing server. The app was not posted to the Android Market, so the risk for most users is quite low.
The Threat
When the app is launched, the user is presented with a login dialog requesting an email address and password. Instead of submitting those credentials to Netflix, the app collects the credentials and sends them to a remote server. This server now appears to be offline and unavailable. The app then presents an error screen to the user indicating incompatibility with the device.
While it is possible that the developers of this app sought access to Netflix accounts, we find it unlikely that this was the actual goal of the phishing scheme. Given the tendency of people to use the same password across many different accounts, we speculate that the authors sought to gather email addresses along with passwords that could likely be used to gain access to other accounts such as email, Facebook, banking accounts and more.
Who Is Affected
The app seems to take advantage of the fact that the official Netflix Android application was not previously available for all Android devices. This app targets users who, because their device was unsupported by the official app, were looking for an alternative way to watch Netflix movies. The official Netflix application has been available for some time, but it could only be downloaded from the official Android Market on a restricted group of devices and platform versions, which Netflix said was due to wanting to provide the best possible experience for users.
With rumors circulating that the app actually does work on a broader range of platforms, users have extracted binaries and shared copies of the official application on Internet file sharing sites such as Mediafire.
How to Stay Safe
All Lookout users are already protected against this threat. If you have not downloaded an unofficial Netflix app outside of the Android Market, you are probably safe. If you believe you may have inadvertently downloaded this phishing app, you should change your Netflix password as well as the password on any other account that used that same password.
As always, we urge you to pay close attention to the apps you are downloading. Remember to:
- Only download applications from trusted sources, such as reputable application markets. Remember to look at the developer name, reviews, and star ratings.
- Always check the permissions an app requests. Use common sense to ensure that the permissions match the features the app provides.
- Be aware that unusual behavior on your phone or unexplained charges on your phone bill could be a sign that your phone is infected.
- Download a mobile security app for your phone that scans every app you download. Lookout users are automatically protected against this phishing app.
- Don’t share passwords across different logins. Create different passwords for all your online logins and avoid simplistic passwords, such as the last four digits of your phone number, or public information (birthday). As a general rule of thumb, if the passcode information may be available on Facebook—don’t use it for your code.











