The wormable malware spread from Android to Android by sending messages offering free Netflix Premium for 60 days.

Malware disguised as a Netflix app, lurking on the Google Play store, spread through WhatsApp messages, researchers have discovered.

According to a Check Point Research analysis released on Wednesday, the malware masqueraded as an app called “FlixOnline,” which advertised via WhatsApp messages promising “2 Months of Netflix Premium Free Anywhere in the World for 60 days.” But once installed, the malware sets about stealing data and credentials.

The malware was designed to listen for incoming WhatsApp messages and automatically respond to any that the victims receive, with the content of the response crafted by the adversaries. The responses attempted to lure others with the offer of a free Netflix service, and contained links to a fake Netflix site that phished for credentials and credit card information, researchers said.

“The app turned out to be a fake service that claims to allow users to view Netflix content from around the world on their mobiles,” according to the analysis. “However, instead of allowing the mobile user to view Netflix content, the application is actually designed to monitor a user’s WhatsApp notifications, sending automatic replies to a user’s incoming messages using content that it receives from a remote server.”

The malware was also able to self-propagate, sending messages to users’ WhatsApp contacts and groups with links to the fake app. To that end, the automated messages read, “2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE [Bitly link].”

Over the course of two months that the app was live on Google Play, the malware racked up 500 victims, according to Check Point. The firm alerted Google to the malware, which took the app down. However, “the malware family is likely here to stay and may return hidden in a different app,” researchers warned.

“The malware’s technique is fairly new and innovative,” Aviran Hazum, manager of Mobile Intelligence at Check Point, said in the analysis. “The technique here is to hijack the connection to WhatsApp by capturing notifications, along with the ability to take predefined actions, like ‘dismiss’ or ‘reply’ via the Notification Manager. The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags.”