S1103: FlixOnline
FlixOnline is an Android malware, first detected in early 2021, believed to target users of WhatsApp. FlixOnline primarily spreads via automatic replies to a device’s incoming WhatsApp messages.[1]
Analyst context for executives and security teams
FlixOnline matters because it shows how Android malware can turn a personal or managed mobile device into a propagation point through WhatsApp auto-replies. For leaders, the risk is not just one infected phone; it is loss of trust in messaging channels, potential exposure of notification or application data, and slower incident containment when mobile devices sit outside normal SOC visibility.
Executive priority
Prioritize this as a mobile security readiness issue for organizations that allow Android devices to access business communications or identity workflows. Executives should ask whether managed and BYOD Android devices are inventoried, whether risky app permissions and notification access are visible, and whether incident response can contain a mobile app that hides its icon or generates traffic from the victim device. Because ATT&CK provides no detection text for this object, coverage should be proven with local telemetry rather than assumed.
Technical view
Validate Android-focused monitoring against the related behaviors: Stored Application Data, GUI Input Capture, Access Notifications, Broadcast Receivers, Suppress Application Icon, and Generate Traffic from Victim. SOC and IR teams should confirm they can identify suspicious Android apps, permission grants, notification access, launcher-icon suppression, broadcast receiver persistence patterns, and unusual outbound messaging or web traffic. Relationship context and the official description specifically support attention to WhatsApp auto-reply propagation, but ATT&CK does not provide tactics or detection logic for this malware entry.
Likely telemetry
- Android MDM/EMM inventory of installed packages and application metadata
- App permission grants, especially notification access and other high-risk mobile permissions where available
- Mobile EDR or device logs showing broadcast receiver registration or event-triggered execution
- Launcher/application inventory showing installed apps that are not visible to the user
- Network, proxy, DNS, or mobile security telemetry for unusual outbound traffic from Android devices
Detection direction
- Do not rely on the ATT&CK object for ready-made analytics; official detection is not provided.
- Build validation around behavior clusters: unexpected messaging activity, notification access, hidden app presence, and event-triggered execution.
- Tune carefully for legitimate Android apps that use notifications, broadcast receivers, or background traffic.
- Check blind spots on BYOD devices, unmanaged Android endpoints, and environments where WhatsApp activity is not logged or visible to security teams.
- Use relationship context to test whether mobile monitoring can surface T1409, T1417.002, T1517, T1624.001, T1628.001, and T1643-style activity.
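As an added illustration of the "behavior clusters" above (not code from the page or from MITRE), the script below triages a decompiled AndroidManifest.xml for the manifest-visible counterparts of the related techniques: a `BOOT_COMPLETED` receiver (T1624.001), a bound `NotificationListenerService` (T1517), the overlay permission (T1417.002) and a missing launcher entry (T1628.001). The sample manifest is constructed for the example; runtime icon hiding is not visible in a manifest, so the last check is only a partial signal.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not a real FlixOnline artifact). It declares
# the manifest-level indicators that map to the techniques discussed above.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

NLS_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def triage_manifest(xml_text):
    """Map ATT&CK technique IDs to the manifest evidence found for them.
    An empty dict means no manifest-level indicator was flagged."""
    root = ET.fromstring(xml_text)
    name = ANDROID_NS + "name"
    perms = {p.get(name) for p in root.iter("uses-permission")}
    actions = {a.get(name) for a in root.iter("action")}
    categories = {c.get(name) for c in root.iter("category")}
    findings = {}
    if "android.intent.action.BOOT_COMPLETED" in actions:
        findings["T1624.001"] = "receiver registered for BOOT_COMPLETED"
    if any(s.get(ANDROID_NS + "permission") == NLS_PERM for s in root.iter("service")):
        findings["T1517"] = "service bound as NotificationListenerService"
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        findings["T1417.002"] = "overlay (SYSTEM_ALERT_WINDOW) permission requested"
    if "android.intent.category.LAUNCHER" not in categories:
        # Manifest-only signal: an app can also hide its icon at runtime.
        findings["T1628.001"] = "no LAUNCHER activity declared (icon never shown)"
    return findings


if __name__ == "__main__":
    for tid, evidence in sorted(triage_manifest(SAMPLE_MANIFEST).items()):
        print(f"{tid}: {evidence}")
```

Run it against manifests pulled from an MDM/EMM export or from a decompiled APK; a single hit is common in legitimate apps, so the cluster of several hits on one package is the signal worth escalating.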
Mitigation priorities
- Maintain Android device inventory and define which devices may access business messaging, email, or identity workflows.
- Use managed app governance or allowlisting on corporate Android devices where feasible.
- Limit installation from untrusted sources and review high-risk permission grants, especially notification access.
- Prepare mobile IR playbooks for isolating devices, removing suspicious apps, preserving evidence, and validating whether credentials or sensitive notifications may have been exposed.
- Educate users to report unexpected WhatsApp replies or apps that appear to disappear after installation.
Analyst notes and limits
The supplied ATT&CK object identifies FlixOnline as Android malware first detected in early 2021 and believed to target WhatsApp users, primarily spreading through automatic replies to incoming WhatsApp messages. The strongest defensive value comes from validating mobile visibility and response processes across the related techniques rather than from malware-specific signatures.
ATT&CK provides no official detection guidance, no aliases, no tactics, and only Android as the supported platform for this malware object. Any conclusion about exposure, active exploitation, detection coverage, or business impact requires local device inventory, app telemetry, messaging context, and incident evidence.
FlixOnline
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1624.001 | Broadcast Receivers | FlixOnline may use the `BOOT_COMPLETED` action to trigger further scripts on boot. [1] |
| Mobile | T1409 | Stored Application Data | FlixOnline can steal data from a user’s WhatsApp account(s). [1] |
| Mobile | T1417.002 | GUI Input Capture | FlixOnline requests overlay permissions, which can allow it to create fake login screens for other apps. [1] |
| Mobile | T1628.001 | Suppress Application Icon | FlixOnline can hide its application icon. [1] |
| Mobile | T1643 | Generate Traffic from Victim | FlixOnline can automatically send replies to a user’s incoming WhatsApp messages. [1] |
| Mobile | T1517 | Access Notifications | FlixOnline requests access to the `NotificationListenerService`, which can allow it to manipulate a device's notifications. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ff99d48f5e12… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] checkpoint_flixonline_0421: Aviran Hazum, Bogdan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. Retrieved January 26, 2024.
[2] mitre-attack: MITRE ATT&CK, software entry S1103.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.