MasterFred Banker – Netflix, Twitter, and Instagram Users Beware

When it comes to streaming Netflix or browsing news feeds on Twitter and Instagram, things are no longer chill and fun, courtesy of MasterFred.

The new Android banker has surfaced recently and it features fake login overlays for the services above as well as overlays for Polish and Turkish banks.

First discovered back in June 2021, this banking virus resurfaced about a week ago and is proving to be a huge threat. So, what is MasterFred and how is it implemented? Make sure you give this article a thorough read.

The New Malware – Netflix & Chill No More

A while ago, South Koreans fell victim to PhoneSpy, which harvests data from their Android device and can easily take full control of it.

Now, new malware is on the rise targeting Android devices yet again, as they’re more susceptible to such attacks.

Apparently, hackers have implemented the MasterFred malware within fake Android apps that look legit enough to resemble Netflix, Instagram, and Twitter.

Once the app is downloaded, users are prompted to sign in (the same as with any of the real services). They are also asked to enter their credit card details.

The malware was first discovered in June by malware analyst Alberto Segura. One week ago, in November, Segura shared a second sample online.

When he ran one of the apps through VirusTotal, nothing seemed out of the ordinary. In fact, it was pretty clean.

According to Avast researchers, the built-in Android Accessibility service provides the APIs to display the malicious overlays.

Such practices are not new to the malware scene. Several previous attacks abused the Accessibility service, which allows attackers to navigate the Android UI to install payloads and to download and install other malware.

To shed more light on MasterFred, take a look below at what Alberto Segura also posted:

Avast Threat Labs thanked Alberto Segura for his discovery. They also added the following statement on Twitter:

“By utilizing the Application Accessibility toolkit installed on Android by default, the attacker is able to use the application to implement the Overlay attack to trick the user into entering credit card information for fake account breaches on both Netflix and Twitter.”

Now that everything is in place, the attackers start to act. The malware uses a dark web gateway (aka Tor2Web proxy) to send the stolen information to Tor network servers under its operator’s control.
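A defender-side check for the exfiltration channel described above, as an added example that is not from the article, Avast, or Segura: it flags proxy-log requests whose hostname embeds an onion address followed by a clearnet gateway suffix. The log format, the `gateway.example` domain, the sample addresses, and the function names are constructed assumptions; the article does not name the gateways MasterFred uses.

```python
import re
from urllib.parse import urlsplit

# Onion service names are base32 labels: 16 chars (v2) or 56 chars (v3).
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")

def onion_via_gateway(host):
    """Return '<addr>.onion' if host is '<addr>.onion.<gateway domain>', else None."""
    labels = host.lower().rstrip(".").split(".")
    # Require at least one label after 'onion': a bare <addr>.onion is native
    # Tor traffic, not a request relayed through a clearnet gateway.
    for i in range(len(labels) - 2):
        if ONION_LABEL.match(labels[i]) and labels[i + 1] == "onion":
            return labels[i] + ".onion"
    return None

def scan(lines):
    """Return (timestamp, client, host, onion) for each request sent via a gateway."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or truncated lines
        ts, client, _method, url = parts[:4]
        host = urlsplit(url).hostname or ""
        onion = onion_via_gateway(host)
        if onion:
            hits.append((ts, client, host, onion))
    return hits

# Constructed sample data: hypothetical onion addresses and proxy-log lines
# in an assumed "timestamp client method url status" format.
V2 = "abcdefghijklmnop"
V3 = "b2c3d4e5" * 7
SAMPLE_LOG = [
    f"2021-11-10T09:14:02Z 10.0.4.17 POST https://{V2}.onion.gateway.example/api 200",
    "2021-11-10T09:14:05Z 10.0.4.22 GET https://www.netflix.com/browse 200",
    f"2021-11-10T09:15:41Z 10.0.4.17 POST https://{V3}.onion.gateway.example/c 200",
    "2021-11-10T09:16:00Z 10.0.4.30 GET https://onion.example.org/news 200",
    "truncated line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on the shape of the hostname rather than a fixed gateway list keeps the check useful when operators switch gateways.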

According to Avast, at least one of the malicious apps bundling the MasterFred banker was recently available in Google’s Play Store.

The rest were more likely available on third-party stores as a delivery channel for this new malware.

MasterFred – Submit Your Info, Get Robbed

The MasterFred malware preys on victims that don’t know their way around. The attackers perfectly crafted the malicious apps to trick even Google.

Avast reports that the existing app on Play Store has been removed. But that doesn’t mean that the threat is over.

Always make sure that the applications you’re downloading are legit. Otherwise, you’ll fall for such a predicament and lose a lot in the process.

Jonathan Beesly

Jonathan is the main author at He regularly publishes posts that aim to introduce better cyber-security practices to the masses.
