WhatsApp Won’t Limit Functionality if You Don’t Accept Its Controversial New Privacy Policy

WhatsApp initially threatened to revoke core functions for users that refused to accept its controversial new privacy policy, only to walk back the severity of those consequences earlier this month amid international backlash, and now, it’s doing away with them altogether (for the time being, at least).

In a reversal, the company clarified on Friday that it won’t restrict any functionality even if you haven’t accepted the app’s updated privacy policy yet, TNW reports.

“Given recent discussions with various authorities and privacy experts, we want to make clear that we will not limit the functionality of how WhatsApp works for those who have not yet accepted the update,” a WhatsApp spokesperson said in a statement to the Verge. They added that this is the plan moving forward indefinitely.

In an update to the company’s FAQ page, WhatsApp clarifies that no users will have their accounts deleted or lose functionality if they don’t accept the new policies. That being said, WhatsApp will still send these users reminders to update “from time to time,” WhatsApp told the Verge. On its support page, WhatsApp claims that the majority of users who have seen the update have accepted.

Initially, the deadline to accept was planned for February, but WhatsApp pushed that date back to May 15 after coming under fire from lawmakers, consumer rights advocates, and its own users, among other critics. At issue is how this updated policy lets WhatsApp handle users’ personal data, raising concerns that it would begin forking that information over to its parent company, Facebook. (Admittedly, WhatsApp has already been doing that with users’ phone numbers since an update to its privacy policy in 2016, as the Verge notes.) WhatsApp’s bungled rollout and scary-sounding ultimatums fueled the outrage further.

The company aims to debunk these privacy concerns on its FAQ page, in which it stresses that this new policy primarily affects business messaging and Facebook will not have access to users’ location data or message logs. WhatsApp head Will Cathcart also posted a Twitter thread going into more detail.

Nonetheless, rival messaging platforms Telegram and Signal have seen a surge in downloads since WhatsApp announced its deadline for adopting its new privacy policy. Several federal authorities have pushed for WhatsApp to retract its new privacy policy or limit its rollout to users, arguing that the update violates local data protection regulations.

The Indian Government Wants to Break Messaging Encryption, WhatsApp’s Suing

WhatsApp is taking India’s government to court over a new mandate that it claims will lead to mass surveillance of users in the company’s biggest market.

Reuters was first to report on the suit filed in Delhi’s high court, which WhatsApp confirmed to Gizmodo on Wednesday. The suit is WhatsApp’s attempt to push back against the “Guidelines for Intermediaries and Digital Media Ethics Code” (or “intermediary guidelines,” for short), a spate of sweeping tech regulations that go into effect across the country today. Since India’s authorities first rolled the rules out back in February, they’ve drawn skepticism from legal experts and tech policy advocates across the region who have criticized the law for being overly broad in its attempts to wrangle major platforms. As Reuters points out, there’s already at least one other case against the new rules brewing in Delhi’s high court for that same reason.

Specifically, WhatsApp’s suit focuses on a provision stating that all major messaging apps—including encrypted platforms like WhatsApp, Signal, and Telegram—need to give Indian authorities the power to “trace” private messages. Until now, when WhatsApp is approached by authorities with requests for information, those authorities need to ask about a specific account that they can prove is using the platform for something criminal. In a nutshell, the new mandate would mean that these same authorities can approach WhatsApp with a specific piece of criminal content, and order the platform to cough up details about the account that was first caught sharing it.

As always, please don’t take Facebook’s word for this. It’s a stupid approach for a slew of reasons. As experts have already pointed out, there’s really no way for platforms to parse apart whether an account is actually creating this content themselves, or if they’re simply re-sharing something they’ve found elsewhere. Under the new mandate, a WhatsApp user could have their account scrutinized by authorities if they’re trying to fact-check or raise alarms about a piece of problematic content.

WhatsApp pointed Gizmodo towards a company blog post calling out this clause directly. “Traceability forces private companies to turn over the names of people who shared something even if they did not create it, shared it out of concern, or sent it to check its accuracy,” the company wrote.

“Through such an approach, innocent people could get caught up in investigations, or even go to jail, for sharing content that later becomes problematic in the eyes of a government, even if they did not mean any harm by sharing it in the first place.”

There’s also the fact—as technologists have detailed in the past—that it’s impossible to make an encrypted platform traceable without breaking that encryption, a move that will compromise the security of WhatsApp users and expose them to potential hacks.

WhatsApp’s encryption has been a persistent thorn in the side of authorities in India, where the platform’s been linked to the spread of persistent—and harmful—misinformation. Towards the end of 2017, rumors that circulated on the platform led to seven men being violently lynched, provoking WhatsApp to ultimately put strict limits on the way people could use the platform to forward messages. Evidently, though, this hasn’t been enough for India’s law enforcement agencies, which have repeatedly tried to get the company to enable traceability over the years.

India Reportedly Demands WhatsApp Reverse Its ‘Discriminatory’ Privacy Policies

The international uproar over WhatsApp’s new privacy policy got a jolt of energy this week, with a new letter reportedly from Indian authorities telling the company to walk back its changes to the platform—or else.

TechCrunch was first to get its hands on a leaked letter it claims was sent to WhatsApp by India’s Ministry of Electronics and Information Technology (or MeitY), detailing how the platform’s “problematic” policy updates unfairly target the roughly 400 million WhatsAppers in the region. While these users are essentially being strong-armed into accepting these new terms at the risk of losing their accounts, MeitY’s letter allegedly takes issue with the fact that WhatsAppers across the EU are free to opt-out from the new updates with no repercussions at all.

“It is not just problematic, but also irresponsible, for WhatsApp to leverage this position to impose unfair terms and conditions on Indian users, particularly those that discriminate against Indian users vis-à-vis users in Europe,” the ministry reportedly wrote. Per TechCrunch, the letter gives WhatsApp a week to offer some sort of “satisfactory” response to these accusations, after which the agency will look into taking legal action against the company.

Gizmodo wasn’t able to independently verify the content of the letter in question. When asked for comment, a WhatsApp spokesperson said that the company “[continues] to engage with the government,” and reaffirmed what it’s been saying over and over for the past few months: that any data-sharing between WhatsApp and Facebook won’t touch people’s personal messages.

“Our goal is to provide information about new options we are building that people will have, to message a business on WhatsApp, in the future,” the spokesperson added.

WhatsApp clarified the EU carveout pretty early on when Niamh Sweeney—the policy director for WhatsApp across Europe, the Middle East, and Africa—tweeted out that these impending updates wouldn’t affect the way WhatsApp collected or shared data on folks in the region. While European users did need to agree to some minor tweaks as part of the January update, Europe’s strict data protection laws mandate that users can’t be coerced into sharing their WhatsApp data with the platform’s parent company, Facebook.

For everyone outside of the EU, WhatsApp’s new policies mandate that some amount of a user’s WhatsApp data get shared with Facebook. WhatsApp’s initial announcement was kind of hazy on what data was being shared between the two, and the company’s ongoing attempts to clarify things haven’t helped. In short, the new policies allow businesses to retarget users on Facebook and Instagram based on conversations they might have with customers on WhatsApp.

It’s worth noting here that not long after WhatsApp first announced these impending updates, reports began circulating that Ireland’s Data Protection Commission was mulling a fine of up to €50 million—roughly $61 million—against WhatsApp for allegedly breaching GDPR. Meanwhile, the company’s Irish arm set aside close to $92 million to offset the “administrative fines” WhatsApp anticipates from Ireland’s ongoing investigation.

Meanwhile, this letter from MeitY is only the latest challenge facing WhatsApp in India right now. Back in March, MeitY filed suit against the company with the Delhi High Court on the grounds that the company’s planned policies flouted the country’s longstanding cybersecurity mandates. Not long after, the country’s Competition Commission ordered its own detailed probe into what it suspected was “exploitative and exclusionary conduct” snuck into WhatsApp’s updated terms.

WhatsApp tried defending itself in the High Court case earlier this month by arguing that these new policies aren’t any more invasive than any other app that’s popular in India, pointing to the food-delivery app Zomato and the ridesharing platform Ola as examples. It also argued that while the company might be deleting accounts that don’t comply with the new policies, at least they won’t be deleted right away.

The Extremely Korean Reason Why Samsung Might Ditch Tizen for Wear OS

When I first heard the rumors that Samsung might ditch its proprietary Tizen OS for wearables in favor of Google’s Wear OS, I was flummoxed. Tizen is snappy and free of the many problems plaguing Google’s wearables software. In fact, I’d say Tizen has played a large role in making Samsung’s smartwatches the best option for Android users—even if it isn’t perfect. The most logical explanation was that Wear OS offered a better third-party app ecosystem. However, even that didn’t make complete sense given how neglected the platform is and that Tizen OS has been in Samsung watches for seven years now. But now, a report from the Korean news outlet Money Today makes things crystal clear: KakaoTalk refuses to make a dedicated Tizen app.

If you’ve spent a significant time in Korea or are familiar with the Korean or Korean-American community, you know how big KakaoTalk is. Here in the west, the most accurate comparison would probably be WhatsApp, but if WhatsApp was also a pseudo-social network that absolutely everyone in your life used. I mean your grandma, your parents, your significant other, your friends, your coworkers, the CEO of your company, your third-grade teacher—absolutely everyone. According to Statista, the app has more than 50 million monthly active users, of which 46 million are located in South Korea. For context, the population of South Korea in 2020 was about 51 million. And like WeChat in China, KakaoTalk has expanded beyond just being a free chat and voice calling app. It hosts mobile games, an online bank, online shopping, a taxi service, and gift exchanges. And while it’s not officially designed to be, KakaoTalk has also morphed into a pseudo dating app. It’s so ubiquitous, “Ka-talk”, an abbreviated name for the app, has become part of the language. Listen, even my 72-year-old, technology-hating mother who has no idea how to use her smartphone will say things like, “I’ll Ka-talk you later.”

According to the MT report, KakaoTalk refuses to develop a Tizen app for Samsung’s Galaxy Watch because “there is no reason to,” as the market is small and “development is rather difficult.” The best KakaoTalk integration you can get on a Samsung watch is a notification when you receive a KakaoTalk message and the ability to reply with a smart response from the notification screen. The Apple Watch already has a KakaoTalk app where you can view all your chats, send special KakaoTalk-specific emojis, send voice messages, and also reply using smart responses. There’s also already an Android version of the app, so extending that to Wear OS would be less of a headache.

But is this really a compelling reason for Samsung to throw Tizen under the bus? Yes. I don’t know how to accurately convey the power of the extreme national pride Koreans have for home-grown tech, brands, and talent. The best I can say is from the moment you land in Seoul’s Incheon Airport, everything is Samsung. My relatives in Korea are Samsung phone evangelists, and many of them are perplexed why some of us in the American branch of our family use iPhones at all. Do we have no pride? I’m not joking when I say it’s a legitimate point of contention that’s made for awkward moments at family reunions. When Gangnam Style and K-pop landed in America, it was worn as a badge of honor that even the Americans finally recognized Korea’s cultural capital. Most of my conversations with my mom start with a factoid about some Korean accomplishment, such as, “Do you know that Incheon Airport is rated the best airport in the world?” Do not even get me started on when Parasite won the Academy Award for Best Picture. Samsung looms large within the Korean consciousness and so does KakaoTalk. Even though the majority of smartwatch users in Korea use a Samsung, lacking a dedicated KakaoTalk app is a colossal omission for Korea’s most powerful company in its home market.

Broadly speaking, Samsung likely wants more apps to work with its smartwatches and hasn’t made much headway. It’s the one thing that’s stopping it from being the best smartwatch for all Android users outright. Right now its main victory on the third-party app front is that Spotify’s Tizen app is way better than its Wear OS app. Switching back to Wear OS is most definitely a long-term strategic move that may have always been inevitable. But if KakaoTalk was willing to make a dedicated Tizen app, I’m not sure Samsung would throw in the towel just yet.

WhatsApp Will Turn Your Account Into a Useless Zombie If You Don’t Accept Its New Privacy Policy

After facing international backlash over impending updates to its privacy policy, WhatsApp has ever-so-slightly backtracked on the harsh consequences it initially planned for users who don’t accept them—but not entirely.

In an update to the company’s FAQ page, WhatsApp clarifies that no users will have their accounts deleted or instantly lose app functionality if they don’t accept the new policies. It’s a step back from what WhatsApp had been telling users up until this point. When this page was first posted back in February, it specifically told users that those who don’t accept the platform’s new policies “won’t have full functionality” until they do. The threat of losing functionality is still there, but it won’t be automatic.

“For a short time, you’ll be able to receive calls and notifications, but won’t be able to read or send messages from the app,” WhatsApp wrote at the time. While the deadline to accept was initially early February, the blowback the company got from, well, just about everyone, caused the deadline to be postponed until May 15—this coming Saturday.

After that, folks that gave the okay to the new policy won’t notice any difference to their daily WhatsApp experience, and neither will the people that didn’t—at least at first. “After a period of several weeks, the reminder [to accept] people receive will eventually become persistent,” WhatsApp wrote, adding that users getting these “persistent” reminders will see their app stymied pretty significantly: For a “few weeks,” users won’t be able to access their chat lists, but will be able to answer incoming phone and video calls made over WhatsApp. After that grace period, WhatsApp will stop sending messages and calls to your phone entirely (until you accept).

So while WhatsApp isn’t technically disabling your app, the company is making it pretty much unusable.

It’s worth mentioning here that if you keep the app installed but still refuse to accept the policy for whatever reason, WhatsApp won’t outright delete your account because of that. That said, WhatsApp will probably delete your account due to “inactivity” if you don’t connect for 120 days, as is WhatsApp policy.

In a statement to the Verge, a WhatsApp spokesperson reiterated what was already written in the new FAQ: that people’s accounts won’t be deleted, that they’ll continue to receive reminders, and that they won’t lose functionality on the day the deadline hits:

“We’ve spent the last several months providing more information about our update to users around the world.

“In that time, the majority of people who have received it have accepted the update and WhatsApp continues to grow. However, for those that have not yet had a chance to do so, their accounts will not be deleted or lose functionality on May 15. We’ll continue to provide reminders to those users within WhatsApp in the weeks to come.”

While the company has done the bare minimum in explaining what this privacy policy update actually means, the company hasn’t done much to assuage the concerns of lawyers, lawmakers, or really anyone else. And it doesn’t look like these new “reminders” will put them at ease, either.

PlayStation and Discord Are Teaming Up

Discord’s new partnership with PlayStation could help it become the chat app for every platform.

Discord, the gamer-focused chat app that’s been in the news a bit more than usual recently, has partnered with Sony’s PlayStation. Details are scarce, but the statement put out by Sony promises to bring “the Discord and PlayStation experiences closer together on console and mobile” beginning next year.

In a blog post, Sony Interactive Entertainment President and CEO Jim Ryan revealed the two companies are “hard at work” connecting Discord with the PlayStation Network. The writing on the wall appears to be a full-fledged Discord experience baked into PlayStation consoles, or perhaps a Discord experience tailored to the console, so it’s easier to chat with folks in the app. PlayStation gamers usually have to deal with a whole dance of cables between a computer and the console to use Discord.

Ryan also said that Sony made a “minority investment” in Discord as part of its Series H funding, citing inspiration from both teams’ “shared passion to help bring friends and communities together in new ways.” The news comes hot on the heels of Discord reportedly turning down acquisition offers, including one from Microsoft.

The latest cash influx from Sony might help explain some of the motives behind Discord’s since-rescinded move to ban access to NSFW channels from the iOS app. The overarching consensus was that the company was reeling in some of its “wild west” tendencies to curry favor with outside investors. It’s not clear how much Sony invested in Discord, but the company has raised nearly $480 million in funding.

For its part, Discord continues as one of the reigning all-encompassing chat apps for gamers, along with a few other competitors like Mumble, Element, and TeamSpeak. New Discord features like Stage Channels, which allow Discord users to manage a voice broadcast with up to 1,000 attendants, suggest the company is setting its sights outside the gaming realm, or at least in a capacity where it’s considered alongside other massive community-based platforms like Twitch.

Though it said no to Microsoft’s offer to fold it into its gaming ecosystem, Discord has the upper hand once it launches a full-fledged PlayStation app. Xbox One and Xbox Series X/S players have access to a Discord app for their platform, but it’s limited to status changes and inviting friends to play along. A full-featured PlayStation app might spur Microsoft to offer Discord in full on the platform, especially since it’s already on Android, iOS, Mac, Windows, and even Linux.

Discord Walks Back iOS Block on NSFW Content

Discord has walked back an earlier decision to ban NSFW servers completely from its iPhone and iPad apps.

The company changed the guidelines on accessing NSFW content after experiencing severe pushback from its users. The ban now only applies to servers specifically focused on explicit pornographic content, including any server either “organized” around NSFW themes or where most of the server is devoted to 18-and-up content. Individual channels denoted as NSFW are still accessible, but only behind an opt-in age-gate.

When asked for a statement on the latest change, Discord responded with the following statement, along with links to support articles for users and server owners:

“Our goal is always to keep Discord safe, especially for our younger users. Last week, we introduced additional controls to ensure minors will not be exposed to content that is inappropriate for them per App Store guidelines. We realize the community had many questions, and we wanted to clarify our position and which servers will or will not be affected. These updates are outlined in detail on our support articles for users and server owners. We will continue to work with server owners and our partners, and will notify all server owners letting them know which of their servers are impacted.”

Discord will continue to comb through servers and channels to ensure they’re adhering to the new designations. It’s also working on a feature to allow servers to self-identify as NSFW.

Discord had initially beefed up its restrictions on NSFW content to comply with Apple’s iOS Developer Guidelines, which allow for “incidental” NSFW content as long as it’s only displayed after the user specifically opts in. But instead of mandating an age-gate where applicable, Discord banned adult iOS users altogether from accessing any NSFW content of any kind. The company then attempted to shift the attention over to Apple for its restrictive content policies in the App Store.

That upset communities of people who rely on Discord to generate revenue or engage with their following. Kink artists, furry groups, and other affiliated communities felt particularly affected by the NSFW policy. One artist, A. Szabla, explained to Rolling Stone how the ban would have negatively impacted queer communities using Discord to organize:

“With bans on NSFW I often see a lot of queer art, and queer folks who are trying to view or create this work in order to better connect with their own genders and identities, getting hit the hardest and losing business and income because of these overreaching decisions by tech companies.”

It took a week for Discord to soften its stance on the iOS ban, perhaps as a show of faith to its users. However, there are still rumblings reverberating around social media that the company’s recent moves have been motivated in part to appeal as a safe investment to possible buyers—with Microsoft being the frontrunner.

Discord doesn’t have a clean past, which might be why there have been so many recent changes to its terms of use for adult communities. The chat app, which launched in 2015, has a history of allowing offensive content such as child pornography to circulate throughout the platform with few consequences, along with other disturbing content and extremist material. It still doesn’t offer parental controls, but rather points users to a guide for using the built-in privacy and safety features to keep safe.

Apple Never Made iMessage for Android to Lock-In iOS Users, Epic Court Docs Show

As part of the ongoing legal battle between Fortnite maker Epic and Apple, some new information has come to light confirming the most annoying thing about Apple’s iMessage app: that Apple could make a cross-platform version of iMessage for Android phones, but it won’t because it would be bad for business.

This info comes from testimony that appears in Epic’s brief against Apple, which was posted recently on Reddit. In the document, there are several statements from well-known Apple execs describing the reasons why Apple never made a cross-platform version of iMessage for Android devices.

In one quote dating back to 2013, Eddy Cue—who is now Apple’s senior vice president for internet software and services—said that Apple “could have made a version [of iMessage] on Android that worked with iOS,” providing the possibility that “users of both platforms would have been able to exchange messages with one another seamlessly.”

Sadly, it seems multiple Apple execs were concerned that doing so would make it too easy for iPhone owners to leave the Apple ecosystem, with Apple’s senior vice president of software engineering, Craig Federighi, having said, “iMessage on Android would simply serve to remove [an] obstacle to iPhone families giving their kids Android phones”—a sentiment Epic’s brief says was also shared by Phil Schiller, who back then was in charge of overseeing Apple’s App Store.

It seems these sentiments have been known within Apple for quite some time. The brief describes a 2016 comment from a former Apple employee who said “the #1 most difficult [reason] to leave the Apple universe app is iMessage … iMessage amounts to serious lock-in,” with Schiller having affirmed the comment by saying, “moving iMessage to Android will hurt us more than help us, this email illustrates why.”

The most depressing thing about these statements is that it removes any doubt that Apple could make an Android version of iMessage if it wanted to, but it hasn’t because Apple is more concerned about potentially making it easier for its customers to leave its ecosystem, which has resulted in a needlessly fragmented messaging ecosystem and a sense that Apple is using manufactured exclusivity to hold longtime iMessage users hostage.

Unfortunately, while these testimonies seem to be pretty damning for Apple, it’s unclear if these revelations will force Apple to reconsider porting iMessage over to Android in the future. But at least now we know for sure why it never happened before.

An Android App That Promised Free Netflix Shockingly Just Highly Annoying Malware

So-called pirating apps have been around for years—and they have only gained popularity since covid-19 put us all indefinitely on the couch, phone in hand, awaiting a reason (that never comes) to stop streaming.

Well, not all pirating apps have your content-viewing interests in mind. Enter “FlixOnline.” Until recently, this app sat in Google’s Play Store, promising users the opportunity to gain free mobile access to Netflix from anywhere in the world, even if they didn’t have an account. Sounds too good to be true, right?

Yes, well, exactly.

FlixOnline, discovered by security firm Check Point Research, never actually let users binge Breaking Bad or whatever. Instead, the researchers say, it delivered a self-replicating worm onto their devices—the likes of which could potentially be used by hackers in phishing and data-theft operations.

According to researchers, the Flix wormable malware burrows into a phone by abusing its permissions, then uses a victim’s WhatsApp conversations to spread itself. As soon as you download it, Flix asks for access to a variety of your device’s controls. It then hijacks your WhatsApp and uses it to send spammy messages to people who message you. For instance, if your friend sends you, “Hey dude, whaddup,” Flix will secretly auto-reply for you, sending them a, uh, really subtle advertisement for its fake services:

“2 Months of Netflix Premium Free at no cost For REASON OF QUARANTINE (CORONA VIRUS)* VIRUS)* Get 2 Months of Netflix Premium Free anywhere in the world for 60 days. Get it now HERE” [insert malicious link].

If your friend, lost in a confused fog—baffled by the fact that their pal of many years has transformed, overnight, into a robotic Netflix shill—happens to click on the link provided, they get directed to a website where they can download the app, and the malware replicates itself anew. Researchers say the site could easily serve as a way for hackers to steal a victim’s personal information. In truth, it’s hard to imagine most people being, let’s say, gullible enough to follow that last step, but then again, “123456” remains a popular password.

So, voila! It’s like a moral lesson about the ills of piracy, packed into a very, very stupid app—an app that does literally nothing except hijack your conversations with friends and loved ones to re-spawn its own daft, useless existence.

Of course, the access supplied by an app like this means a bad actor could definitely abuse it to do more than send annoying messages (they could steal your private information and thereby entrap you in an extortion scheme, for instance). Additionally, if the messages being sent to a victim’s contacts were modified to something other than a hacky Netflix ad, or additional malicious links were added to the hijacked WhatsApp messages, a person could have quite a mess on their hands. So, it’s not just an annoying app, but potentially dangerous, too.

Perhaps the worst thing here is that Flix sat in the Play Store for approximately two months, compromising about 500 devices, according to Check Point (the app has since been taken down). It’s another great example of how Google hasn’t always done an amazing job when it comes to weeding out bad apps being distributed on its platform.

“The fact that the malware was able to be disguised so easily and ultimately bypass Play Store’s protections raises some serious red flags,” said Aviran Hazum, manager of mobile intelligence at Check Point. He added that, while this specific malware campaign was halted, the same malware could be deployed again via a different fake app. So… be careful out there, my pirate friends. Remember: There’s no such thing as free content.