Researchers have discovered a new version of the SpyNote RAT that disguises itself as a legitimate Netflix app to gain access to a device. The malware, once installed, allows a malicious user to control the device, executing commands and accessing personal information.
The latest version of the SpyNote Remote Access Trojan (RAT), discovered by researchers at Zscaler, was created using the SpyNote Trojan Builder. It mimics a legitimate Netflix app for Android devices, even using the same icon as the real Netflix app. Once the app is installed, the icon is removed, but the malware continues to run on the device. The malware uses free DNS services to communicate with the command and control server.
The Trojan exploits a vulnerability in Android Services to allow the malware to run constantly in the background, without a user interface. Because the malware is also linked to a boot event, it is activated again every time the device reboots.
The malware provides hackers with command execution abilities, allowing them to root the device using additional vulnerabilities. The RAT can take screen captures and record conversations, saving recorded content to an mp4 file and sending it to the command and control server. The C&C server may also issue commands to take photos with the device’s camera. It steals SMS messages and contacts, which can be used to further spread the malware, and it continually collects location information on the device, so the hacker can pinpoint the user’s exact physical location.
The malware also automatically uninstalls anti-virus software in the hopes of evading detection.
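The behaviours described above (a brand label that does not match the genuine package, boot-time activation of a background service, and access to SMS, contacts, microphone, camera and location) are all visible in an app's manifest. The following triage check is an added example, not Zscaler's tooling or code from the original article. It assumes the manifest has already been decoded to text XML; the permission-to-capability mapping, the `triage` function and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET
ANDROID = "{http://schemas.android.com/apk/res/android}"
# Permission-to-capability mapping is this example's assumption, not a Zscaler list.
CAPABILITIES = {
    "android.permission.READ_SMS": "SMS theft",
    "android.permission.READ_CONTACTS": "contact theft",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "camera capture",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
}
# Brand label -> package name of the genuine app (extend for other brands).
BRAND_PACKAGES = {"netflix": "com.netflix.mediaclient"}

def triage(manifest_xml):
    """Return a list of findings for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    # Assumes a literal label; an @string/ reference must be resolved first.
    label = app.get(ANDROID + "label", "") if app is not None else ""
    findings = []
    for brand, genuine in BRAND_PACKAGES.items():
        if brand in label.lower() and package != genuine:
            findings.append(f"label {label!r} but package is {package}")
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    caps = sorted(CAPABILITIES[p] for p in requested if p in CAPABILITIES)
    if caps:
        findings.append("capabilities: " + ", ".join(caps))
    boot = any(a.get(ANDROID + "name") == "android.intent.action.BOOT_COMPLETED"
               for r in root.iter("receiver") for a in r.iter("action"))
    if boot and root.find(".//service") is not None:
        findings.append("boot receiver plus background service")
    return findings

# Constructed sample manifest (not taken from a real SpyNote build).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Netflix">
    <service android:name=".MainService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Each finding on its own is common in legitimate apps; it is the combination with a mismatched brand label that warrants closer inspection.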
Zscaler warns users about the proliferation of malware built using the SpyNote Trojan builder, noting that they have discovered more than 120 variants in the first two weeks of January 2017 alone.
To protect themselves from SpyNote and other malware, Zscaler encourages customers to download apps only from trusted sources and to avoid third-party app stores. In particular, users are told to avoid downloading games that have not yet been officially released on Android devices, noting that Android users have been tricked into downloading malware disguised as the popular Super Mario Run game, which to date has been released only for iOS users.
This is already the second scam targeting Netflix customers in 2017. Earlier this month, it was discovered that many Netflix customers were victims of a phishing scam, intended to steal billing and credit card information from users.