A new malware is spreading through WhatsApp on Android, hijacking users’ chats to send malicious messages that are self-propagating.

Cybersecurity researcher Lukas Stefanko alerted The Hacker News that the malware spreads by automatically replying to any WhatsApp message notification with a link to a malicious app.

When clicked, the link to the fake app redirects users to a lookalike Google Play Store site.

If users install the fake app, it prompts victims to grant notification access, which is then abused to carry out the wormable attack.

The cybersecurity news site reported that this hack leveraged off WhatApp’s quick reply feature to send replies automatically.

Originally, the feature enables users to reply to incoming messages directly from their notification tray rather than going into the app.

The malware also requests access to run in the background and to be able to overlay on other apps.

This enables it to operate when users were running other apps, so it could then steal credentials or other sensitive information.

Stefanko said this secondary feature was to trick users into an adware or subscription scam.

He said that though the malware code was currently only capable of sending automatic replies to WhatsApp contacts, it could potentially be extended to other messaging apps that use Android’s quick reply feature.

The messages – which cunningly are sent only once per hour to the same contact – are fetched from a remote server, meaning the content and links being sent now could change to other types of malicious content later.

Stefanko said it was his first time analysing Android malware that had the ability to spread itself via WhatsApp messages.

He added that the way it infected the first victims was not clear, though generally wormable malware can expand among victims incredibly quickly.

Users were reminded to only download apps via trusted sources, verify if the app was built by a genuine developer, and double check the app permissions requested before installing.