Hacker News
by bulgr0z 1898 days ago
It's been a long time since I have had a look at Android permissions; is there any legitimate use case for the "BIND_NOTIFICATION_LISTENER_SERVICE" permission used in the app? It also feels very wrong that a non-system app would be able to interact with the inline reply field of the notification; is this ability tied to the permission itself?

In any case, this obviously targets the less savvy users and it would probably be better labelled as "phishing" rather than "wormable".

3 comments

It's used to send notifications to things like smart watches, or to other computers via apps like KDE Connect (which I think also allows people to interact with the notifications).
It's also a minimum of 3 user taps to enable this permission. It isn't like the regular camera or contacts permissions requests.
I don't think the number of taps changes anything for the target user of this app; the "free netflix" promise would have my mom calling me to help her follow the screenshot instructions and scam herself.
Wouldn't she also get a virus on a computer if she was convincing herself of such things? At some point there's an onus on the user to take some security precautions unless we want all our devices to be locked-down, consumption-only toys.
You can define a security policy for these messages.

Maybe WhatsApp devs ignored that.