Android Malware ‘Necro’ Infected 11 million Devices through Google Play

A new Android threat known as ‘Necro’ has recently emerged. The malware infected more than 11 million devices through Google Play by way of a malicious SDK supply chain attack.


This is quite shocking and shows how the sophistication of cybercrime is increasing and how vulnerabilities persist in widely used applications.

How Does Android Malware ‘Necro’ Propagate: Malicious SDKs and Widely Used Apps

This is a new version of the Android Malware ‘Necro’ Trojan, and it reached devices through compromised advertising SDKs bundled into several apps. The compromised SDKs are found in Android game mods and in modified versions of famous applications such as Spotify, WhatsApp, and Minecraft. The malware was well hidden inside the applications, making detection by users impossible.

Payloads and Malicious Activities

After installation, the Android Malware ‘Necro’ Trojan downloads and installs various payloads on target devices, which launch many malicious plugins. These include the following:

  • Adware that loads links through WebView windows that are not visible on the screen (the Island plugin, Cube SDK).
  • Modules for downloading and running arbitrary JavaScript and DEX files (Happy SDK, Jar SDK).
  • Tools designed specifically for committing subscription fraud (Web plugin, Happy SDK, Tap plugin).
  • Systems designed to turn devices into proxies to transmit malicious traffic (NProxy plugin).

Detecting the Risk: Kaspersky’s Findings

Russian cybersecurity company Kaspersky found the Android Malware ‘Necro’ loader in two highly downloaded applications in Google Play. These had millions of active users:

  1. Wuta Camera by Benqu: a photo editing application with more than 10 million downloads. Versions 6.3.2.148 through 6.3.6.148 contained Necro, which remained in the application until Kaspersky informed Google.
  2. Max Browser by WA message recover-warm: with 1 million downloads, also carries Necro. The last update, 1.2.0, still contains the malware, so Kaspersky advises users to uninstall this version as soon as possible.

Malicious SDKs: The Hidden Danger

Both applications were compromised through an advertising SDK named Coral SDK. It used obfuscation techniques to hide its malicious activities and employed image steganography to download its payload, the shell plugin, disguised as innocent-looking PNG images.

Google’s Response: Investigating the Threat

Following the publication of the report, Google revealed to BleepingComputer that it had been aware of the apps in question and was currently investigating the matter. However, millions of devices had already been harmed through this potential compromise.

Unofficial Sources Beyond Google Play

Outside the official Google Play Store, the Android Malware ‘Necro’ appears to propagate mostly through modified versions of popular apps, known as mods, distributed over unofficial websites. Examples include the WhatsApp mods GBWhatsApp and FMWhatsApp, which claim to offer enhanced privacy controls and extended file-sharing limits, and the Spotify Plus mod, which claims to give free access to premium services.

The report further indicates other game mods through which users have been infected with the Android Malware ‘Necro’ loader, such as Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. In all these cases, the malware displays nearly identical malicious activities, including displaying hidden background ads to generate fake revenue for attackers, installing apps without permission, and using an invisible WebView to access paid services.
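A defender-side triage sketch for the indicators this article gives: the affected version ranges of the two Google Play apps and the distinctly named mods. It is an added example, not code from Kaspersky's report; the tab-separated inventory format and the sample rows are constructed, and it matches app labels because the article gives no package names.

```python
# Indicators below come from the article; inventory format and rows are constructed.
AFFECTED = {  # app label -> inclusive (first, last) affected version
    "wuta camera": ("6.3.2.148", "6.3.6.148"),
    "max browser": ("1.2.0", "1.2.0"),
}
# Mods with distinctive labels. Game mods (e.g. Stumble Guys) share the label of
# the legitimate game, so a label match alone cannot flag them.
NAMED_MODS = ("gbwhatsapp", "fmwhatsapp", "spotify plus")

def vkey(version):
    """'6.3.10.148' -> (6, 3, 10, 148); trailing zeros dropped so 1.2 == 1.2.0."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def classify(label, version):
    name = label.strip().lower()
    if any(mod in name for mod in NAMED_MODS):
        return "named-mod"
    if name not in AFFECTED:
        return "not-listed"
    low, high = AFFECTED[name]
    try:
        # Numeric compare: as strings, "6.3.20.1" would sort inside the range.
        hit = vkey(low) <= vkey(version) <= vkey(high)
    except ValueError:
        return "check-manually"
    return "affected" if hit else "listed-app-other-version"

def triage(inventory):
    """Parse 'label<TAB>version' lines into (label, version, verdict) rows."""
    rows = []
    for line in inventory.splitlines():
        if line.strip():
            label, _, version = line.partition("\t")
            rows.append((label.strip(), version.strip(), classify(label, version)))
    return rows

SAMPLE_INVENTORY = (  # constructed device inventory
    "Wuta Camera\t6.3.4.148\nWuta Camera\t6.3.20.1\nMax Browser\t1.2\n"
    "FMWhatsApp\t9.1\nMax Browser\t1.2.0-beta\nCalculator\t3.0\n"
)

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row, sep=" | ")
```

A "listed-app-other-version" verdict only means the version falls outside the range the article states; the article does not say which other versions are clean.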

Total Infections: Increasingly Becoming a Threat

The total number of infections from the recent wave of Android Malware ‘Necro’ Trojans is almost impossible to confirm because of the unreliable reporting coming from unofficial Android software websites. However, at least 11 million infections through Google Play have been confirmed.

Conclusion: Remaining Vigilant on Cyber Threats

As threats in the cyber domain continue to evolve, users need to be more cautious when installing apps on their devices. The growing variety of malware, such as Android Malware ‘Necro,’ highlights the importance of cybersecurity measures, especially when downloading software from non-official sources. It is, therefore, recommended that users check the legitimacy of applications before installing them and keep their security software updated against possible threats.
