This malware has infected 11M Android devices via Play Store
A new variant of the Necro malware for Android has infected over 11 million devices. The infections were carried by malicious software development kits (SDKs) embedded in legitimate apps, game mods, and altered versions of popular software such as Spotify, WhatsApp, and Minecraft. The malware was distributed primarily through the Google Play Store, but also through unofficial websites hosting modified versions of well-known apps.
Necro's malicious capabilities
The Necro loader can install multiple payloads onto an infected device and activate a range of malicious plugins. These include adware that loads ads in invisible WebView windows (Island plugin, Cube SDK), modules that download and execute arbitrary JavaScript and DEX files (Happy SDK, Jar SDK), tools for subscription fraud (Happy SDK, Web plugin, Tap plugin), and a mechanism that turns infected devices into proxies for routing malicious traffic (NProxy plugin).
Kaspersky identifies infected apps
Kaspersky, a global cybersecurity company, identified two apps on Google Play that were infected with the Necro loader. The first is Wuta Camera by 'Benqu,' a photo editing tool with over 10 million downloads. The second is Max Browser by 'WA message recover-wamr,' which had one million downloads before it was removed from Google Play following Kaspersky's report.
Necro's stealth tactics and Google's response
The two apps were reportedly infected through an advertising SDK called 'Coral SDK.' The SDK used obfuscation to conceal its malicious activity and image steganography to retrieve its second-stage payload, shellPlugin, hidden inside what appear to be harmless PNG images. Because the payload is fetched at runtime rather than shipped in the APK, the app as submitted for review can look benign. In response to these findings, Google told BleepingComputer that it is aware of the reported apps and is investigating them.
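The article does not say how Coral SDK encodes the payload inside the PNG, so the following is an added triage check (not code from the article, Kaspersky, or the malware) for one common variant of image steganography: a payload appended after the PNG's IEND chunk, which any image viewer ignores but a loader can slice off and execute. It walks the chunk list, verifies chunk CRCs, and reports any trailing bytes along with their magic number and entropy. The assumed appended-payload layout, the list of magic numbers, and the sample PNGs are all constructed here so the script runs offline.

```python
"""Flag PNG files that carry data after the IEND chunk (appended-payload stego).

Added example, not part of the article. The appended-after-IEND layout is an
assumption; it is one of several ways a dropper can hide a payload in an image.
"""
import math
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Magic numbers worth flagging when found after IEND (assumed, generic list).
KNOWN_MAGICS = {
    b"dex\n": "dex",        # Dalvik executable, what a loader would hand to a class loader
    b"PK\x03\x04": "zip",   # APK / JAR archive
    b"\x7fELF": "elf",      # native library
}


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png(trailing: bytes = b"") -> bytes:
    """Build a minimal valid 1x1 RGB PNG (constructed sample) and optionally
    append `trailing` bytes after IEND, the way a stego dropper might."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    raw_scanline = b"\x00" + b"\x00\x00\x00"             # filter byte + one black pixel
    idat = zlib.compress(raw_scanline)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailing)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 means encrypted/compressed, near 0 means padding."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_png(data: bytes) -> dict:
    """Walk the chunk list, verify CRCs, and report anything after IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    crc_errors = 0
    saw_iend = False
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            break  # truncated chunk; IEND never reached
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc_bytes)[0]:
            crc_errors += 1
        pos += 12 + length
        if ctype == b"IEND":
            saw_iend = True
            break
    trailing = data[pos:] if saw_iend else b""
    magic = "none"
    for prefix, name in KNOWN_MAGICS.items():
        if trailing.startswith(prefix):
            magic = name
            break
    if trailing and magic == "none":
        magic = "unknown"
    return {
        "iend_found": saw_iend,
        "crc_errors": crc_errors,
        "trailing_bytes": len(trailing),
        "trailing_magic": magic,
        "trailing_entropy": round(shannon_entropy(trailing), 2),
        # The PNG spec defines nothing after IEND, so any trailing data is worth a look.
        "suspicious": len(trailing) > 0,
    }


if __name__ == "__main__":
    clean = build_png()
    stego = build_png(trailing=b"dex\n035\x00" + bytes(range(256)) * 4)  # constructed
    for label, sample in (("clean", clean), ("stego", stego)):
        print(label, analyze_png(sample))
```

Run it over the image cache of a suspect app (or the images an SDK fetches on the wire); a "trailing_magic" of dex or zip is a direct hit, while "unknown" with entropy near 8 suggests an encrypted blob that the loader decrypts before use. Low-bit (LSB) embedding would not be caught by this check and needs a pixel-level comparison against a known-good image.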
Distribution beyond Google Play
Beyond the Play Store, the Necro loader was also spread through modified versions of popular apps distributed on unofficial websites. These include the WhatsApp mods 'GBWhatsApp' and 'FMWhatsApp,' which promise better privacy controls and higher file-sharing limits, and a Spotify mod named 'Spotify Plus' that promises free access to ad-free premium features. Minecraft mods and mods for other popular games such as Stumble Guys, Car Parking Multiplayer, and Melon Sandbox were also found to carry the Necro loader.