Through a malicious SDK supply-chain campaign, a new version of the Necro malware loader for Android was installed on 11 million devices via Google Play.
This latest iteration of the Necro Trojan was installed via Android game mods, Spotify, WhatsApp, and Minecraft modifications, as well as malicious advertising software development kits (SDKs) utilized by genuine apps.
Necro launches a number of malicious plugins and installs many payloads on compromised devices, such as:
• Adware that loads links through invisible WebView windows (Island plugin, Cube SDK)
• Modules that download and execute arbitrary JavaScript and DEX files (Happy SDK, Jar SDK)
• Tools specifically designed to facilitate subscription fraud (Web plugin, Happy SDK, Tap plugin)
• Mechanisms that use infected devices as proxies to route malicious traffic (NProxy plugin)
Necro Trojan on Google Play
Necro loader was found to be present in two popular Google Play apps, according to Kaspersky. The first is Wuta Camera, a photo editing and beautifying app developed by “Benqu,” which has amassed over 10 million downloads on Google Play.
According to the researchers, Necro first appeared in the app in version 6.3.2.148 and remained embedded until version 6.3.6.148, at which point Kaspersky alerted Google.
Although the trojan was removed in version 6.3.7.138, Android devices may still be at risk from payloads that earlier versions already deployed.
The second program that contained Necro is Max Browser by ‘WA message recover-wamr,’ a legitimate app that had one million downloads on Google Play before it was taken down in response to Kaspersky’s findings.
Users of Max Browser are advised to delete the browser right away and switch to an alternative because, according to Kaspersky, the most recent version of the browser, 1.2.0, still contains Necro; there is no clean version to upgrade to.
According to Kaspersky, both apps were infected through the “Coral SDK” advertising SDK, which used image steganography to download the second-stage payload, shellPlugin, under the guise of benign PNG images, and obfuscation to conceal its malicious activity.
Google stated that it was aware of the reported apps and was looking into them.
Outside official sources
Outside the Play Store, the main way the Necro Trojan spreads is through customized apps, or mods, distributed via unofficial websites.
Kaspersky found some notable examples, such as the WhatsApp modifications “GBWhatsApp” and “FMWhatsApp,” which offer improved privacy settings and increased file-sharing restrictions. Another is “Spotify Plus,” a Spotify mod that offers free access to premium services devoid of advertisements.
The report also lists Necro-infected mods of popular games such as Stumble Guys, Car Parking Multiplayer, and Melon Sandbox, as well as Minecraft mods.
The harmful behavior was the same in each case: installing apps and APKs without the user’s permission, using invisible WebViews to interact with premium services, and displaying advertisements in the background to generate fraudulent revenue for the attackers.
Although the total number of infections from this latest Necro Trojan wave is unknown, since unofficial Android software sites do not consistently publish download figures, at least 11 million infections have come from Google Play alone.
About us:
CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.
CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.