Necro Android Malware Infects Millions

By admin | 2024-09-27 | Malware Attack

A new variant of the Necro malware loader has infected 11 million Android devices through a software-supply-chain attack in which malicious SDKs were bundled into apps distributed on Google Play.

This updated Necro Trojan infiltrated devices through compromised advertising software development kits (SDKs) used by legitimate apps, Android game mods, and altered versions of popular software such as Spotify, WhatsApp, and Minecraft.

Once installed, Necro deploys several malicious payloads on infected devices, activating a range of harmful plugins, including:

  • Adware: Loads ads in invisible WebView windows (Island plugin, Cube SDK)
  • JavaScript and DEX file execution modules: Downloads and runs arbitrary code (Happy SDK, Jar SDK)
  • Subscription fraud tools: Facilitates unauthorized subscriptions (Web plugin, Happy SDK, Tap plugin)
  • Proxy mechanisms: Uses infected devices to route malicious traffic (NProxy plugin)

Necro Trojan on Google Play

Kaspersky identified the Necro malware in two popular apps on Google Play.

The first, Wuta Camera by developer 'Benqu,' is a photo editing tool with over 10 million downloads. Necro was embedded in version 6.3.2.148 and remained active until version 6.3.6.148, after which Google was alerted by Kaspersky. Although the malware was removed in version 6.3.7.138, devices using older versions may still be infected.

The second app, Max Browser by 'WA message recover-wamr,' had 1 million downloads before being removed following Kaspersky's report. The latest version, 1.2.0, still carries the Necro Trojan, and users are advised to uninstall it immediately.

Both apps were compromised by an advertising SDK named Coral SDK, which used obfuscation techniques and image steganography to hide its malicious activities and download second-stage payloads disguised as PNG images.
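A practical check for a fleet of managed devices is to compare the installed version of each named app against the affected range the article gives: Wuta Camera from 6.3.2.148 up to but not including the cleaned 6.3.7.138, and Max Browser in every version up to and including 1.2.0. The script below is an added example, not code from Kaspersky or the article; the package names are placeholders because the article names the apps and developers but not their Play Store package identifiers, and the `dumpsys` fragment is constructed.

```python
import re

# Affected ranges as stated in the article. first_clean=None means no clean
# version is known (Max Browser still carries the Trojan in 1.2.0).
# Package ids are PLACEHOLDERS; substitute the real ones from the Play Store.
AFFECTED = {
    "com.example.wutacamera": {"first_bad": "6.3.2.148", "first_clean": "6.3.7.138"},
    "com.example.maxbrowser": {"first_bad": "0", "first_clean": None},
}

def parse_version(v: str) -> tuple:
    """Turn a dotted version string into an integer tuple for ordering.
    Non-numeric fragments (e.g. '-beta') are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_affected(package: str, version: str) -> bool:
    """True if this package/version pair falls inside a known-bad range."""
    rule = AFFECTED.get(package)
    if rule is None:
        return False
    ver = parse_version(version)
    if ver < parse_version(rule["first_bad"]):
        return False
    clean = rule["first_clean"]
    if clean is not None and ver >= parse_version(clean):
        return False
    return True

# `adb shell dumpsys package <pkg>` prints a line like "    versionName=6.3.5.148"
VERSION_RE = re.compile(r"versionName=(\S+)")

def check_dumpsys(package: str, dumpsys_output: str) -> dict:
    """Extract versionName from dumpsys output and classify it.
    'affected' is None when no version line could be found."""
    m = VERSION_RE.search(dumpsys_output)
    if not m:
        return {"package": package, "version": None, "affected": None}
    version = m.group(1)
    return {"package": package, "version": version,
            "affected": is_affected(package, version)}

# Constructed sample of the relevant part of dumpsys output.
SAMPLE_DUMPSYS = (
    "  Package [com.example.wutacamera] (1a2b3c):\n"
    "    versionCode=63 minSdk=21 targetSdk=33\n"
    "    versionName=6.3.5.148\n"
)

if __name__ == "__main__":
    print(check_dumpsys("com.example.wutacamera", SAMPLE_DUMPSYS))
```

Feed it the real output of `adb shell dumpsys package <pkg>` per device; an `affected` result of `True` means the device should be treated as compromised, not merely upgraded.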

Outside of Google Play

Necro is also spread via unofficial websites offering modified versions of popular apps, such as GBWhatsApp and FMWhatsApp, which promise additional privacy controls and enhanced file-sharing features. Another example is Spotify Plus, a mod claiming to offer free access to premium services without ads.

Kaspersky also detected Necro in mods for popular games like Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox.

Across all cases, the malware behaves similarly, generating fraudulent revenue by displaying hidden ads, installing apps without user consent, and using invisible WebViews to engage with paid services.

While the full scope of infections from these unofficial sources is unclear, it is confirmed that at least 11 million devices were affected via Google Play. Google is currently investigating the reported apps.