Android Malware ‘Necro’ Infected 11 Million Devices via Google Play

A new version of the Necro Android malware loader has made its way onto 11 million devices after being delivered through malicious software development kits (SDKs) bundled into apps distributed on Google Play, a supply-chain route into the official store.

This new version of the Necro Trojan reached several legitimate apps through malicious advertising SDKs, and it is also bundled into Android game mods and modified versions of popular apps such as Spotify, WhatsApp, and Minecraft.

What is Necro?

Necro is a sophisticated malware loader designed to run covertly on compromised devices while masquerading as a legitimate application. Its capabilities include the theft of sensitive user data, unauthorized access to personal accounts, and remote execution of commands. Because it can control a wide range of device functions, it is a serious threat not only to individual users but also to businesses.

Once on a device, the loader fetches several payloads and activates a range of malicious plugins: adware that loads links through invisible WebView windows (the Island plugin and Cube SDK); modules that download and execute arbitrary JavaScript and DEX files (Happy SDK and Jar SDK); tools for subscription fraud (the Web plugin, Happy SDK, and Tap plugin); and a mechanism that turns infected devices into proxies for rerouting malicious traffic (the NProxy plugin).
Kaspersky found two apps on Google Play carrying the Necro loader, both of them popular.

The first is Wuta Camera by ‘Benqu,’ a photo editing and beautification tool that Kaspersky observed with more than 10,000,000 downloads on Google Play.

According to Kaspersky’s threat analysts, Necro entered the app with the release of version 6.3.2.148 and was still present in version 6.3.6.148. After Kaspersky informed Google, the trojan was removed in version 6.3.7.138.

Even though the trojan is gone from version 6.3.7.138, installs of the earlier affected versions are still lurking on Android devices that have not updated.

The second legitimate application containing Necro is Max Browser from ‘WA message recover-warm,’ which had 1 million downloads from Google Play. It was removed from the store following Kaspersky’s report.
According to Kaspersky, the latest version of Max Browser, 1.2.0, still carries Necro, so there is no clean version to upgrade to; users are advised to uninstall it immediately and switch to an alternative browser.
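Anyone responsible for a fleet of Android devices will want to check installed versions against these findings rather than eyeball version strings by hand. The script below is an added example, not code from Kaspersky or from either app’s vendor: it pulls the versionName out of `adb shell dumpsys package <pkg>` output and classifies it against the affected ranges quoted above (Wuta Camera from 6.3.2.148 up to but not including 6.3.7.138; every known Max Browser release). The package identifiers are assumptions, since the report as quoted here names the apps but not their package names, and the dumpsys text is a constructed sample.

```python
import re

# Affected versions as reported by Kaspersky and quoted in the article above.
# The package identifiers below are assumptions for this example: the report as
# quoted names the apps, not their package names. Confirm them on a device
# with `adb shell pm list packages | grep -i wuta` before relying on them.
WUTA_PKG = "com.benqu.wuta"           # assumed package name for Wuta Camera
MAX_BROWSER_PKG = "com.max.browser"   # assumed package name for Max Browser
WUTA_FIRST_INFECTED = "6.3.2.148"     # Necro entered with this release
WUTA_FIRST_CLEAN = "6.3.7.138"        # trojan removed in this release

# Constructed sample of `adb shell dumpsys package com.benqu.wuta` output
# (not captured from a real device; only the versionName line matters here).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.benqu.wuta] (2f1a9b7):
    userId=10234
    pkg=Package{2f1a9b7 com.benqu.wuta}
    versionCode=63060148 minSdk=21 targetSdk=33
    versionName=6.3.6.148
    timeStamp=2024-08-01 10:22:13
"""

def parse_version(v):
    """Turn '6.3.6.148' into (6, 3, 6, 148) so releases compare numerically."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.strip().split("."))

def version_name_from_dumpsys(text):
    """Pull the first versionName= value out of dumpsys output, or None."""
    m = re.search(r"versionName=([\w.\-]+)", text)
    return m.group(1) if m else None

def assess(pkg, version_name):
    """Classify one installed package as 'infected', 'not_in_affected_range'
    or 'unknown' against the ranges quoted in the article."""
    if version_name is None:
        return "unknown"
    v = parse_version(version_name)
    if pkg == WUTA_PKG:
        if parse_version(WUTA_FIRST_INFECTED) <= v < parse_version(WUTA_FIRST_CLEAN):
            return "infected"
        return "not_in_affected_range"
    if pkg == MAX_BROWSER_PKG:
        # No clean release is known: 1.2.0, the latest, still carries Necro.
        return "infected"
    return "unknown"

def triage(dumpsys_by_pkg):
    """Map {package: dumpsys text} to {package: (versionName, verdict)}."""
    result = {}
    for pkg, text in dumpsys_by_pkg.items():
        vn = version_name_from_dumpsys(text)
        result[pkg] = (vn, assess(pkg, vn))
    return result

if __name__ == "__main__":
    for pkg, (vn, verdict) in triage({WUTA_PKG: SAMPLE_DUMPSYS}).items():
        print(f"{pkg} {vn}: {verdict}")
```

A verdict of "not_in_affected_range" for a Wuta Camera build older than 6.3.2.148 only means it predates the reported infection window; it says nothing about whether the SDK was present in some other form, so treat it as a lower bound rather than a clean bill of health.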

As Kaspersky notes, both apps were infected through an advertising SDK called ‘Coral SDK,’ which obfuscates its malicious activity and uses image steganography to retrieve its second-stage payload, the shell plugin, embedded in seemingly innocuous PNG images.

Google has told BleepingComputer that it is aware of the reported apps and is investigating.
Outside the Play Store, the Necro Trojan spreads mainly through mods of popular apps distributed via unofficial websites.
Other examples caught by Kaspersky include the WhatsApp mods ‘GBWhatsApp’ and ‘FMWhatsApp,’ which promise better privacy controls and extended file-sharing limits, as well as the Spotify mod ‘Spotify Plus,’ which promises free access to ad-free premium features.

The report also mentions Necro loaders in Minecraft mods and in mods of other popular games such as Stumble Guys, Car Parking Multiplayer, and Melon Sandbox.

In all of the cases listed, the malicious activity looks the same: the loader displays ads in the background to generate fraudulent revenue for the attackers, installs applications and APKs without the user’s authorization, and uses invisible WebViews to interact with paid services.

To download RAM Antivirus:

Visit the official website, https://ramantivirus.in/, select the version compatible with your operating system, and click the “Download” button. Once the file has downloaded, open it and follow the instructions to complete the installation. After installation, launch RAM Antivirus to begin protecting and securing your device.