Google Play Apps Under Siege: Understanding the Necro Trojan Threat

 


Major Malware Alert: Necro Trojan Infects Popular Google Play Apps

A recent report from Kaspersky has uncovered a serious security threat: the Necro Trojan has infected two applications on the Google Play Store, racking up a combined total of about 11 million downloads. This multi-stage loader was first identified in 2019 when it targeted the widely used CamScanner app, which has over 100 million downloads.

The Infected Applications

The current threat involves Wuta Camera, downloaded over 10 million times, and Max Browser, with more than 1 million downloads. Following Kaspersky's findings, both infected versions have been removed from Google Play, but the damage may have already been done.

How the Necro Trojan Spreads

The new variant of Necro is being distributed through both legitimate Google Play applications and modified versions of popular apps and games found on unofficial platforms. Kaspersky’s research indicates that unofficial mods for widely used apps like Spotify and WhatsApp, as well as games like Minecraft and Stumble Guys, have also been compromised.

Mechanism of Action

The malware’s infiltration is often linked to the use of untrusted ad integration solutions by app developers. For example, the Spotify mod contained an SDK that facilitated multiple ad modules, one of which was found transmitting device information to a command-and-control (C&C) server and receiving a hidden payload.

In the case of the WhatsApp mod, a different approach was used: it leveraged Google’s Firebase Remote Config for C&C communication, ultimately delivering the same malicious payload.

Capabilities of the Necro Trojan

Kaspersky has detailed several alarming functionalities of this Trojan, including:

  • Displaying ads in hidden windows and clicking on them automatically
  • Downloading malicious executable files and installing unauthorized apps
  • Opening links in invisible WebView windows to execute harmful JavaScript

Additionally, the Trojan can subscribe users to paid services without consent and redirect internet traffic through infected devices, effectively using them as proxies.

Geographic Impact

From August 26 to September 15, the Necro Trojan was reported to target tens of thousands of users across several countries, including Russia, Brazil, Vietnam, Ecuador, and Mexico.

Conclusion

This recent outbreak highlights the ongoing risks associated with app downloads, particularly from unverified sources. Users are urged to exercise caution and remain vigilant about their app choices.
