Delete These Two Apps Immediately: 11 Million Smartphones Compromised
Compromised Apps Distributing Malware
Modified versions of popular Android apps, including ones linked to Spotify, WhatsApp, and Minecraft, have been used to distribute a new variant of the notorious Necro malware loader.
Kaspersky, a cybersecurity firm, reports that some of these malicious apps were also found on the Google Play Store, where they accumulated over 11 million downloads combined.
Notable examples include the following:
- Wuta Camera – Nice Shot Always – over 10 million downloads
- Max Browser-Private & Security – over 1 million downloads
Max Browser is no longer available on the Play Store, while Wuta Camera has been updated (version 6.3.7.138) to remove the malicious code.
Understanding the Malware Compromise
It remains unclear how these apps became infected, but the suspected source is a rogue Software Development Kit (SDK) that integrates advertising functionality.
Necro was first discovered by Kaspersky in 2019, when it was found embedded in the popular document-scanning app CamScanner.
CamScanner later attributed the issue to a third-party advertising SDK named AdHub, which allegedly contained a malicious module capable of retrieving additional malware from a remote server, effectively acting as a "loader" for other malware on victims' devices.
The Threat Posed by Android Malware Necro
The latest version of the malware continues this pattern, using obfuscation to evade detection and, in particular, steganography to conceal its payload.
Kaspersky researcher Dmitry Kalinin noted, “The downloaded payloads may, among other things, display ads in invisible windows and interact with them, download and execute DEX files, and install downloaded applications.”
Additionally, it has the capability to “open arbitrary links in invisible WebView windows and execute any JavaScript code contained within, creating a connection through the victim’s device and potentially subscribing them to paid services.”
Main Distribution Channels of Necro
One primary distribution channel for Necro is modified versions of popular apps and games hosted on unofficial websites and app stores.
Once launched, these apps initialize a module called Coral SDK, which sends an HTTP POST request to a remote server.
The server responds with a link to a seemingly innocuous PNG image hosted on adoss.spinsok[.]com, from which the SDK extracts the main payload: a Base64-encoded Java archive (JAR).
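As an added defender-side example (not code from the article or from Kaspersky's research), the following Python script checks an image for the carrier pattern described above: a PNG that carries a Base64-encoded JAR. The article does not say how Necro hides the data inside the image, so this script assumes the simplest placement, Base64 text appended after the PNG's IEND chunk, and builds its own benign 1x1 PNG and stub JAR as constructed samples.

```python
import base64
import io
import struct
import zipfile
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"  # local file header shared by ZIP and JAR

def _chunk(ctype, data):
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def build_sample_png(payload=None):
    """Constructed 1x1 RGB PNG (not a real Necro carrier); a payload, if given,
    is Base64-encoded and appended after IEND, the placement assumed here."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\xff\xff")  # filter byte 0 + one white pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png + base64.b64encode(payload) if payload else png

def build_sample_jar():
    """Constructed benign JAR stand-in: a ZIP holding only a manifest, no code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()

def inspect_png(data):
    """Walk the chunks up to IEND and report on anything appended after it.
    'jar' holds the decoded bytes when the trailer is Base64 of a ZIP/JAR header."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            break
    else:
        raise ValueError("truncated PNG: no IEND chunk")
    trailer = data[pos:]
    report = {"trailing_bytes": len(trailer), "base64": False, "jar": None}
    try:
        decoded = base64.b64decode(trailer, validate=True) if trailer else None
    except ValueError:  # binascii.Error is a ValueError subclass
        return report
    if decoded is not None:
        report["base64"] = True
        report["jar"] = decoded if decoded.startswith(ZIP_MAGIC) else None
    return report
```

Any non-empty trailer after IEND is already worth flagging in an image served by an ad SDK; the Base64/ZIP check only tells you whether it matches this specific loader pattern.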
Kaspersky's telemetry indicates that more than ten thousand Necro attacks were blocked worldwide between August 26 and September 15, 2024, with the highest numbers reported in Russia, Brazil, Vietnam, Ecuador, Mexico, Taiwan, Spain, Malaysia, Italy, and Turkey.
All identified harmful versions of the apps have been removed from Google Play.
Android users are also automatically protected against known variants of this malware by Google Play Protect, which is enabled by default on devices with Google Play Services.
Google Play Protect warns users about, or blocks, apps that exhibit harmful behavior.