Malicious Apps on Google Play Store Deliver Necro Malware to Millions

Several legitimate Android apps, including popular ones like Spotify, WhatsApp, and Minecraft, have been altered to deliver a new variant of the Necro malware loader, according to cybersecurity firm Kaspersky. This new strain has been found in malicious versions of legitimate apps, some of which were available on the Google Play Store, with a cumulative download count of over 11 million.

The infected apps include:

  • Wuta Camera - Nice Shot Always (com.benqu.wuta) with over 10 million downloads.
  • Max Browser-Private & Security (com.max.browser) with over 1 million downloads.

As of now, Max Browser has been removed from the Play Store, while Wuta Camera has been updated (version 6.3.7.138) to remove the malware. A subsequent version, 6.3.8.148, was released on September 8, 2024.

The exact method of compromise for these apps remains unclear, but a rogue software development kit (SDK) intended for integrating advertising capabilities is suspected to be the culprit.

Necro Malware: A Persistent Threat

Necro, a malware loader first identified by Kaspersky in 2019, has resurfaced with new capabilities. It was originally hidden in the popular document scanning app CamScanner, whose developer later attributed the infection to an advertising SDK supplied by a third party, AdHub. That SDK contained a malicious module that retrieved additional malware from a remote server, acting as a loader for further payloads on victim devices.

The new version of Necro exhibits similar behavior but employs advanced obfuscation techniques to evade detection. It utilizes steganography to conceal its payloads, a rare tactic for mobile malware.

How Necro Works

Once installed, the malicious apps activate a module named Coral SDK, which initiates communication with a remote server. This server sends a link to a PNG image hosted on adoss.spinsok[.]com, which, upon extraction, reveals the primary payload – a Base64-encoded Java archive (JAR) file.
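The following is an added triage helper, not code from Kaspersky or from the malware, illustrating the kind of carrier-image check a defender can run on a PNG fetched by a suspicious app: it walks the chunk list, flags non-standard chunk types and any bytes appended after IEND, and tests whether such a trailer Base64-decodes to a ZIP/JAR header. Hiding the payload after IEND is an assumption chosen for illustration (this page does not describe Necro's exact embedding scheme), and the sample PNG and payload bytes are constructed.

```python
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"  # a JAR is a ZIP archive, so this is its magic
STANDARD_CHUNKS = {"IHDR", "PLTE", "IDAT", "IEND", "tEXt", "zTXt", "iTXt", "tIME",
                   "gAMA", "cHRM", "sRGB", "iCCP", "bKGD", "pHYs", "sBIT", "tRNS"}

def parse_png_chunks(data):
    """Walk the chunk list; return (chunk type names, bytes found after IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, names = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated chunk: " + ctype.decode("latin-1"))
        names.append(ctype.decode("latin-1"))
        pos += 12 + length            # length + type + body + CRC
        if ctype == b"IEND":
            break
    return names, data[pos:]

def find_hidden_jar(data):
    """Flag non-standard chunks, trailing data, and a Base64 ZIP/JAR trailer."""
    names, trailer = parse_png_chunks(data)
    report = {"nonstandard_chunks": sorted(set(names) - STANDARD_CHUNKS),
              "trailing_bytes": len(trailer), "trailer_is_base64_jar": False}
    if trailer:
        try:  # validate=True rejects anything outside the Base64 alphabet
            decoded = base64.b64decode(trailer.strip(), validate=True)
            report["trailer_is_base64_jar"] = decoded.startswith(ZIP_MAGIC)
        except ValueError:
            pass
    return report

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample_png(trailer=b""):
    """Constructed 1x1 RGB PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b"") + trailer)

# Constructed stand-in for a hidden payload: ZIP magic plus filler, not a real archive.
FAKE_JAR_B64 = base64.b64encode(ZIP_MAGIC + b"\x14\x00constructed filler")
```

Running `find_hidden_jar(build_sample_png(FAKE_JAR_B64))` reports a trailer that decodes to a ZIP header, while the clean sample reports nothing; a real image with an unexpected trailer or unknown chunk types deserves a closer look.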

The malware's capabilities include:

  • Displaying Ads in Invisible Windows: Necro can display ads in invisible windows and interact with them covertly.
  • Executing Arbitrary DEX Files: It can download and execute arbitrary DEX files, effectively installing additional applications without user consent.
  • Opening Links in Invisible WebView Windows: This functionality allows the malware to open any link in a hidden WebView and execute JavaScript code, potentially subscribing users to paid services without their knowledge.
  • Running a Tunnel Through the Victim's Device: Necro can create a tunnel through the infected device using the NProxy module, potentially enabling further malicious activities.

Modular Architecture for Maximum Impact

Necro's modular architecture allows it to perform a variety of functions depending on the modules it downloads from the command-and-control (C2) server. These modules include:

  • NProxy: Creates a tunnel through the victim's device.
  • island: Generates a pseudo-random number to set intervals for displaying intrusive ads.
  • web: Periodically contacts the C2 server and executes arbitrary code with elevated permissions.
  • Cube SDK: Loads other plugins to handle ads in the background.
  • Tap: Downloads arbitrary JavaScript code and a WebView interface from the C2 server for covertly loading and viewing ads.
  • Happy SDK/Jar SDK: Combines NProxy and web modules with slight modifications.

The recent discovery of the Happy SDK suggests that the threat actors are experimenting with a non-modular version of Necro, potentially adding new features or simplifying its deployment.

Global Reach and Impact

Kaspersky's telemetry data indicates that it blocked over ten thousand Necro attacks worldwide between August 26 and September 15, 2024. The countries most affected include:

  • Russia
  • Brazil
  • Vietnam
  • Ecuador
  • Mexico
  • Taiwan
  • Spain
  • Malaysia
  • Italy
  • Turkey

"This new version is a multi-stage loader that uses steganography to hide the second-stage payload, a very rare technique for mobile malware, as well as obfuscation to evade detection," said Dmitry Kalinin, a researcher at Kaspersky. "The modular architecture gives the Trojan's creators a wide range of options for both mass and targeted delivery of loader updates or new malicious modules depending on the infected application."

Protecting Against Mobile Malware

To protect against threats like Necro, users should:

  • Download Apps Only from Trusted Sources: Avoid unofficial app stores and be cautious even when downloading from the Google Play Store.
  • Check App Permissions: Be wary of apps requesting excessive permissions.
  • Update Apps Regularly: Ensure that all apps are updated to the latest versions, as these often contain security patches.
  • Use Mobile Security Solutions: Employ a reputable mobile security solution to detect and block malware.

As mobile malware becomes increasingly sophisticated, users and organizations must remain vigilant and proactive in their security measures to safeguard their devices and data.

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067