Cybersecurity researchers have revealed malware managed to sneak into the Google Play app store, infecting more than an estimated 11 million devices. The team from Kaspersky said the malware, called Necro, infiltrated an advertising software development kit (SDK) named ‘Coral SDK’, which should have been used to integrate different advertising modules into an application.
Several apps have been confirmed to be infected, including Wuta Camera and Max Browser. In addition, WhatsApp mods from unofficial sources and a modified version of Spotify known as Spotify Plus also contain the malware.
When Kaspersky discovered the malware and alerted the developers, Wuta Camera was said to have been fixed, and the malware was removed. If you happen to use this app, be sure to update it to version 6.3.7.138. However, Max Browser remains compromised, and researchers recommend deleting the app and switching to an alternative browser.
Using mods of #Spotify, #WhatsApp, or #Minecraft? You could be at risk! ⚠️
Discover how the Necro Trojan targeted 11M #Android users—and what it means for your #security ⇒ https://t.co/3CogDXJy3z pic.twitter.com/o2cc88Q9Xx
— Kaspersky (@kaspersky) September 26, 2024
The researchers also found that Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox had infected game mods.
The analysts said that downloaded payloads can perform various malicious activities, such as displaying ads in invisible windows and interacting with them, downloading and executing arbitrary DEX files, installing other applications, opening specific links in hidden WebView windows, and executing JavaScript code. It can also create a tunnel through the victim’s device and potentially subscribe to paid services without the user’s knowledge.
What is the Necro malware infecting Android devices?
Necro is a sophisticated Android downloader that receives commands from its creators to carry out malicious activities. Kaspersky’s systems have detected its spread across multiple countries, which suggests that it’s part of a larger, ongoing campaign that poses an increasing threat to mobile users globally.
The malware is designed to generate revenue for the attacker by executing processes in the background of the infected device.
The researchers recommend if you have any of the aforementioned Google Play apps installed and the versions are infected, update the app to a version where the malicious code has been removed, or delete it.
They also remind users to download applications from official sources only. Applications installed from unofficial platforms may contain malicious functionality.
In May, ReadWrite reported on another malware targeting Android devices. ThreatFabric discovered “Brokewell,” posing as a fake Chrome update.
Featured image: Ideogram