Necro Malware Discovered in Popular Play Store Apps – Mobilesspecs

In a concerning discovery, Necro malware has resurfaced in altered versions of popular Android apps, including those associated with widely used platforms such as Spotify, WhatsApp, and Minecraft. Researchers found the latest version of this dangerous malware loader hidden in legitimate apps like Wuta Camera and Max Browser, some of which were available on the Google Play Store. The threat has already impacted millions of users globally, exposing them to potential data breaches, financial theft, and device manipulation.

Necro Malware on Play Store Apps

Security researchers from Kaspersky identified the presence of Android malware in a variety of apps, with some of these malicious versions downloaded over 11 million times. The compromised apps include:

  • Wuta Camera – Nice Shot Always (com.benqu.wuta) – with over 10 million downloads.
  • Max Browser-Private & Security (com.max.browser) – with more than 1 million downloads.

While Max Browser was removed from the Play Store, the developers of Wuta Camera updated the app to remove the malware: the problem described in this article was fixed in version 6.3.8.148, released on September 8, 2024. The origin of the infection is still unclear; it is believed the attackers introduced the malware through a compromised SDK used for advertising integration.

Necro: A Persistent Threat

Necro, not to be confused with the similarly named botnet, first appeared in late April 2019, when it was surreptitiously included in the document-scanning app CamScanner. At the time it arrived bundled in a compromised advertising SDK from a third-party company known as AdHub. Necro is a loader: it fetches additional malware from a remote server and installs it on the victim’s device.

Necro’s latest release behaves like a Trojan: it not only obfuscates its payloads but also uses steganography, concealing its actual files inside seemingly harmless ones such as images. Once installed, the malware displays hidden ads, downloads arbitrary files without authorization, and even installs applications on the infected device without the user’s permission.

Once Necro infects a device, it deploys several malicious modules, or plugins, that give it a wide range of capabilities. These modules include:

  • NProxy: Creates a tunnel through the victim’s device for malicious traffic.
  • Island: Generates random intervals to display intrusive ads.
  • Web Module: Periodically contacts a command-and-control (C2) server to execute code with elevated permissions.
  • Cube SDK: Handles background ad loading.
  • Tap: Downloads JavaScript code from the C2 server to covertly view and load ads.
  • Happy SDK/Jar SDK: Combines functionalities from multiple modules for more efficient operations.

These plugins allow the malware to manipulate the infected device extensively, including downloading and executing malicious Java files, running unauthorized processes, and even opening paid subscription services.

Distribution Through Modded Apps

A significant distribution channel for Necro is modded versions of popular apps and games hosted on unofficial app stores and websites. Once installed, these apps initialize a module called Coral SDK, which sends a request to a remote server. The server responds with a Base64-encoded Java archive (JAR) hidden inside an image file; this archive contains the main Necro payload.
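As an added defensive check (not code from the article or from Kaspersky), the following Python scans an image file for an embedded JAR, either appended raw after the image data or hidden as a run of Base64 text, which is the concealment described for the Coral SDK download above and the steganography noted earlier. The PNG stub and the tiny archive inside it are constructed here purely as test input.

```python
import base64
import io
import re
import zipfile

# A Base64-encoded JAR is a long run of Base64 characters; 64 is a conservative floor.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
_ZIP_MAGIC = b"PK\x03\x04"  # ZIP local-file-header signature (a JAR is a ZIP)


def _jar_entries(blob: bytes):
    """Return the entry names if blob parses as a ZIP/JAR archive, else None."""
    if not blob.startswith(_ZIP_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def find_hidden_jars(image: bytes) -> list:
    """Report JAR archives hidden in image bytes, raw-appended or Base64-encoded."""
    hits = []
    # Case 1: an archive simply appended after the real image data.
    pos = image.find(_ZIP_MAGIC, 1)
    if pos > 0 and (names := _jar_entries(image[pos:])) is not None:
        hits.append({"offset": pos, "encoding": "raw", "entries": names})
    # Case 2: a Base64 text run whose decoded bytes form an archive.
    for m in _B64_RUN.finditer(image):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if (names := _jar_entries(blob)) is not None:
            hits.append({"offset": m.start(), "encoding": "base64", "entries": names})
    return hits


def build_sample_image() -> bytes:
    """Constructed test input: a PNG stub with a Base64 archive after its IEND chunk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("payload.bin", b"\x00" * 16)  # placeholder bytes, not real code
    png_stub = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + b"IEND\xaeB`\x82"
    return png_stub + base64.b64encode(buf.getvalue())
```

Running `find_hidden_jars` over a real image that contains no archive returns an empty list, so the check is cheap enough to apply to every image an app downloads at runtime.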

Necro’s Global Impact

Kaspersky’s telemetry data indicates that between August 26 and September 15, 2024, over ten thousand Necro attacks were blocked worldwide. The countries most affected include Russia, Brazil, Vietnam, Mexico, Ecuador, and Taiwan.

This wave of attacks shows how Necro can download new versions of itself to fit the attackers’ operational needs. I also discovered that attackers can use the malware in both mass attacks and mass-targeted attacks, making it an even more powerful tool in cyberspace.

Necro’s Advanced Evasion Tactics

Using steganography to hide a payload is a rare and advanced technique for mobile malware. It lets Necro slip past typical security measures, since the code is hidden inside image files. The malware also employs additional forms of camouflage to resist detection by security software, which makes it quite difficult to detect.

Google’s Response and Security Measures

Google acted decisively after the discovery, pulling the dangerous versions of these apps from the Play Store before the news broke. Google says Play Protect, the security feature that runs on Android devices and scans apps, has been proactively shielding users from known Necro variants.

A Google spokesperson emphasized that Play Protect is enabled by default on Android devices with Play Services, offering users a safeguard even if they inadvertently download apps from unofficial sources.

Conclusion

The re-emergence of Necro in well-known Android applications shows that malicious SDKs, and the apps that depend on them, remain a threat. Necro poses a serious challenge to security practitioners because it is adaptive, very discreet, and able to change many of its characteristics depending on the delivery method. Experts encourage users to be careful when downloading apps, even from the Google Play Store, and to keep their existing apps updated.

As Necro and similar tools evolve, both developers and users will have to be wiser to keep threats this effective away from their networks and systems.

I believe that this highlights the importance of caution when downloading apps, even from trusted sources, and the need for robust security practices to combat sophisticated threats. Now, what do you think: how can users protect themselves from malware hidden in legitimate apps? What role should app developers play in preventing malware integration?

Share your thoughts. 