Millions at Risk as Necro Trojan Infects Google Play Apps
The Necro malware has resurfaced with enhanced capabilities, posing a growing threat to smartphone users globally. Initially discovered in 2019, Necro first came to light when it infected the widely used CamScanner – Phone PDF Creator app, which had more than 100 million downloads on Google Play. Since then, the malware has evolved significantly. Its latest variant has been found distributed through both legitimate applications on Google Play and modified versions of popular apps and games that are available from unofficial sources.
Two high-profile applications infected with the malware are Wuta Camera, which had more than 10 million downloads, and Max Browser, with over 1 million downloads from Google Play. These infected apps have since been removed from the official store following the discovery. However, the malware's reach extends beyond these, infiltrating unofficial mods of globally popular apps like Spotify and WhatsApp, and well-known games such as Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. These infected versions, often circulated through third-party and unofficial sources, pose a hidden danger to users who may not suspect the risks involved in downloading software from outside official app stores.
The widespread distribution of Necro has been linked to the use of untrusted ad integration solutions by app developers, exposing vulnerabilities in the apps’ advertising software development kits (SDKs). For instance, one infected Spotify mod was found to contain an SDK designed to integrate multiple advertising modules. One of these modules was detected sending sensitive data such as device and app information to a command-and-control (C&C) server, which subsequently delivered a hidden malicious payload through an image file. In the case of the WhatsApp mod, the infection method was slightly different. This mod used Google’s Firebase Remote Config cloud service for communication with the C&C server, although the final outcome was the same—infecting the device with a trojan that shares common characteristics with the Necro family, such as similar code structure, functionality, and use of the same known C&C servers.
Once installed on a device, Necro exhibits a range of harmful behaviors. The malware has the ability to download additional malicious modules that engage in various activities, including displaying ads in invisible windows and automatically clicking on them to generate fraudulent ad revenue. It can also download executable files, install third-party applications without user consent, and open arbitrary links within hidden WebView windows, allowing it to execute JavaScript code silently.
In addition to these activities, Necro’s modules can subscribe users to paid services without their knowledge, potentially leading to unauthorized charges. Furthermore, the malware can redirect internet traffic through infected devices, using them as proxies, which can help attackers conduct illicit activities while masking their true location and identity.
Kaspersky, the cybersecurity firm that discovered this latest iteration of Necro, has observed the malware actively targeting tens of thousands of users between August 26 and September 15, with a concentration of victims in countries like Russia, Brazil, Vietnam, Ecuador, and Mexico. This discovery underscores the growing threat posed by malware spread through untrusted SDKs and unofficial app sources, where users may unknowingly download infected software.
The case of Necro serves as a reminder of the importance of vigilance when downloading applications, even from official platforms like Google Play. The risks are amplified when apps are downloaded from third-party or unofficial sources, which often lack the security scrutiny applied by official app stores. As cyber threats continue to evolve, it becomes increasingly important for users to be aware of the potential risks and take proactive steps to protect their devices from malicious software like Necro.