Security researchers at Kaspersky Lab Inc. have discovered a new version of the Necro malware that has been installed on at least 11 million Android devices via Google Play and unofficial app sources.
For those unaware, Necro malware first emerged in 2019 in CamScanner, a phone PDF creator app that was downloaded more than 100 million times from Google Play.
However, the new variant of the Necro malware is a multi-stage loader that uses advanced methods like steganography and obfuscation to evade detection and hide payloads.
Further, the malware was installed on Android devices through malicious advertising software development kits (SDK) used by legitimate apps on Google Play and modified versions of popular software, such as Spotify and WhatsApp, as well as Android game apps like Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox available through unofficial app stores.
Kaspersky found the new Necro malware in two apps on Google Play. The first is “Wuta Camera,” a free app offering real-time beautification, facial feature adjustments, and makeup filters. Developed by “Benqu,” this app has over 10,000,000 downloads on Google Play.
According to Kaspersky, the Necro loader was present from version 6.3.2.148 until 6.3.2.148 of Wuta Camera, when the security company notified Google.
While the malicious code was removed in version 6.3.7.138, Android users who are using a version lower than that are still at risk and are requested to update it immediately.
The second legitimate app that had the Necro malware is “Max Browser,” created by “WA message recover-warm.”
This web browser had been downloaded over a million times from Google Play until it was removed following Kaspersky’s notification.
As per Kaspersky, the latest version, 1.2.0, still contains the Necro loader and is available on third-party resources. It advises users to uninstall this version immediately and switch to a different browser.
In both cases, Kaspersky says the apps were infected through an advertising SDK named “Coral SDK,” which used obfuscation methods to hide its malicious activities. It also used image steganography to deliver the second-stage payload, shellPlugin, disguised as harmless PNG images.
Once an Android device is infected, the loader activates a range of malicious plugins: modules that display ads in invisible background windows to generate fraudulent revenue for the attackers, modules that download and execute arbitrary JavaScript and DEX files, modules that install downloaded apps, modules that tunnel traffic through the victim’s device, and modules that can, potentially, take out paid subscriptions.
While the exact number of Android devices infected by this latest Necro malware is unknown, it is estimated to have affected at least 11 million Android devices from Google Play alone.
According to Kaspersky, the malware was seen targeting tens of thousands of users in Russia, Brazil, Vietnam, Ecuador, and Mexico between August 26th and September 15th.
To protect against potential threats, Kaspersky recommends users update the affected Google Play apps to a version where the malicious code has been removed or delete them from Android devices.
It also advises users to download apps from official sources only and use a trustworthy security solution to safeguard the device from attempts to install malware.