Necro Trojan Resurfaces in Google Play Store, Impacting Millions of Users

CyberSecureFox 🦊

In a concerning development for Android users worldwide, cybersecurity experts have found the Necro Trojan in two popular applications on the Google Play Store. Hidden inside seemingly innocuous apps, the malware may have reached users through over 11 million downloads, raising significant alarm in the cybersecurity community.

The Resurgence of Necro: A Sophisticated Threat

Researchers at Kaspersky Lab identified a new variant of the Necro Trojan in late August 2024. This version of the malware had already infiltrated two widely used applications on Google Play and was also spreading through alternative channels. The impact of this cyber threat has been particularly severe in Russia, Brazil, Vietnam, Ecuador, and Mexico.

Necro functions as a loader, capable of downloading and executing various malicious components based on commands received from its operators. This modular approach allows the Trojan to adapt and expand its capabilities, making it a versatile and dangerous threat.

Necro’s Arsenal: A Multi-Faceted Attack

The analyzed version of Necro demonstrates a range of malicious capabilities:

  • Displaying and auto-clicking invisible advertisements
  • Executing arbitrary JavaScript and DEX files
  • Installing third-party applications without user consent
  • Opening hidden WebView windows to run malicious JavaScript code
  • Potentially subscribing users to paid services without their knowledge

Perhaps most alarmingly, Necro can transform infected devices into proxy bots, allowing attackers to route traffic through victims’ devices and potentially implicating innocent users in further malicious activities.

The Infection Vector: Compromised SDK

Investigators traced the infection source to a third-party advertising SDK named Coral. This SDK employed sophisticated obfuscation techniques to conceal its malicious nature and utilized steganography to download additional payloads disguised as harmless PNG images.

Google Play Store Infiltration

The malware successfully penetrated the Google Play Store through two applications: Wuta Camera and Max Browser. These apps collectively amassed over 11 million downloads before the threat was detected. Upon notification, Google removed the malicious loader from Wuta Camera in version 6.3.7.138 and completely delisted Max Browser from the store.

This incident serves as a stark reminder of the ongoing challenges in maintaining app store security. It underscores the importance of robust vetting processes and the need for users to remain vigilant, even when downloading apps from official sources. As cyber threats continue to evolve, both platform providers and users must adapt their security practices to stay one step ahead of malicious actors.
