Two applications with a combined download count of roughly 11 million in the official Google Play application store were found infected with the Necro trojan, according to a report from anti-malware vendor Kaspersky.
A multi-stage loader, Necro was initially discovered in 2019, after it had infected the CamScanner – Phone PDF creator app with more than 100 million downloads in Google Play.
The new variant of the malware making the rounds now is distributed through both applications in Google Play and modified versions of popular applications and games available via unofficial sources.
One of these apps, Wuta Camera, has been downloaded more than 10 million times, according to Google Play telemetry. Another app, Max Browser, has over 1 million downloads from the official app store. The infected versions of both applications have since been removed from Google Play, Kaspersky said.
According to Kaspersky documentation, the malware has found hidden unofficial mods for Spotify, WhatsApp, and popular games such as Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox.
The company said Necro’s presence in applications distributed via diverse sources can be explained by the use of an untrusted solution for ad integration by the applications’ developers.
The Spotify infected mod contained an SDK intended for integrating several advertising modules, including one that was caught sending device and application information to a command-and-control (C&C) server and receiving a payload hidden in an image.
The loader injected within the WhatsApp mod, however, was different, using Google’s Firebase Remote Config cloud service for C&C, but eventually leading to the execution of the same payload.
In both cases, the victim devices were infected with a trojan containing numerous characteristics associated with the Necro family, including similar code and functionality, similar payload structure, and the use of a known Necro C&C server.
“The variant of Necro discovered by Kaspersky experts can download modules onto infected smartphones that display ads in invisible windows and click on them, download executable files, install third-party applications, and open arbitrary links in invisible WebView windows to execute JavaScript code,” Kaspersky added.
Additionally, the malware can subscribe users to paid services, while the modules can redirect internet traffic through victim devices, using them as proxies.
According to Kaspersky, between August 26 and September 15, the trojan was seen targeting tens of thousands of users in Russia, Brazil, Vietnam, Ecuador, and Mexico.
SecurityWeek has emailed Google for a statement on Necro slipping into Google Play and will update this article as soon as a reply arrives.
Related: 1.3 Million Android TV Boxes Infected by Vo1d Malware
Related: Meta Warns of Password Stealing Phone Apps
Related: 21 Malicious Apps Downloaded 8 Million Times From Google Play