Necro Trojan Infects Google Play Apps With Millions of Downloads

The Necro trojan was found in two Android applications in Google Play with a combined download count of over 11 million.

Two applications with a combined download count of roughly 11 million in the official Google Play application store were found infected with the Necro trojan, according to a report from anti-malware vendor Kaspersky.

A multi-stage loader, Necro was initially discovered in 2019, after it had infected the CamScanner – Phone PDF creator app with more than 100 million downloads in Google Play.

The new variant of the malware now making the rounds is distributed both through applications in Google Play and through modified versions of popular applications and games available via unofficial sources.

One of these apps, Wuta Camera, has been downloaded more than 10 million times, according to Google Play telemetry. Another app, Max Browser, has over 1 million downloads from the official app store. The infected versions of both applications have since been removed from Google Play, Kaspersky said.

According to Kaspersky documentation, the malware has been found hidden in unofficial mods for Spotify, WhatsApp, and popular games such as Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox.

The company said Necro’s presence in applications distributed via diverse sources can be explained by the use of an untrusted solution for ad integration by the applications’ developers.

The infected Spotify mod contained an SDK intended for integrating several advertising modules, including one that was caught sending device and application information to a command-and-control (C&C) server and receiving a payload hidden in an image.

The loader injected within the WhatsApp mod, however, was different, using Google’s Firebase Remote Config cloud service for C&C, but eventually leading to the execution of the same payload.

In both cases, the victim devices were infected with a trojan containing numerous characteristics associated with the Necro family, including similar code and functionality, similar payload structure, and the use of a known Necro C&C server.

“The variant of Necro discovered by Kaspersky experts can download modules onto infected smartphones that display ads in invisible windows and click on them, download executable files, install third-party applications, and open arbitrary links in invisible WebView windows to execute JavaScript code,” Kaspersky added.

Additionally, the malware can subscribe users to paid services, while the modules can redirect internet traffic through victim devices, using them as proxies.

According to Kaspersky, between August 26 and September 15, the trojan was seen targeting tens of thousands of users in Russia, Brazil, Vietnam, Ecuador, and Mexico.

SecurityWeek has emailed Google for a statement on Necro slipping into Google Play and will update this article as soon as a reply arrives.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
