The Necro Trojan is back on Google Play, infecting at least 11 million Android devices

The Necro Trojan is back on Google Play, infecting at least 11 million Android devices

mobile phones, 24.09.2024, 11:30 AM

The new version of the Necro malware for Android has been installed on 11 million devices via Google Play, the company warned Kaspersky. Necro is installed via adware development kits (SDKs) that use legitimate apps, mods for Android games, and modified versions of popular software, such as Spotify, WhatsApp, and Minecraft.

Kaspersky discovered the Necro malware in two applications on Google Play, both of which have a significant number of users.

The first is Wuta Camera, a photo editing and beautification app with more than ten million downloads on Google Play. Necro appeared in the app with the release of version 6.3.2.148, and remained in it until version 6.3.6.148, when Kaspersky notified Google about it. Although the Trojan was removed in version 6.3.7.138, anything that may have been installed via older versions may still be on Android devices.

The other legitimate app where Necro was discovered was Max Browser, which had a million downloads on Google Play until it was removed, following a report by Kaspersky. However, Kaspersky says that the latest version of Max Browser, 1.2.0, still contains Necro, so there is no clean version to upgrade, and users are advised to uninstall it immediately and switch to another browser.

Kaspersky says the two applications are infected with an SDK called “Coral SDK”.

Outside the Play Store, Necro spreads primarily through modified versions of popular apps (mods) distributed through unofficial websites, such as WhatsApp mods “GBWhatsApp” and “FMWhatsApp”, which promise better privacy controls and less restrictions on file sharing. Another is Spotify’s mod, “Spotify Plus”, which promises free access to premium services without ads. Kaspersky also mentions Minecraft mods and mods for other popular games such as Stumble Guys, Car Parking Multiplayer and Melon Sandbox, which are infected with the Necro loader.

In all cases, the issues were the same – showing ads in the background that attackers make money from, installing apps and APKs without user consent, and using invisible WebViews to interact with paid services.

Since unofficial Android app stores do not reliably report the number of downloads, the total number of infections with the new version of the Necro Trojan is unknown.

Photo: Pathum Danthanarayana | Unsplash

Source: www.informacija.rs