A new version of the Necro malware has reportedly affected over 11 million Android users through supply chain attacks, malicious SDKs, and modded versions of apps and games, according to a report by Securelist. The Necro loader, recently discovered by Kaspersky, has been detected in legitimate apps, game mods, and modded versions of popular applications like Minecraft, Spotify, and WhatsApp.
How Necro Trojan Spreads
Necro malware spreads through both official and unofficial app stores. On Google Play, the trojan was found embedded in two apps: Wuta Camera by ‘Benqu’ and Max Browser by ‘WA message recover-wamr’. These apps collectively garnered over a million downloads. While the malware has been removed from Wuta Camera in a new version, Kaspersky’s report suggests that the latest version of Max Browser still carries the trojan.
Outside Google Play, Necro primarily spreads through modded versions of apps and games. These unofficial versions claim to offer features not available in the official releases and are popular among users seeking enhanced functionality. Some notable examples include Spotify Plus, GBWhatsApp, and FBWhatsApp, as well as modded games like Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. These modded apps are typically distributed through third-party websites and app stores, which makes the number of infected users difficult to track and means the affected count may exceed 11 million.
Necro's Malicious Activities
Once the Necro trojan is installed on a device, it activates various payloads and harmful plugins that carry out a range of malicious activities. These include running adware in invisible windows, executing scripts that fraudulently activate subscriptions, and installing programs that route internet traffic through specific channels. These activities allow attackers to generate illicit profits by opening and clicking on advertisements in the background, unbeknownst to the user.
Specifically, in the case of Wuta Camera and Max Browser, Necro generated money for its operators by automating ad clicks.
Google's Response
Google acknowledged the presence of Necro in apps from the Play Store and revealed that over 11 million users had been affected. In a statement to BleepingComputer, a Google spokesperson confirmed that all identified malicious apps had been removed from the Play Store before the publication of the Kaspersky report. However, due to the prevalence of third-party app stores and modded versions, the total number of infected devices is likely much higher.
Risks to Users
The Necro malware poses significant risks to users by compromising device security, installing adware, and leading to potential data breaches or financial losses due to fraudulent subscriptions. Users are advised to avoid downloading apps from unofficial sources and to regularly update their devices to reduce exposure to such threats.