Over 11 Million Android Devices Infected by Necro Malware Through Google Play Apps
A new variant of Necro malware, first detected in 2019, has been found infecting over 11 million Android devices through apps distributed on the Google Play Store.
The malware was identified by researchers at Kaspersky Lab, who discovered that it was spread via malicious advertising software development kits (SDKs) embedded in apps on Google Play, as well as through modified versions of popular games and applications available on unofficial app stores.
One of the compromised apps, Wuta Camera, was downloaded more than 10 million times from Google Play. Another app, Max Browser, had over 1 million downloads from Google’s official store. Both infected apps have since been removed by Google.
According to Kaspersky researchers, the malware was introduced through an ad SDK known as “Coral SDK,” which used obfuscation methods to conceal its malicious activities. For the second stage of infection, the malware employed image steganography via a “shellPlugin” disguised as a harmless image file.
Once installed on an Android device, the malware operates in the background, displaying ads in invisible windows, clicking on them, downloading executable files, installing third-party apps, and opening arbitrary links to execute JavaScript. It can also subscribe users to paid services without their knowledge and reroute internet traffic through infected devices, turning them into proxies.
Katie Teitler-Santullo, a cybersecurity strategist at OX Appsec Security, explained that while users cannot control the SDKs embedded in apps, developers can take precautions to ensure the SDKs they use are safe. “Developers should verify that the SDK is signed with a valid certificate and comes from a trusted source,” she told SiliconANGLE in an email.
Teitler-Santullo also advised that developers scan their source code for unauthorized access or malicious content, adding that “it’s best practice for AppSec teams to conduct various types of scans, including SAST, DAST, dependency, and vulnerability scans, both before deployment and during runtime.”
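As an added example tied to the steganographic "shellPlugin" stage described above and to the dependency-scan advice here (this is not code from Kaspersky's report, the article, or any named vendor), the check below walks a PNG's chunk structure and flags files that are malformed or that carry extra bytes after the IEND chunk. It assumes, as a labelled hypothesis, that a second-stage payload is appended after the image's end marker; the article does not state how the payload was embedded, and the sample PNG is constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes):
    """Parse the PNG chunk list and return (chunk_types, trailing_len).

    Returns None when the file is not a well-formed PNG (bad signature,
    truncated chunk, or CRC mismatch); a malformed "image" inside an SDK is
    itself worth a closer look during a dependency scan.
    """
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    types = []
    while True:
        if pos + 8 > len(data):
            return None  # truncated before a chunk header
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_end = pos + 8 + length
        if body_end + 4 > len(data):
            return None  # truncated chunk body or missing CRC
        body = data[pos + 8:body_end]
        crc = struct.unpack(">I", data[body_end:body_end + 4])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return None  # corrupted or hand-edited chunk
        types.append(ctype.decode("ascii", "replace"))
        pos = body_end + 4
        if ctype == b"IEND":
            break  # anything after this point is not part of the image
    return types, len(data) - pos


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(extra: bytes = b"") -> bytes:
    """Constructed 1x1 grayscale PNG; `extra` simulates bytes smuggled after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    raw = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", raw) + _chunk(b"IEND", b"") + extra


def suspicious(data: bytes) -> bool:
    """True if the image is malformed or carries data past IEND."""
    result = png_trailing_bytes(data)
    return result is None or result[1] > 0
```

Run it over every image asset unpacked from an APK or AAR; a hit is a reason to inspect the SDK, not proof of malice on its own, since some tools append harmless metadata.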