It has raised an alarm among Android users when malicious software was discovered on apps downloaded millions of times. Recently, a highly developed multi-stage malware loader, known as the Necro Trojan, was found in two very popular applications hosted on the Google Play Store, leaving millions of devices open to cyberattacks.
Necro Trojan: An Emerging Menace
Recently, Kaspersky, a well-known cybersecurity company, detected the presence of the Necro Trojan in two Android applications, namely Wuta Camera and Max Browser. Together, these applications reached downloads of more than 11 million copies from the Google Play Store-what had been one of the most extensive infections so far. The Wuta Camera application itself has over 10 million downloads, and the Max Browser application has more than 1 million downloads. Even if the infected versions are gone from the Play Store, the harm is already there.
Wuta Camera: A popular photo editing app with over 10 million downloads was infected. About the incident:.
First discovered in 2019, the Necro Trojan gained significant attention when it infected the CamScanner – Phone PDF Creator app, which has over 100 million downloads on Google Play. The Necro Trojan malware has made its way back in 2023 in its latest variant, spread through official apps on the Play Store and via modified variants of popular apps from unofficial sources.
CamScanner: This PDF creator application had more than 100 million downloads prior to becoming infected with the Necro Trojan back in 2019. Here’s more on CamScanner’s history.
How Necro Trojan Works
Once this Necro Trojan gets loaded onto a device, this becomes a multi-stage malware loader-a way for an attacker to gain control over infected devices. The malware can conduct a number of malicious activities such as:
- Displaying ads in invisible windows and clicking on them
- Downloading and installing third-party applications
- Sending and opening random links, running of JavaScript code via hidden WebView windows
- Signing users up for premium services sans users’ knowledge
- Routing internet traffic via victim’s device – proxying it, in essence
Unofficial Mods of Popular Apps Targeted
Beyond the two infected applications from the Google Play Store, the research unveiled that Kaspersky has tried to distribute modifications of popular applications and games, including Spotify, WhatsApp, and Minecraft, via unofficial sources with hidden Necro infections. These include popular mods for games like Stumble Guys, Car Parking Multiplayer, and Melon Sandbox-which further increases the scale of the threat.
But then came the modified version of Spotify, detected via an SDK that implemented several in-app advertising modules, one of which was found sending sensitive device and application information to a C2 server, which then downloaded a malicious payload masquerading as an image-the classic technique known to cybercriminals for bypassing detection.
In the meantime, the WhatsApp mod was infected, too, but this time, it used a completely different approach. It leveraged Google’s Firebase Remote Config service for C&C but eventually delivered the same kind of malware.
Modded Apps: Be wary of app unofficial mods, such as Spotify and WhatsApp, which have malware hidden inside.
Impact and Spread of the Necro Trojan
According to Kaspersky’s data, the Necro Trojan actively spread across several countries, with the most lively outbreaks observed in Russia, Brazil, Vietnam, Ecuador, and Mexico. Since August 26 up to September 15, this Trojan has attacked tens of thousands of users, infecting their devices and probably causing serious harm.
With such geographical spread, the Necro Trojan becomes a concern for Android users across the world-not just the users in those regions. The dependence on third-party apps and downloading of applications from unofficial sources increases the risk further.
Global Spread: How Necro Trojan is Affecting Users in Several Countries, this Says Volumes About Becoming More Cautious While Downloading Apps.
Google’s Response and Ongoing Efforts
As yet, there is no official word from Google on how the Necro Trojan managed to slip into its Play Store. This, however, is not the first time malicious apps have bypassed Google’s security checks; such incidents do raise a question or two about the search giant’s vetting process. Though the infected apps were removed, Google Play has struggled in the past to keep malware completely off its platform.
While Google continues to improve its Play Protect security features that are supposed to automatically scan for malware apps, incidents of this type show the need to get applications only from trusted sources and stay current with information about the potential dangers.
Google Play Protect: Google’s security feature for applications – not perfect. More on how Google scans for malware.
Protect your device: What you can do
The mere presence of the Necro Trojan on apps downloaded millions of times from the official Play Store was pretty disconcerting for any Android user. Here are some steps you can take to protect your device:
- Update your apps: Make sure your apps are updated. There are often patches released by developers for fixing security vulnerabilities.
- Avoid unofficial sources of apps: Use only the Play and other reputable stores; never download any modified versions of popular apps from unverified sources.
- Install reliable security software: It should be a trusted antivirus application that is able to detect malware and protect your device. Very good options are Kaspersky’s Mobile Security for Android users.
- Keep an eye on app permissions: On a regular basis, review the permissions that every app requests and remove those that may raise suspicion or appear not quite necessary.
Follow these tips, and falling prey to Trojans like Necro will be minimal, thus saving your personal information from falling into the hands of cybercriminals.
Final Thoughts
But the unmasking of the Necro Trojan in applications downloaded more than 11 million times from the Google Play Store serves to illustrate how malware targeting Android remains very much a here-and-now threat. With Google having removed the infected apps from its store, the onus now lies with the users to be situationally aware and proactive in terms of self-protection.
In view of more serious cyber threats, it will be very important to stay abreast of security issues, use protection software of good standing, and not download apps from unofficial sites and stores.
More News: Tech News
