A new version of the Necro malware has infiltrated over 11 million Android devices through apps available on Google Play, exploiting vulnerabilities in software development kits (SDKs) used by legitimate apps. This latest wave of attacks represents a serious threat to Android security, leveraging supply chain attacks to infect devices and deliver malicious payloads. The Necro Trojan, also known as the Necro malware loader, was distributed through legitimate apps on the Google Play Store by embedding itself in malicious SDKs. Once installed, it delivered a range of harmful plugins, allowing attackers to generate fraudulent revenue and further compromise devices.

 Malicious Payloads and Plugins

The infected devices received a variety of malicious plugins, including adware that runs hidden links through invisible WebView windows, and modules that download and execute arbitrary JavaScript and DEX files. These plugins were installed through SDKs such as the Island plugin, Cube SDK, Happy SDK, and Jar SDK. Some plugins also enabled subscription fraud and routed malicious traffic through infected devices using the NProxy plugin. By utilizing SDK-based malware, Necro infects Android devices without raising immediate suspicion. The malware operates in the background, displaying ads to generate fraudulent income for the attackers, and interacting with paid services using invisible WebViews.

 Infected Apps on Google Play

According to Kaspersky security researchers, Necro was found in two legitimate apps on Google Play: Wuta Camera and Max Browser. 

• Wuta Camera, a popular photo editing tool with over 10 million downloads, became a carrier of the Necro Trojan through its version 6.3.2.148. The malware persisted through various updates until version 6.3.6.148 when Kaspersky alerted Google about the issue. Although the infected code was removed in version 6.3.7.138, devices with older versions may still harbor malicious payloads. 
• The second app, Max Browser, had approximately 1 million downloads before being removed from Google Play. Kaspersky discovered that even in its latest version (1.2.0), the app still carries Necro malware. As a result, users are strongly advised to uninstall Max Browser immediately, as there is no clean version available.
• The Necro Trojan reached millions of devices through an advertising SDK named Coral SDK, which was used to distribute the malware covertly. The Coral SDK employed obfuscation techniques and image steganography to hide the second-stage payload, known as shellPlugin, within seemingly harmless PNG images.

 Google’s Response to the Malware Threat

Google was quick to respond once alerted to the threat. A spokesperson for the company confirmed that all known malicious versions of the infected apps were removed from Google Play before the Kaspersky report went public. Google Play Protect, which is automatically enabled on devices with Google Play Services, helps to shield users from known malware versions. Google Play Protect scans apps for suspicious behavior and can block or warn users if malware is detected, even if the app is sourced from outside the Play Store. While these measures help protect Android users, apps infected with the Necro Trojan remain a significant concern. Users who downloaded the affected versions of Wuta Camera or Max Browser are encouraged to check their devices for any lingering threats and remove the apps if necessary. Infected users should also monitor their devices for abnormal behavior, such as unexpected ads or unauthorized app installations.

 Necro’s Spread Beyond Google Play

Though the Google Play Store is the primary avenue through which Necro malware spread, the threat also exists in unofficial app repositories. Modified versions of popular apps, such as GBWhatsApp, FMWhatsApp, and Spotify Plus, were found to be infected with the Necro loader. These modified apps, which promise features like enhanced privacy and access to premium services, were distributed outside the Play Store, putting millions more devices at risk. Popular game mods, including Minecraft and Stumble Guys, have also been compromised. By distributing infected versions of popular games and apps through unofficial channels, attackers can easily target users who seek modifications not available in official versions. Since download numbers on these unofficial websites are unreliable, the total number of Necro infections may be significantly higher than the 11 million devices confirmed through Google Play.

 Protecting Your Device

• Given the widespread nature of this malware attack, users are urged to take precautionary measures:
• Uninstall any infected apps, such as Wuta Camera or Max Browser, from your device.
• Enable and ensure Google Play Protect is active, as it can help detect and prevent malicious behavior.
• Avoid downloading apps from unofficial sources, as they are more likely to contain malicious code like Necro.
• Regularly check for updates to ensure apps remain free of vulnerabilities and malware.

As Android malware threats continue to evolve, staying informed and vigilant is crucial to protecting your device. For now, the Necro malware highlights the risks posed by malicious SDKs and underscores the importance of relying on official app stores for downloading software.