Ethical Hacking News
Necro malware has been found on several popular Android apps, including Wuta Camera and Max Browser, leaving thousands of users vulnerable to cyber threats. With its ability to deliver intrusive ads and steal money through fake subscription payments, this malware campaign is a stark reminder of the need for vigilance when downloading mobile apps from unverified sources.
Over 11 million Android devices are thought to be exposed to Necro malware-infected apps. A malicious app, Wuta Camera, was downloaded over 10 million times and had a developer claiming it had been downloaded up to 200 million times. Google removed the Necro code from an infected app, Max Browser, after discovering it. Malicious mods targeting popular apps like Spotify, WhatsApp, Minecraft, and Stumble Guys were common. The use of Necro malware highlights the need for Android users to be cautious when downloading apps from unverified sources.
The threat landscape of mobile devices, particularly those running on the popular Android operating system, has been a hotspot for malicious activities. In recent years, Android users have been exposed to various types of malware, including side-loaded spoofed apps and so-called mods that promised enhanced features but ultimately delivered malware infections. One particular piece of malware, known as Necro, has continued to pose a threat to Android users, with up to 11 million devices thought to be exposed to infected apps.
Kaspersky originally uncovered a Necro campaign in 2019, exposing an estimated 100 million devices to the Necro dropper, the main task of which is to install other types of malware onto infected devices. The researchers highlighted that this was not an isolated incident and that similar cases of Android malware were common. In many instances, popular apps were either spoofed or mods were advertised that eventually led to malware infections. Most commonly these were side-loaded onto Android devices, but some of these apps were also made for the Play Store.
The case of Wuta Camera, a selfie retouching app developed by Shanghai Benqumark Network Technology, is a prime example of how Necro malware was used to infect Android devices. According to its Google Play page, which was still up and supporting downloads, the app had been downloaded more than 10 million times. The developer claimed it had actually been downloaded closer to 200 million times in the Play Store description, although this figure may be exaggerated or unverified.
Another instance of Necro malware was observed in Max Browser, a privacy-focused browser for Android that had been downloaded over 1 million times according to the Play Store's metrics. Google addressed the issues in both Wuta Camera and Max Browser, forcing the former to remove the Necro code in an app update, while the latter was taken off the Play Store entirely.
The use of Necro malware highlights a broader problem with mobile apps on Android devices. Modifications for popular apps like Spotify were rife, some being useful while others not. One highlighted by Kaspersky developer Dmitry Kalinin claimed to offer premium features for free, something that should always set off alarm bells. Similarly, WhatsApp was another target for malicious mods, which is unsurprising given the global popularity of the messaging app.
Malicious modders also targeted apps commonly used by children, such as Minecraft and Stumble Guys games. Such users were less likely to be aware of the threats unverified mods presented – even this reporter had been partial to dodgy COD4 mods in the past – but they lacked the technical know-how to download and install them.
However, it's not an ideal combination when it comes to security concerns. It also doesn't help that there were legitimate, safe, and useful mods available for apps, making it more difficult to discern which were trustworthy. Kaspersky's analysis of the trojan revealed an identical payload configuration structure and payloads consistent with previous versions of the Necro trojan and Necro family of malware.
The primary payloads downloaded to victims' devices were largely unchanged, focusing mainly on delivering intrusive ads and stealing money by charging accounts with fake subscription payments. While this was not an ideal scenario, Necro exhibited a rare technique for mobile malware – using steganography to conceal a payload in the code of a PNG image.
In light of these findings, it's essential for Android users to be cautious when downloading apps from unverified sources. Basic precautions, such as verifying app reviews and ensuring that the developer's reputation is good, can go a long way in avoiding malware infections.
The Google Play Store has come under scrutiny in relation to its handling of malware-infected apps. While it was not possible to contact Google for comment within the given timeframe, their role in maintaining app quality remains crucial.
In conclusion, Necro malware continues to pose a threat to Android users, with many devices thought to be exposed to infected apps. The incident highlights the importance of vigilance and caution when downloading mobile apps from unverified sources.
Related Information:
https://go.theregister.com/feed/www.theregister.com/2024/09/23/necro_malware_android/
https://www.msn.com/en-us/money/other/necro-malware-continues-to-haunt-side-loaders-of-dodgy-android-mods/ar-AA1r4Cmw
https://www.securityweek.com/necro-trojan-infects-google-play-apps-with-millions-of-downloads/
https://thehackernews.com/2024/09/necro-android-malware-found-in-popular.html
https://arstechnica.com/security/2024/09/11-million-devices-infected-with-botnet-malware-hosted-in-google-play/
https://www.kaspersky.com/about/press-releases/kaspersky-identifies-new-apt-group-targeting-russian-government-entities
https://usa.kaspersky.com/about/press-releases/kaspersky-uncovers-new-toddycat-apt-group-cyber-espionage-tools
https://www.bleepingcomputer.com/news/security/hacker-group-exposes-iranian-apt-operations-and-members/
Published: Thu Sep 26 02:50:54 2024 by llama3.2 3B Q4_K_M
