The Necro malware [1] [2] [3] [4], discovered by researchers from Kaspersky, has infected over 11 million Android users worldwide [1].
Description
It is hidden within a malicious software developer kit (SDK) used for advertising integration [4], allowing for stealthy communication with attacker-controlled servers [4]. Necro utilizes obfuscation techniques like steganography to hide its malicious payload [2], with some variants able to run malicious code with heightened system rights [4]. The malware communicates with a command-and-control server [4], sending encrypted JSON data about compromised devices [4]. Follow-on payloads can download malicious plugins for various actions [4], including running code with elevated system rights [4].
Popular apps like Spotify [1] [2] [3], WhatsApp [1] [2] [3], and Minecraft have been found to contain the malware, with Wuta Camera and Max Browser also affected [1] [3] [4]. The latter app is no longer available for download [2]. Necro is believed to have been introduced through a rogue advertising SDK and can be found in mods for apps like WhatsApp and Minecraft distributed through unofficial sources.
Kaspersky has blocked over ten thousand Necro attacks globally [2], with countries like Russia, Brazil [2], Vietnam [2], and others being the most targeted [2]. The modular architecture of Necro allows its creators to deliver loader updates and new malicious modules [2], making it highly adaptable and capable of introducing new features [2].
To protect against Necro [1], users are advised to avoid downloading apps from unofficial sources and to be cautious even with apps from official platforms like Google Play [1]. Users can use Kaspersky for Android to detect Necro and similar malware, and should check app reviews for potential warnings about malware [1]. Users concerned about infection should check for indicators of compromise [4].
Necro has been distributed through malicious advertising SDKs used by popular apps like Spotify and WhatsApp [3], installing various payloads such as adware, subscription fraud tools [3], and proxy mechanisms to generate ad revenue and interact with paid services [3]. Kaspersky discovered Necro in the Wuta Camera and Max Browser apps on Google Play [3], prompting their removal [3]. The Trojan is also spread through modified versions of popular apps outside of Google Play [3].
Conclusion
The impact of Necro malware on Android users worldwide is significant, with millions affected by its malicious activities. To mitigate the risks associated with Necro, users are advised to exercise caution when downloading apps and to use security software like Kaspersky for Android. The evolving nature of Necro, with its ability to introduce new features and modules, poses a challenge for cybersecurity experts in combating this threat. As such, ongoing vigilance and proactive measures are essential to protect against the spread of Necro and similar malware in the future.
References
[1] https://www.kaspersky.com/blog/necro-infects-android-users/52201/
[2] https://thehackernews.com/2024/09/necro-android-malware-found-in-popular.html
[3] https://www.noypigeeks.com/tech-news/necro-malware-android-devices-google-play-store/
[4] https://arstechnica.com/security/2024/09/11-million-devices-infected-with-botnet-malware-hosted-in-google-play/