11 Million Android Devices Infected with "Malicious Bots"... Test Your Phone or is it too Late? Necro!!!!! Really!

Researchers have reported finding two new apps on Google Play, downloaded 11 million times in total, that are infected with the same malware family.

Kaspersky researchers believe that a malicious software development kit for integrating advertising capabilities is once again to blame.

Software development kits, known as SDKs, provide developers with frameworks that can significantly speed up the app creation process by simplifying repetitive tasks. On the surface, the SDK involved here does nothing more than support ad serving.

But behind the scenes, it offers a range of advanced methods for surreptitiously communicating with malicious servers, uploading user data, downloading malicious code, and updating it at any time.

The Necro Malware

The stealthy malware family found in both apps is known as Necro. But this time, some variants use techniques like cloaking, an obfuscation method rarely seen in similar malware.

Once infected, devices connect to a command-and-control server controlled by the attacker, sending web requests containing encrypted data that provides information about each compromised device.

The researchers explained that the malicious SDK uses a very simple, but very effective, stealth technique. The malware also downloads and installs subsequent payloads, which in turn download malicious plugins that can be mixed and matched for each infected device to perform a variety of different actions.

On Google Play, REALLY?

The researchers found Necro malware in two apps on Google Play. One of these apps was Wuta Camera, an app that has been downloaded 10 million times to date.

Versions of Wuta Camera contain a malicious SDK that infects the app. The app has since been updated to remove the malicious component. A separate app, Max Browser, which has been downloaded about a million times, was also infected and is no longer available on Google Play.

The malware performs a range of malicious activities, including displaying hidden ads, downloading files without user consent, and using infected devices as proxies for malicious traffic.

In addition to Google Play, Necro also spreads through modified versions of popular apps like Spotify and WhatsApp, distributed via third-party websites.

The researchers also found that Necro infects a variety of Android apps available on alternative markets. In most cases, these apps promote themselves as modified versions of legitimate apps like WhatsApp and others.

The researchers stressed that people concerned about a possible Necro infection should check their apps and use reliable anti-malware apps to protect their devices.







