11 Million Devices Infected with Botnet Malware Hosted in Google Play: A Detailed Overview



Introduction

Google Play, the trusted app store for Android devices, has faced multiple security breaches over the years. One of the most alarming is the infiltration of malware through legitimate apps. Recently, a new wave of malware, known as Necro, has emerged, affecting over 11 million devices. This article delves into how Necro infiltrated Google Play, the techniques it uses, and the consequences of its spread.

The Re-Emergence of Necro: A Familiar Threat

What is Necro Malware?

Necro is a notorious malware family known for its stealth and modular nature. First identified in 2019, Necro has evolved to become more sophisticated, with its latest version now using advanced methods like steganography (a technique that hides malicious data within seemingly harmless files) to infect devices. This malware is particularly dangerous because it can spread through legitimate apps available in Google Play, making it harder to detect and avoid.

Necro’s Infiltration of Google Play in 2019

In 2019, researchers discovered that a seemingly legitimate Android app on Google Play had been secretly infected with malware. This malware was embedded through a Software Development Kit (SDK) used by developers to generate advertising revenue. Once integrated into the app, the SDK allowed attackers to control infected devices, enabling them to download and execute hidden payloads. This caused millions of devices to be connected to attacker-controlled servers.

Necro's Return in 2024

Fast forward to 2024, and Necro is back, infecting over 11 million devices. This time, researchers from the security firm Kaspersky found that two popular apps—Wuta Camera and Max Browser—had been compromised. The malware was distributed through a malicious SDK, once again using legitimate apps as a vehicle for infection.

How Necro Malware Infects Devices

The Role of Malicious SDKs

Software Development Kits (SDKs) are essential tools for app developers, offering ready-made solutions for common tasks like displaying ads or managing user interactions. Unfortunately, these SDKs can be exploited, as was the case with Necro. The malicious SDK embedded in apps like Wuta Camera and Max Browser allowed attackers to remotely control infected devices. Once installed, the apps would communicate with attacker-controlled servers, downloading malicious code that could be executed at any time.

Stealthy Techniques: Steganography and Obfuscation

Necro uses sophisticated techniques to remain undetected. One of the standout methods is steganography, where malicious data is hidden within seemingly benign images. This method is rarely seen in mobile malware but was used by Necro to download additional payloads from attacker-controlled servers. By embedding malicious code within PNG images, the malware could evade detection by antivirus software.

The SDK module also employed obfuscation techniques, such as the use of the OLLVM tool, to hide its true purpose. Obfuscation makes the code more difficult to analyze, further complicating efforts to detect and remove the malware.

Command-and-Control Communication

Once the device is infected, it establishes communication with a command-and-control server. This server sends encrypted instructions to the infected device, which can include downloading additional payloads or executing specific tasks. The malware uses encrypted JSON data to transmit information about the compromised device, making it challenging for security researchers to trace and analyze its behavior.

The Impact of Necro Malware on Infected Devices

Adware and Subscription Fraud

One of the most immediate effects of Necro is the display of unwanted ads through invisible WebView windows. These ads are shown in the background, generating fraudulent revenue for the attackers without the user’s knowledge. Additionally, Necro can facilitate subscription fraud, where users are unknowingly signed up for paid services, racking up charges on their accounts.

Elevated System Privileges

Necro is designed to operate with elevated system privileges, giving it significant control over the infected device. This includes the ability to download and execute arbitrary code, modify system files, and bypass security measures. By exploiting vulnerabilities in Android’s WebView component, Necro can run malicious code with enhanced privileges, further increasing its ability to cause harm.

Infected Devices as Proxies for Malicious Traffic

Another concerning feature of Necro is its ability to turn infected devices into proxies for routing malicious traffic. This makes it harder for law enforcement and cybersecurity experts to trace the origin of attacks, as the malicious activity appears to come from legitimate devices scattered around the world.

Which Apps Were Infected?

Wuta Camera

One of the apps identified as being infected with Necro was Wuta Camera, a popular photo editing app with over 10 million downloads. The malicious SDK was embedded in versions 6.3.2.148 through 6.3.6.148. Although the app has since been updated to remove the malware, any device that installed these versions remains at risk of infection.

Max Browser

Another app compromised by Necro was Max Browser, a web browsing app with over 1 million downloads. Unlike Wuta Camera, Max Browser was removed from Google Play following Kaspersky’s report. However, users who had already downloaded the app remain vulnerable, as no clean version is available for upgrade.

Necro Beyond Google Play

Infection via Modified Versions of Popular Apps

While Google Play remains a significant distribution channel for Necro, the malware has also spread through modified versions of popular apps. These “mods” are often found on unofficial app stores and websites, promising enhanced features like ad-free Spotify or modified versions of WhatsApp with extended privacy settings. In reality, these modified apps often come bundled with Necro malware, infecting unsuspecting users who download them.

High-Risk Apps Identified

Some of the high-risk apps identified by researchers include:

  • GBWhatsApp and FMWhatsApp: Modified versions of WhatsApp with extended file-sharing limits and enhanced privacy features.
  • Spotify Plus: A modified version of Spotify that promises free, ad-free premium access.
  • Minecraft Mods: Mods for popular games like Minecraft, Stumble Guys, and Car Parking Multiplayer that are infected with Necro.

These apps are often distributed through unofficial websites, making it difficult to track the full extent of the infections.

How to Protect Your Device from Necro

Uninstall Infected Apps

If you have downloaded Wuta Camera or Max Browser, the first step is to uninstall the app immediately. This will prevent further malicious activity and stop the malware from spreading to other apps or devices.

Run a Security Scan

Next, run a security scan using a reputable antivirus app. Many antivirus programs can detect and remove Necro and its associated payloads, helping to clean your device of any lingering malware.

Enable Google Play Protect

Google Play Protect is a built-in security feature that scans apps for malware before they are installed. Make sure this feature is enabled to help prevent future infections. If you have disabled it for any reason, now is the time to turn it back on.

Be Wary of Third-Party App Stores

Avoid downloading apps from third-party app stores or unofficial websites. These sources are not subject to the same security standards as Google Play, making them more likely to distribute malware-infected apps.

Conclusion

The re-emergence of Necro malware highlights the growing sophistication of mobile malware threats. With 11 million devices infected through Google Play, it’s clear that even trusted platforms are not immune to malware attacks. By understanding how Necro operates and taking steps to protect your device, you can reduce your risk of falling victim to this dangerous malware.

FAQs

1. What is Necro malware?

Necro is a family of malware that targets Android devices. It spreads through legitimate apps, infecting devices by embedding malicious code into the app’s SDK.

2. How does Necro infect devices?

Necro infects devices through legitimate apps, primarily using malicious SDKs. It can also spread through modified versions of popular apps available on unofficial app stores.

3. What should I do if I think my device is infected?

If you suspect your device is infected, uninstall any apps you believe may be compromised, run a security scan using a reputable antivirus program, and ensure that Google Play Protect is enabled.

4. How does Necro use steganography?

Necro uses steganography to hide malicious code within images. This makes it more difficult for antivirus programs to detect the malware, as it appears to be part of a harmless image file.

5. Are apps on Google Play safe?

While Google Play is generally considered safe, it’s not immune to malware. Always check app reviews and permissions, and enable Google Play Protect to add an extra layer of security.

Source: Google News

Read more blogs: Alitech Blog

www.hostingbyalitech.com

www.patriotsengineering.com

www.engineer.org.pk

Posted in News on Sep 24, 2024



Automated Backup to GoogleDrive - CyberPanel - HostingbyAliTech

Posted in About Hosting by AliTech, Technical Solutions on Jul 18, 2021

Automated Backup to GoogleDrive - CyberPanel All the Hosting by AliTech customers have access to GoogleDrive Backups, here is what you need..



Why Telegram CEO Pavel Durov Was Arrested in Paris: The Full Story

Posted in News on Aug 27, 2024

In the fast-evolving world of digital communication, Pavel Durov stands out as a relentless advocate for user privacy. As the founder of VKontakte and Telegram, Durov has consistently prioritized encryption and user control over data. This commitment has made him a controversial figure, especially in the eyes of governments that demand access to user information. The ongoing tension between privacy and security is embodied in Durov's journey, raising critical questions about the future of free speech and the ethical responsibilities of tech companies. What happens when the defender of digital privacy himself becomes a target?



Does your hosting provider has this performance?

Posted in News on Sep 12, 2020

Does your hosting provider has this performance? If no... you need to move now 🙂 https://hosting.alitech.uk



New XEC Covid Variant Spreads To 27 Countries: Here's What We Know So Far

Posted in News on Sep 18, 2024

The new Covid-19 variant, XEC, has been making waves since its initial discovery in Germany this June. A hybrid of the omicron subvariants KS.1.1 and KP.3.3, XEC has now been detected in 27 countries, with around 500 samples identified worldwide. This variant has shown a marked increase in transmissibility, leading scientists to monitor its spread closely. While symptoms of XEC resemble those of earlier variants—such as fever, sore throat, and body aches—existing vaccines are expected to provide strong protection against severe illness. With XEC potentially becoming the dominant strain this winter, staying updated with vaccinations and maintaining good hygiene practices are crucial for staying protected.



Gmail Users at Risk from AI-Powered Cyberattacks

Posted in News on Oct 14, 2024

In a rapidly evolving digital landscape, Gmail users are facing a new and alarming threat: AI-powered cyberattacks. These sophisticated scams leverage advanced technology to create realistic impersonations of Google support calls, tricking unsuspecting individuals into revealing personal information. This blog delves into the details of these AI-driven scams, sharing real-life accounts of victims and expert insights on how these tactics work. Through engaging narratives and practical advice, the blog aims to raise awareness about the importance of cybersecurity in the age of AI. Readers will learn how to identify suspicious communications, the significance of enabling robust security features, and essential steps to protect their accounts from phishing attempts. As cybercriminals continue to refine their techniques, staying informed and vigilant is more crucial than ever.



How to Install Remote Desktop on Ubuntu 18.04.6 / Ubuntu 20.04.4 / Raspberry Pi / AMD64 / ARM64

Posted in Technical Solutions on Jun 29, 2022

How to Install Remote Desktop on Ubuntu 18.04.6 / Ubuntu 20.04.4 / Raspberry Pi / AMD64 / ARM64



Galaxy S10 Phones Bricked by Recent Update, Samsung Quickly Offers a Fix

Posted on Oct 04, 2024

The recent Samsung update has caused severe problems for many Galaxy S10 and Note 10 owners, leaving their devices bricked and forcing users to seek urgent solutions. The update, designed to improve functionality, has instead resulted in a widespread issue that has thrown affected phones into an endless boot loop. Fortunately, Samsung was quick to respond with a fix, but users are still grappling with the impact.



[SOLVED / FIXED] Django attempt to write a readonly database OpenLiteSpeed & CyberPanel

Posted in Technical Solutions on Jun 12, 2021

[SOLVED] Django attempt to write a readonly database OpenLiteSpeed & CyberPanel



Get 12 Months of AWS Wordpress Hosting for Free

Posted in Hosting Promotions, News, Technical Solutions on Sep 08, 2022

Introduction to AWS Free Tier AWS Free Tier includes many free services which are always free and many services which are offered free for 12 months plan.



Blessed Friday Sale in Pakistan 2024

Posted in News on Nov 22, 2024

The Blessed Friday Sale 2024 in Pakistan offers incredible discounts across various categories, including clothing, electronics, footwear, and accessories. Renowned brands like Gul Ahmed, Nishat Linen, Engine, and Stylo are providing flat discounts ranging from 25% to 80%. Tech enthusiasts can explore exciting deals on gadgets from Audionic, Samsung, and Dany Tech, while fashion lovers can shop trendy collections at Breakout, Cougar Clothing, and Cambridge. With options for men, women, and kids, this shopping event is perfect for upgrading your wardrobe or grabbing tech essentials. Don't miss out—shop these amazing offers from top brands online or in stores!



Human Impact Causes 31.5-Inch Shift in Earth’s Axis: A Wake-Up Call for Groundwater Sustainability

Posted in News on Nov 25, 2024

Recent research reveals that the Earth's axis has shifted by 31.5 inches due to human activities, specifically the massive extraction of groundwater. Since 1993, this shift has been attributed to the redistribution of water from underground aquifers to the oceans. This change has not only altered the Earth's rotational axis but also contributes to rising sea levels and may even affect timekeeping systems. The study, published in Geophysical Research Letters, underscores the need for sustainable water management practices to mitigate the long-term climatic and environmental impacts.



WhatsApp Beta Users Face Green Screen Issue: Here’s How to Solve the Problem

Posted in Technical Solutions on Nov 11, 2024

WhatsApp beta users on Android are currently facing a frustrating green screen issue that makes their devices unresponsive when trying to open a chat. This bug is specifically affecting those on beta version 2.24.24.5, causing the screen to turn solid green and preventing access to messages. Fortunately, there are several solutions to this problem, from force-closing the app to switching back to the stable version. Discover how you can resolve this issue and get your WhatsApp back to normal.



AI-powered Web Hosting and Its Benefits

Posted in Uncategorized on Jul 10, 2024

AI-powered web hosting leverages artificial intelligence technologies to manage, optimize, and enhance traditional web hosting experiences. It offers unparalleled benefits such as enhanced performance and speed, improved security measures, efficient resource management, and intelligent traffic analysis. This type of hosting integrates AI to predict traffic patterns, dynamically allocate resources, and ensure superior website performance. Businesses adopting AI-powered web hosting can expect faster load times, automated threat detection, and scalable solutions that cater to growing needs. As AI technology continues to evolve, the future of web hosting looks promising, offering even more sophisticated and efficient solutions.



Best Prices Now

Posted in Hosting Promotions on Sep 08, 2022

At HostingbyAliTech, you get low cost web hosting services with the power of Cloud. CyberPanel and LiteSpeed provide customers the best experience and optimized site performances. Along with best prices, you get most optimized performance. AliTech is serving since 2020 and it is a first choice of the clients who are after quality and speedy web hosting..



California Governor Vetoes Major AI Safety Bill: What It Means for AI Regulation

Posted in News on Sep 30, 2024

California Governor Gavin Newsom has vetoed SB 1047, a major AI safety bill aimed at regulating advanced AI systems. The bill would have mandated safety measures like testing and a “kill switch” for high-risk AI models. Newsom argued that the legislation could hinder innovation and impose excessive regulations on AI companies. Tech giants such as Google and OpenAI supported the veto, fearing it would slow AI development. The decision has reignited the debate on finding the right balance between innovation and public safety in the rapidly evolving field of artificial intelligence.



The Future of AI and Cloud Computing: A Global Perspective

Posted on Oct 03, 2024

Cloud computing and artificial intelligence (AI) are transforming the technological landscape at an unprecedented pace. These two forces have become vital for businesses aiming to scale, innovate, and stay competitive in a digital-first world. As major corporations like Microsoft, Google, and Oracle make significant investments in cloud infrastructure and AI capabilities, it's clear that these technologies will shape the future of industries worldwide. In this article, we'll dive deep into the latest developments in AI and cloud computing, with a focus on global investments, emerging technologies, and the impact on businesses across different regions.



Litespeed performance comparison

Posted in News on Sep 08, 2022

Our server supports Lite Speed webserver: With the power of LiteSpeed server your websites will have outclass performance see the difference. The benchmark shows the difference of Magneto performance on LiteSpeed server, Nginx & Apache.



Japan Airlines Delays Flights After Cyberattack

Posted in News on Dec 26, 2024

On December 26, 2024, Japan Airlines fell victim to a cyberattack that caused significant disruptions to its operations. The attack, which targeted network equipment, led to delays in domestic and international flights, affecting thousands of passengers. Despite the challenges, JAL swiftly acted to identify and contain the attack, preventing major cancellations. The incident highlights the growing threat of cyberattacks on critical infrastructure and the importance of robust cybersecurity measures to prevent future disruptions.




Other Blogs


Why Telegram CEO Pavel Durov Was Arrested in Paris: The Full Story

Posted in News on Aug 27, 2024 and updated on Aug 27, 2024

Does your hosting provider has this performance?

Posted in News on Sep 12, 2020 and updated on Oct 23, 2020

New XEC Covid Variant Spreads To 27 Countries: Here's What We Know So Far

Posted in News on Sep 18, 2024 and updated on Sep 18, 2024

Gmail Users at Risk from AI-Powered Cyberattacks

Posted in News on Oct 14, 2024 and updated on Oct 14, 2024

Galaxy S10 Phones Bricked by Recent Update, Samsung Quickly Offers a Fix

Posted on Oct 04, 2024 and updated on Oct 04, 2024

Get 12 Months of AWS Wordpress Hosting for Free

Posted in Hosting Promotions, News, Technical Solutions on Sep 08, 2022 and updated on Sep 07, 2022

Blessed Friday Sale in Pakistan 2024

Posted in News on Nov 22, 2024 and updated on Nov 22, 2024

AI-powered Web Hosting and Its Benefits

Posted in Uncategorized on Jul 10, 2024 and updated on Jul 10, 2024

Best Prices Now

Posted in Hosting Promotions on Sep 08, 2022 and updated on Nov 27, 2023

California Governor Vetoes Major AI Safety Bill: What It Means for AI Regulation

Posted in News on Sep 30, 2024 and updated on Sep 30, 2024

The Future of AI and Cloud Computing: A Global Perspective

Posted on Oct 03, 2024 and updated on Oct 03, 2024

Litespeed performance comparison

Posted in News on Sep 08, 2022 and updated on Sep 07, 2022

Japan Airlines Delays Flights After Cyberattack

Posted in News on Dec 26, 2024 and updated on Dec 26, 2024

Blessed Friday Sale in Pakistan 2024

Posted in News on Nov 22, 2024

Best Prices Now

Posted in Hosting Promotions on Sep 08, 2022

Litespeed performance comparison

Posted in News on Sep 08, 2022

Blessed Friday Sale in Pakistan 2024

Posted in News on Nov 22, 2024

Best Prices Now

Posted in Hosting Promotions on Sep 08, 2022

Litespeed performance comparison

Posted in News on Sep 08, 2022







Comments

Please sign in to comment!






Subscribe To Our Newsletter

Stay in touch with us to get latest news and discount coupons