11 Million Devices Infected with Botnet Malware Hosted in Google Play: A Detailed Overview



Introduction

Google Play, the trusted app store for Android devices, has faced multiple security breaches over the years. One of the most alarming is the infiltration of malware through legitimate apps. Recently, a new wave of malware, known as Necro, has emerged, affecting over 11 million devices. This article delves into how Necro infiltrated Google Play, the techniques it uses, and the consequences of its spread.

The Re-Emergence of Necro: A Familiar Threat

What is Necro Malware?

Necro is a notorious malware family known for its stealth and modular nature. First identified in 2019, Necro has evolved to become more sophisticated, with its latest version now using advanced methods like steganography (a technique that hides malicious data within seemingly harmless files) to infect devices. This malware is particularly dangerous because it can spread through legitimate apps available in Google Play, making it harder to detect and avoid.

Necro’s Infiltration of Google Play in 2019

In 2019, researchers discovered that a seemingly legitimate Android app on Google Play had been secretly infected with malware. This malware was embedded through a Software Development Kit (SDK) used by developers to generate advertising revenue. Once integrated into the app, the SDK allowed attackers to control infected devices, enabling them to download and execute hidden payloads. This caused millions of devices to be connected to attacker-controlled servers.

Necro's Return in 2024

Fast forward to 2024, and Necro is back, infecting over 11 million devices. This time, researchers from the security firm Kaspersky found that two popular apps—Wuta Camera and Max Browser—had been compromised. The malware was distributed through a malicious SDK, once again using legitimate apps as a vehicle for infection.

How Necro Malware Infects Devices

The Role of Malicious SDKs

Software Development Kits (SDKs) are essential tools for app developers, offering ready-made solutions for common tasks like displaying ads or managing user interactions. Unfortunately, these SDKs can be exploited, as was the case with Necro. The malicious SDK embedded in apps like Wuta Camera and Max Browser allowed attackers to remotely control infected devices. Once installed, the apps would communicate with attacker-controlled servers, downloading malicious code that could be executed at any time.

Stealthy Techniques: Steganography and Obfuscation

Necro uses sophisticated techniques to remain undetected. One of the standout methods is steganography, where malicious data is hidden within seemingly benign images. This method is rarely seen in mobile malware but was used by Necro to download additional payloads from attacker-controlled servers. By embedding malicious code within PNG images, the malware could evade detection by antivirus software.

The SDK module also employed obfuscation techniques, such as the use of the OLLVM tool, to hide its true purpose. Obfuscation makes the code more difficult to analyze, further complicating efforts to detect and remove the malware.

Command-and-Control Communication

Once the device is infected, it establishes communication with a command-and-control server. This server sends encrypted instructions to the infected device, which can include downloading additional payloads or executing specific tasks. The malware uses encrypted JSON data to transmit information about the compromised device, making it challenging for security researchers to trace and analyze its behavior.

The Impact of Necro Malware on Infected Devices

Adware and Subscription Fraud

One of the most immediate effects of Necro is the display of unwanted ads through invisible WebView windows. These ads are shown in the background, generating fraudulent revenue for the attackers without the user’s knowledge. Additionally, Necro can facilitate subscription fraud, where users are unknowingly signed up for paid services, racking up charges on their accounts.

Elevated System Privileges

Necro is designed to operate with elevated system privileges, giving it significant control over the infected device. This includes the ability to download and execute arbitrary code, modify system files, and bypass security measures. By exploiting vulnerabilities in Android’s WebView component, Necro can run malicious code with enhanced privileges, further increasing its ability to cause harm.

Infected Devices as Proxies for Malicious Traffic

Another concerning feature of Necro is its ability to turn infected devices into proxies for routing malicious traffic. This makes it harder for law enforcement and cybersecurity experts to trace the origin of attacks, as the malicious activity appears to come from legitimate devices scattered around the world.

Which Apps Were Infected?

Wuta Camera

One of the apps identified as being infected with Necro was Wuta Camera, a popular photo editing app with over 10 million downloads. The malicious SDK was embedded in versions 6.3.2.148 through 6.3.6.148. Although the app has since been updated to remove the malware, any device that installed these versions remains at risk of infection.

Max Browser

Another app compromised by Necro was Max Browser, a web browsing app with over 1 million downloads. Unlike Wuta Camera, Max Browser was removed from Google Play following Kaspersky’s report. However, users who had already downloaded the app remain vulnerable, as no clean version is available for upgrade.

Necro Beyond Google Play

Infection via Modified Versions of Popular Apps

While Google Play remains a significant distribution channel for Necro, the malware has also spread through modified versions of popular apps. These “mods” are often found on unofficial app stores and websites, promising enhanced features like ad-free Spotify or modified versions of WhatsApp with extended privacy settings. In reality, these modified apps often come bundled with Necro malware, infecting unsuspecting users who download them.

High-Risk Apps Identified

Some of the high-risk apps identified by researchers include:

  • GBWhatsApp and FMWhatsApp: Modified versions of WhatsApp with extended file-sharing limits and enhanced privacy features.
  • Spotify Plus: A modified version of Spotify that promises free, ad-free premium access.
  • Minecraft Mods: Mods for popular games like Minecraft, Stumble Guys, and Car Parking Multiplayer that are infected with Necro.

These apps are often distributed through unofficial websites, making it difficult to track the full extent of the infections.

How to Protect Your Device from Necro

Uninstall Infected Apps

If you have downloaded Wuta Camera or Max Browser, the first step is to uninstall the app immediately. This will prevent further malicious activity and stop the malware from spreading to other apps or devices.

Run a Security Scan

Next, run a security scan using a reputable antivirus app. Many antivirus programs can detect and remove Necro and its associated payloads, helping to clean your device of any lingering malware.

Enable Google Play Protect

Google Play Protect is a built-in security feature that scans apps for malware before they are installed. Make sure this feature is enabled to help prevent future infections. If you have disabled it for any reason, now is the time to turn it back on.

Be Wary of Third-Party App Stores

Avoid downloading apps from third-party app stores or unofficial websites. These sources are not subject to the same security standards as Google Play, making them more likely to distribute malware-infected apps.

Conclusion

The re-emergence of Necro malware highlights the growing sophistication of mobile malware threats. With 11 million devices infected through Google Play, it’s clear that even trusted platforms are not immune to malware attacks. By understanding how Necro operates and taking steps to protect your device, you can reduce your risk of falling victim to this dangerous malware.

FAQs

1. What is Necro malware?

Necro is a family of malware that targets Android devices. It spreads through legitimate apps, infecting devices by embedding malicious code into the app’s SDK.

2. How does Necro infect devices?

Necro infects devices through legitimate apps, primarily using malicious SDKs. It can also spread through modified versions of popular apps available on unofficial app stores.

3. What should I do if I think my device is infected?

If you suspect your device is infected, uninstall any apps you believe may be compromised, run a security scan using a reputable antivirus program, and ensure that Google Play Protect is enabled.

4. How does Necro use steganography?

Necro uses steganography to hide malicious code within images. This makes it more difficult for antivirus programs to detect the malware, as it appears to be part of a harmless image file.

5. Are apps on Google Play safe?

While Google Play is generally considered safe, it’s not immune to malware. Always check app reviews and permissions, and enable Google Play Protect to add an extra layer of security.

Source: Google News

Read more blogs: Alitech Blog

www.hostingbyalitech.com

www.patriotsengineering.com

www.engineer.org.pk

Posted in News on Sep 24, 2024



Google’s New Verified Checkmarks in Search: A Game-Changer for User Trust

Posted in News on Oct 08, 2024

As we navigate the digital age, online trust has become increasingly important. Google is now experimenting with a feature that aims to strengthen this trust: verified checkmarks in search results. These blue ticks could soon help users easily identify which businesses are legitimate and trustworthy. But what does this mean for the average internet user? Let’s dive deeper into this new feature and explore its implications.



Get 12 Months of AWS Wordpress Hosting for Free

Posted in Hosting Promotions, News, Technical Solutions on Sep 08, 2022

Introduction to AWS Free Tier AWS Free Tier includes many free services which are always free and many services which are offered free for 12 months plan.



UAE to grant citizenship to expat investors and professionals

Posted in News on Jan 30, 2021

UAE to grant citizenship to expat investors and professionals including engineers, doctors, artists "The UAE cabinet, local Emiri courts & executive councils will nominate those eligible for the citizenship under clear criteria set for each category. The law allows receivers of the UAE passport to keep their existing citizenship."



[SOLVED / FIXED ] snapd error: cannot communicate with server: Post http://localhost/v2/snaps/core

Posted in Technical Solutions on Apr 15, 2022

[SOLVED / FIXED ] error: cannot communicate with server: Post http://localhost/v2/snaps/core



[SOLVED / FIXED] Kubesphere request to http //ks-apiserver/oauth/token failed

Posted in Technical Solutions on Jul 17, 2022

[SOLVED / FIXED] Kubesphere request to http //ks-apiserver/oauth/token failed



Next-Gen VPS Servers

Posted in Uncategorized on Jul 04, 2024

Next-Gen VPS servers are revolutionizing the web hosting industry by offering unparalleled performance, scalability, and security. These servers utilize advanced technologies like high-speed SSD storage and optimized resource allocation to provide superior performance compared to traditional VPS. Ideal for hosting websites, running e-commerce platforms, and application development, Next-Gen VPS servers offer a cost-effective and flexible solution for businesses and developers. Discover the benefits and features of Next-Gen VPS servers and why they are the future of web hosting.



New XEC Covid Variant Spreads To 27 Countries: Here's What We Know So Far

Posted in News on Sep 18, 2024

The new Covid-19 variant, XEC, has been making waves since its initial discovery in Germany this June. A hybrid of the omicron subvariants KS.1.1 and KP.3.3, XEC has now been detected in 27 countries, with around 500 samples identified worldwide. This variant has shown a marked increase in transmissibility, leading scientists to monitor its spread closely. While symptoms of XEC resemble those of earlier variants—such as fever, sore throat, and body aches—existing vaccines are expected to provide strong protection against severe illness. With XEC potentially becoming the dominant strain this winter, staying updated with vaccinations and maintaining good hygiene practices are crucial for staying protected.



Top Best Web Hosting Services of 2024

Posted in About Hosting by AliTech, News on Sep 02, 2024

Find the best web hosting service for your website in 2024! Compare top hosting providers like HostGator, Bluehost, and DreamHost, and discover the benefits of cloud-powered hosting with Hosting by AliTech. Limited time offer: Get up to 33.3% off your hosting plan with Hosting by AliTech!



How to Choose the Best Domain Name for Your Website

Posted in Uncategorized on Jul 09, 2024

Choosing a domain name is more than just picking a web address; it’s about creating your online identity. Your domain is the gateway to your website and plays a crucial role in how people perceive and remember your brand. It should be concise, relevant to your business, and easy to remember. In this guide, we’ll explore the key factors to consider when selecting a domain name, tips for making it memorable, and tools to help you find the perfect fit. Whether you’re starting a new venture or rebranding an existing one, choosing the right domain name is a pivotal step towards online success.



Hosting by AliTech User & Reseller Portal - 2021

Posted in About Hosting by AliTech, News on Oct 17, 2021

Hosting by AliTech User & Reseller Portal coming soon stay tuned. https://bit.ly/3tm3kZ3 https://www.hostingbyalitech.com #hostingbyalitech #alitechsolutions #userportal #resellerportal #coming #soon



Tips For Minimizing Website Downtime

Posted in Technical Solutions on Jul 02, 2024

Learn effective strategies to minimize website downtime and ensure continuous online presence.



World of Quantum Computing and Its Effects on Web Hosting and Domain Names

Posted in Uncategorized on Jul 11, 2024

Quantum computing is no longer a concept confined to the realm of theoretical physics; it has entered the mainstream, promising to revolutionize various industries. Among these, web hosting and domain name management stand to benefit significantly from the advancements in quantum computing. Quantum computers can process large datasets more efficiently, enabling faster data retrieval and processing. This can significantly reduce the time it takes to load websites, improving the overall user experience. Moreover, quantum encryption techniques offer enhanced protection, ensuring that sensitive data transmitted over the internet remains secure from cyber threats. As quantum computing continues to evolve, it is set to transform web hosting and domain management, making them more efficient, secure, and reliable.



Everything You Need to Know About Meta Connect 2024

Posted in News on Sep 23, 2024

Meta Connect 2024, happening from September 25 to 26, promises to be a groundbreaking event in the world of augmented and virtual reality. Attendees can expect exciting announcements, including the anticipated Quest 3S headset, which aims to offer a more affordable VR experience, and the innovative Orion AR glasses designed for seamless augmented reality interactions. In addition to hardware, the conference will highlight advancements in artificial intelligence, potentially unveiling an upgraded version of the Llama language model to enhance user experiences across Meta’s platforms. With live-streamed keynotes and developer sessions, Meta Connect 2024 is set to shape the future of technology and the metaverse, making it a must-watch event for enthusiasts and developers alike.



[SOLVED / FIXED ] Kubernetes / Docker could not create directory. wordpress

Posted in Technical Solutions on Apr 30, 2022

[SOLVED / FIXED ] Kubernetes / Docker could not create directory. wordpress ERROR: could not create directory SOLUTION / FIX: chown -R www-data:www-data /var/www



Exploring OpenAI's New AI Models: o1-Preview and o1-Mini – A Leap Toward More Human-Like AI

Posted in News on Sep 13, 2024

OpenAI has just unveiled its highly anticipated models, o1-preview and o1-mini, marking a significant leap in AI technology. Known initially as "Strawberry," the o1-preview model is designed to mimic human-like reasoning by taking more time to process complex questions and deliver thoughtful answers. Alongside it, the o1-mini offers a faster, more cost-effective option for tasks requiring rapid problem-solving. This article delves into the features, performance, and potential applications of these groundbreaking models, exploring how they aim to redefine AI's role in academia, coding, and beyond



This is really awesome!!! We are now ranking 🚀5th 👊😍

Posted in About Hosting by AliTech, Hosting Promotions on Jun 07, 2021

This is really awesome!!! We are now ranking 5th on TheWebHostingDir.com. To celebrate this we are giving away 5 Free Shared Hosting Accounts on first come first serve basis.



AliTech snippet featured on Google ☺️

Posted in News on Sep 06, 2020

AliTech snippet featured on Google ☺️



Texas to Get 1 GW AI-Powered Virtual Power Plant, Enough to Power 200,000 Homes

Posted in News on Nov 14, 2024

Texas is pioneering energy innovation with the launch of a 1-gigawatt virtual power plant (VPP) capable of supporting up to 200,000 homes during peak demand. A collaboration between NRG Energy, Renew Home, and Google Cloud, this AI-powered VPP will help Texas address its rising energy needs and boost grid stability. By aggregating energy from distributed sources like smart thermostats, electric vehicles, and home battery storage, the VPP adjusts electricity flow in real-time, optimizing energy use and reducing costs. With free smart thermostats offered to residents, Texas’ VPP empowers households to cut bills while supporting a resilient, eco-friendly energy system.




Other Blogs


Google’s New Verified Checkmarks in Search: A Game-Changer for User Trust

Posted in News on Oct 08, 2024 and updated on Oct 08, 2024

Get 12 Months of AWS Wordpress Hosting for Free

Posted in Hosting Promotions, News, Technical Solutions on Sep 08, 2022 and updated on Sep 07, 2022

UAE to grant citizenship to expat investors and professionals

Posted in News on Jan 30, 2021 and updated on Mar 30, 2022

Next-Gen VPS Servers

Posted in Uncategorized on Jul 04, 2024 and updated on Jul 04, 2024

New XEC Covid Variant Spreads To 27 Countries: Here's What We Know So Far

Posted in News on Sep 18, 2024 and updated on Sep 18, 2024

Top Best Web Hosting Services of 2024

Posted in About Hosting by AliTech, News on Sep 02, 2024 and updated on Sep 02, 2024

How to Choose the Best Domain Name for Your Website

Posted in Uncategorized on Jul 09, 2024 and updated on Jul 09, 2024

Hosting by AliTech User & Reseller Portal - 2021

Posted in About Hosting by AliTech, News on Oct 17, 2021 and updated on Mar 14, 2022

Tips For Minimizing Website Downtime

Posted in Technical Solutions on Jul 02, 2024 and updated on Jul 02, 2024

Everything You Need to Know About Meta Connect 2024

Posted in News on Sep 23, 2024 and updated on Sep 23, 2024

AliTech snippet featured on Google ☺️

Posted in News on Sep 06, 2020 and updated on Oct 23, 2020

Texas to Get 1 GW AI-Powered Virtual Power Plant, Enough to Power 200,000 Homes

Posted in News on Nov 14, 2024 and updated on Nov 14, 2024

Next-Gen VPS Servers

Posted in Uncategorized on Jul 04, 2024

Next-Gen VPS Servers

Posted in Uncategorized on Jul 04, 2024







Comments

Please sign in to comment!






Subscribe To Our Newsletter

Stay in touch with us to get latest news and discount coupons