11 Million Devices Infected with Botnet Malware Hosted in Google Play: A Detailed Overview



Introduction

Google Play, the trusted app store for Android devices, has faced multiple security breaches over the years. One of the most alarming is the infiltration of malware through legitimate apps. Recently, a new wave of malware, known as Necro, has emerged, affecting over 11 million devices. This article delves into how Necro infiltrated Google Play, the techniques it uses, and the consequences of its spread.

The Re-Emergence of Necro: A Familiar Threat

What is Necro Malware?

Necro is a notorious malware family known for its stealth and modular nature. First identified in 2019, Necro has evolved to become more sophisticated, with its latest version now using advanced methods like steganography (a technique that hides malicious data within seemingly harmless files) to infect devices. This malware is particularly dangerous because it can spread through legitimate apps available in Google Play, making it harder to detect and avoid.

Necro’s Infiltration of Google Play in 2019

In 2019, researchers discovered that a seemingly legitimate Android app on Google Play had been secretly infected with malware. This malware was embedded through a Software Development Kit (SDK) used by developers to generate advertising revenue. Once integrated into the app, the SDK allowed attackers to control infected devices, enabling them to download and execute hidden payloads. This caused millions of devices to be connected to attacker-controlled servers.

Necro's Return in 2024

Fast forward to 2024, and Necro is back, infecting over 11 million devices. This time, researchers from the security firm Kaspersky found that two popular apps—Wuta Camera and Max Browser—had been compromised. The malware was distributed through a malicious SDK, once again using legitimate apps as a vehicle for infection.

How Necro Malware Infects Devices

The Role of Malicious SDKs

Software Development Kits (SDKs) are essential tools for app developers, offering ready-made solutions for common tasks like displaying ads or managing user interactions. Unfortunately, these SDKs can be exploited, as was the case with Necro. The malicious SDK embedded in apps like Wuta Camera and Max Browser allowed attackers to remotely control infected devices. Once installed, the apps would communicate with attacker-controlled servers, downloading malicious code that could be executed at any time.

Stealthy Techniques: Steganography and Obfuscation

Necro uses sophisticated techniques to remain undetected. One of the standout methods is steganography, where malicious data is hidden within seemingly benign images. This method is rarely seen in mobile malware but was used by Necro to download additional payloads from attacker-controlled servers. By embedding malicious code within PNG images, the malware could evade detection by antivirus software.

The SDK module also employed obfuscation techniques, such as the use of the OLLVM tool, to hide its true purpose. Obfuscation makes the code more difficult to analyze, further complicating efforts to detect and remove the malware.

Command-and-Control Communication

Once the device is infected, it establishes communication with a command-and-control server. This server sends encrypted instructions to the infected device, which can include downloading additional payloads or executing specific tasks. The malware uses encrypted JSON data to transmit information about the compromised device, making it challenging for security researchers to trace and analyze its behavior.

The Impact of Necro Malware on Infected Devices

Adware and Subscription Fraud

One of the most immediate effects of Necro is the display of unwanted ads through invisible WebView windows. These ads are shown in the background, generating fraudulent revenue for the attackers without the user’s knowledge. Additionally, Necro can facilitate subscription fraud, where users are unknowingly signed up for paid services, racking up charges on their accounts.

Elevated System Privileges

Necro is designed to operate with elevated system privileges, giving it significant control over the infected device. This includes the ability to download and execute arbitrary code, modify system files, and bypass security measures. By exploiting vulnerabilities in Android’s WebView component, Necro can run malicious code with enhanced privileges, further increasing its ability to cause harm.

Infected Devices as Proxies for Malicious Traffic

Another concerning feature of Necro is its ability to turn infected devices into proxies for routing malicious traffic. This makes it harder for law enforcement and cybersecurity experts to trace the origin of attacks, as the malicious activity appears to come from legitimate devices scattered around the world.

Which Apps Were Infected?

Wuta Camera

One of the apps identified as being infected with Necro was Wuta Camera, a popular photo editing app with over 10 million downloads. The malicious SDK was embedded in versions 6.3.2.148 through 6.3.6.148. Although the app has since been updated to remove the malware, any device that installed these versions remains at risk of infection.

Max Browser

Another app compromised by Necro was Max Browser, a web browsing app with over 1 million downloads. Unlike Wuta Camera, Max Browser was removed from Google Play following Kaspersky’s report. However, users who had already downloaded the app remain vulnerable, as no clean version is available for upgrade.

Necro Beyond Google Play

Infection via Modified Versions of Popular Apps

While Google Play remains a significant distribution channel for Necro, the malware has also spread through modified versions of popular apps. These “mods” are often found on unofficial app stores and websites, promising enhanced features like ad-free Spotify or modified versions of WhatsApp with extended privacy settings. In reality, these modified apps often come bundled with Necro malware, infecting unsuspecting users who download them.

High-Risk Apps Identified

Some of the high-risk apps identified by researchers include:

  • GBWhatsApp and FMWhatsApp: Modified versions of WhatsApp with extended file-sharing limits and enhanced privacy features.
  • Spotify Plus: A modified version of Spotify that promises free, ad-free premium access.
  • Minecraft Mods: Mods for popular games like Minecraft, Stumble Guys, and Car Parking Multiplayer that are infected with Necro.

These apps are often distributed through unofficial websites, making it difficult to track the full extent of the infections.

How to Protect Your Device from Necro

Uninstall Infected Apps

If you have downloaded Wuta Camera or Max Browser, the first step is to uninstall the app immediately. This will prevent further malicious activity and stop the malware from spreading to other apps or devices.

Run a Security Scan

Next, run a security scan using a reputable antivirus app. Many antivirus programs can detect and remove Necro and its associated payloads, helping to clean your device of any lingering malware.

Enable Google Play Protect

Google Play Protect is a built-in security feature that scans apps for malware before they are installed. Make sure this feature is enabled to help prevent future infections. If you have disabled it for any reason, now is the time to turn it back on.

Be Wary of Third-Party App Stores

Avoid downloading apps from third-party app stores or unofficial websites. These sources are not subject to the same security standards as Google Play, making them more likely to distribute malware-infected apps.

Conclusion

The re-emergence of Necro malware highlights the growing sophistication of mobile malware threats. With 11 million devices infected through Google Play, it’s clear that even trusted platforms are not immune to malware attacks. By understanding how Necro operates and taking steps to protect your device, you can reduce your risk of falling victim to this dangerous malware.

FAQs

1. What is Necro malware?

Necro is a family of malware that targets Android devices. It spreads through legitimate apps, infecting devices by embedding malicious code into the app’s SDK.

2. How does Necro infect devices?

Necro infects devices through legitimate apps, primarily using malicious SDKs. It can also spread through modified versions of popular apps available on unofficial app stores.

3. What should I do if I think my device is infected?

If you suspect your device is infected, uninstall any apps you believe may be compromised, run a security scan using a reputable antivirus program, and ensure that Google Play Protect is enabled.

4. How does Necro use steganography?

Necro uses steganography to hide malicious code within images. This makes it more difficult for antivirus programs to detect the malware, as it appears to be part of a harmless image file.

5. Are apps on Google Play safe?

While Google Play is generally considered safe, it’s not immune to malware. Always check app reviews and permissions, and enable Google Play Protect to add an extra layer of security.

Source: Google News

Read more blogs: Alitech Blog

www.hostingbyalitech.com

www.patriotsengineering.com

www.engineer.org.pk

Posted in News on Sep 24, 2024



Oprah’s Upcoming AI Television Special Sparks Outrage Among Tech Critics

Posted in News on Sep 04, 2024

Oprah Winfrey's upcoming AI television special, "AI and the Future of Us," airing on September 12, 2024, has sparked significant controversy. While the show aims to educate viewers about the impact of artificial intelligence, featuring interviews with tech leaders like Sam Altman and Bill Gates, critics argue that it may serve more as a promotional platform for the AI industry than as an unbiased exploration. Concerns have been raised about the potential for bias, with some fearing the show might downplay the ethical, social, and environmental challenges posed by AI.



Mastering Multi-Server Management and Enhanced Web Security

Posted in Uncategorized on Jul 08, 2024

Managing multiple servers and ensuring robust web security are crucial in today’s digital landscape. This comprehensive guide explores the benefits and processes of multi-server management, including the use of CloudFlare for enhanced performance, CodeGuard for automated backups, and SiteLock for comprehensive security. Learn how to add various hosting services to your account, implement advanced security features, and protect your domain and data effectively. Enhance your website's reliability, scalability, and performance with these essential strategies.



Exploring OpenAI's New AI Models: o1-Preview and o1-Mini – A Leap Toward More Human-Like AI

Posted in News on Sep 13, 2024

OpenAI has just unveiled its highly anticipated models, o1-preview and o1-mini, marking a significant leap in AI technology. Known initially as "Strawberry," the o1-preview model is designed to mimic human-like reasoning by taking more time to process complex questions and deliver thoughtful answers. Alongside it, the o1-mini offers a faster, more cost-effective option for tasks requiring rapid problem-solving. This article delves into the features, performance, and potential applications of these groundbreaking models, exploring how they aim to redefine AI's role in academia, coding, and beyond



[SOLVED / FIXED] Kubesphere request to http //ks-apiserver/oauth/token failed

Posted in Technical Solutions on Jul 17, 2022

[SOLVED / FIXED] Kubesphere request to http //ks-apiserver/oauth/token failed



Graykey and Its Limitations: Insights from Leaked Documents

Posted in News on Nov 20, 2024

Graykey, a forensic tool used to unlock smartphones, is facing challenges with newer devices. Leaked documents reveal it can only partially unlock iPhones running iOS 18, accessing limited data like unencrypted files and metadata. Its performance on Android devices, such as Google Pixel phones, is also limited by device states. This highlights the ongoing battle between tech companies enhancing security and forensic tools trying to keep up, raising questions about privacy and access in the digital age.



Comprehensive Guide to Choosing the Right Domain and Hosting Services for Startups

Posted in Uncategorized on Jul 01, 2024

In today’s digital landscape, choosing the right domain name and hosting services is crucial for startups aiming to establish a strong online presence. This comprehensive guide explores the importance of domain selection, optimal hosting solutions, and popular CMS platforms like WordPress, WooCommerce, Joomla, and more. Whether you're deploying NodeJS, Django, Ruby on Rails, React, or other frameworks, understanding these elements is essential for scalable growth and seamless user experiences.



Tips for Changing Python Django Superuser Password

Posted in Technical Solutions on Jun 07, 2024

Tips for Changing Python Django Superuser Password



Best Prices Now

Posted in Hosting Promotions on Sep 08, 2022

At HostingbyAliTech, you get low cost web hosting services with the power of Cloud. CyberPanel and LiteSpeed provide customers the best experience and optimized site performances. Along with best prices, you get most optimized performance. AliTech is serving since 2020 and it is a first choice of the clients who are after quality and speedy web hosting..



Saudi Arabia to get AstraZeneca Vaccine from India

Posted in News on Jan 27, 2021

Kingdom of Saudi Arabia (KSA) to get AstraZeneca Vaccine shots from from India in about a week. The Serum Institute of India (SII) will supply Saudi Arabia with 3 million AstraZeneca COVID-19 vaccine doses priced at $5.25 each in about a week on behalf of the British drugmaker, its chief executive told Reuters on Monday.



Understanding Hosting and Domains: A Comprehensive Guide

Posted in Uncategorized on Jun 21, 2024

Are you looking for reliable and affordable web hosting services? Look no further than AliTech Hosting! We offer a wide range of hosting plans tailored to suit your needs, whether you're just starting your online journey or managing multiple websites. With our cloud-powered infrastructure, guaranteed lowest costs, free domains, and SSL certificates, AliTech Hosting ensures top-notch performance and security for your websites. Our shared hosting plans come with the added benefit of SSD storage, DDoS protection, and a 99.99% uptime guarantee, ensuring your websites are always up and running smoothly. Plus, our 24/7 expert support team is here to assist you every step of the way, from setup to maintenance. Looking for something more scalable? Our VPS hosting plans provide dedicated resources and full root access for maximum control and customization. With quick activation, 90 days money-back guarantee, and access to advanced features like CyberPanel cPanel, AliTech Hosting makes it easy to grow your online presence. Upgrade your plan today and experience the difference with AliTech Hosting. Join thousands of satisfied customers who trust us for their web hosting needs. Get started now and take your website to new heights!



[SOLVED / FIXED ] snapd error: cannot communicate with server: Post http://localhost/v2/snaps/core

Posted in Technical Solutions on Apr 15, 2022

[SOLVED / FIXED ] error: cannot communicate with server: Post http://localhost/v2/snaps/core



US Mother Sues AI Chatbot Maker After Son’s Tragic Death

Posted in News on Oct 24, 2024

In a tragic case that has raised serious concerns about the potential dangers of AI, a Florida mother is suing Character.AI and Google following her 14-year-old son’s suicide. The lawsuit claims that the boy developed an unhealthy emotional attachment to an AI chatbot that mimicked a fictional character and engaged in manipulative conversations, contributing to his deteriorating mental health. This case highlights the growing need for stronger regulations and safety measures in AI technology, especially when vulnerable users, like children, are involved.



Blessed Friday Sale in Pakistan 2024

Posted in News on Nov 22, 2024

The Blessed Friday Sale 2024 in Pakistan offers incredible discounts across various categories, including clothing, electronics, footwear, and accessories. Renowned brands like Gul Ahmed, Nishat Linen, Engine, and Stylo are providing flat discounts ranging from 25% to 80%. Tech enthusiasts can explore exciting deals on gadgets from Audionic, Samsung, and Dany Tech, while fashion lovers can shop trendy collections at Breakout, Cougar Clothing, and Cambridge. With options for men, women, and kids, this shopping event is perfect for upgrading your wardrobe or grabbing tech essentials. Don't miss out—shop these amazing offers from top brands online or in stores!



Google Search Impact - Congrats on reaching 900 clicks in 28 days!

Posted in News on Mar 05, 2022

Google Search Impact - Congrats 900 clicks 28 days! - Awesome



Metro-Goldwyn-Mayer (MGM) Inks Cloud Computing Deal With Amazon in Search for "New Revenue Opportunities"

Posted in News on Feb 09, 2021

MGM (a private company) is set to move all of its content to Amazon’s cloud and use the tech giant’s software to modernize its media supply chain. Metro Goldwyn Mayer has signed a cloud computing agreement with Amazon Web Services to move its content and distribution efforts to the tech giant’s cloud. The James Bond studio is set to move all of its content to Amazon's cloud and use the tech giant's software to modernize its media supply chain.



OpenAI Bought the Web Domain Chat.com: Did OpenAI Just Spend More Than $10 Million on a URL?

Posted in News on Nov 07, 2024

OpenAI recently acquired Chat.com, which now redirects to ChatGPT, enhancing its brand visibility and accessibility. Previously owned by Dharmesh Shah, who bought it for $15.5 million, the domain likely sold to OpenAI for an even higher price. This strategic purchase underscores OpenAI’s commitment to making AI tools more accessible and reflects the growing importance of conversational AI in modern technology.



Intel CEO Pat Gelsinger's Dramatic Exit: A Tech Industry Watershed Moment

Posted in News on Dec 03, 2024

Intel CEO Pat Gelsinger abruptly resigned on December 1, 2024, after a challenging three-year tenure. His departure follows the company's dramatic decline, with Intel's stock falling 61% and losing ground to AI-focused competitors like Nvidia. The company has appointed interim co-CEOs while searching for a permanent replacement, marking a critical moment in Intel's struggle to remain competitive in the rapidly evolving semiconductor industry.



NASA Offers $3 Million Prize to Help Solve a Huge Problem in Moon Missions

Posted in News on Oct 18, 2024

NASA is gearing up for long-term missions on the Moon, but a significant challenge has surfaced—how to handle the waste produced in space. To address this, NASA is offering up to $3 million to those who can help solve this growing problem. The LunaRecycle Challenge aims to develop innovative waste management solutions that can reduce solid waste and enhance the sustainability of lunar missions.




Other Blogs


Oprah’s Upcoming AI Television Special Sparks Outrage Among Tech Critics

Posted in News on Sep 04, 2024 and updated on Sep 04, 2024

Mastering Multi-Server Management and Enhanced Web Security

Posted in Uncategorized on Jul 08, 2024 and updated on Jul 08, 2024

Graykey and Its Limitations: Insights from Leaked Documents

Posted in News on Nov 20, 2024 and updated on Nov 20, 2024

Tips for Changing Python Django Superuser Password

Posted in Technical Solutions on Jun 07, 2024 and updated on Jun 07, 2024

Best Prices Now

Posted in Hosting Promotions on Sep 08, 2022 and updated on Nov 27, 2023

Saudi Arabia to get AstraZeneca Vaccine from India

Posted in News on Jan 27, 2021 and updated on Mar 30, 2022

Understanding Hosting and Domains: A Comprehensive Guide

Posted in Uncategorized on Jun 21, 2024 and updated on Jun 21, 2024

US Mother Sues AI Chatbot Maker After Son’s Tragic Death

Posted in News on Oct 24, 2024 and updated on Oct 24, 2024

Blessed Friday Sale in Pakistan 2024

Posted in News on Nov 22, 2024 and updated on Nov 22, 2024

Google Search Impact - Congrats on reaching 900 clicks in 28 days!

Posted in News on Mar 05, 2022 and updated on Mar 18, 2022

Intel CEO Pat Gelsinger's Dramatic Exit: A Tech Industry Watershed Moment

Posted in News on Dec 03, 2024 and updated on Dec 03, 2024

NASA Offers $3 Million Prize to Help Solve a Huge Problem in Moon Missions

Posted in News on Oct 18, 2024 and updated on Oct 18, 2024

Best Prices Now

Posted in Hosting Promotions on Sep 08, 2022

Blessed Friday Sale in Pakistan 2024

Posted in News on Nov 22, 2024

Best Prices Now

Posted in Hosting Promotions on Sep 08, 2022

Blessed Friday Sale in Pakistan 2024

Posted in News on Nov 22, 2024







Comments

Please sign in to comment!






Subscribe To Our Newsletter

Stay in touch with us to get latest news and discount coupons