Two Malicious Apps on Google Play Infect 11 Million Devices Worldwide: Are You Safe?
Researchers from Kaspersky have identified a resurgence of the Necro malware in two popular Android apps, affecting over 11 million users. This malicious code, concealed within legitimate-looking apps, has once again raised concerns about the security of mobile apps on Google Play.
The malware was spread through a compromised software developer kit (SDK) that allowed attackers to exploit users' devices without their knowledge.

Necro Malware Returns via SDK Vulnerability
Necro malware is not a new threat; it was first discovered five years ago when a similar SDK infected 100 million devices. The latest attack also involves a compromised SDK, used by developers to monetize their apps through advertising.
However, the SDK contained hidden malware that secretly communicated with attacker-controlled servers. Once installed on a device, the malware collected user data and downloaded additional malicious code.

The Role of SDKs in App Infections
SDKs are widely used by app developers to simplify the app development process. They provide essential frameworks for tasks like displaying ads. Unfortunately, this time, the SDK in question was not just supporting ads but was also facilitating unauthorized access to users' devices.
Kaspersky researchers revealed that the malware operates by sending encrypted JSON data to a command-and-control server. The server responds with a PNG image, which is then processed using a steganographic technique to hide malicious code within the image's pixels. This method allows the malware to evade detection by hiding its payload in seemingly harmless image files.

Advanced Malware Techniques: Steganography and Elevated Rights
The Necro malware uses a clever steganographic technique, rarely seen in mobile malware, to extract malicious code from images. By manipulating the blue channel of the image's pixels, the malware can decode a hidden JAR file, which is then executed on the device. The malicious code can perform a range of actions, including running with elevated system rights, making it difficult for the user to detect or stop its activities.
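A defender triaging images that an app downloads can test for this kind of blue-channel hiding directly. The Python below is an added example, not code from Kaspersky or from the malware: it assumes one payload byte per pixel in the blue channel, stored raw or Base64-encoded (the article does not give the layout), and `blue_channel`, `archive_offset` and `make_png` are hypothetical names.

```python
import struct, zlib

SIG = b"\x89PNG\r\n\x1a\n"
MARKERS = (b"PK\x03\x04", b"UEsDB")  # ZIP/JAR header: raw, and as Base64 (assumed encoding)

def blue_channel(png: bytes) -> bytes:
    """Blue byte of every pixel of an 8-bit RGB/RGBA, non-interlaced PNG."""
    if png[:8] != SIG:
        raise ValueError("not a PNG")
    pos, idat, hdr = 8, b"", None
    while pos + 8 <= len(png):
        length, tag = struct.unpack(">I4s", png[pos:pos + 8])
        body = png[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            hdr = struct.unpack(">IIBBBBB", body)
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # length + tag + body + CRC
    width, height, depth, colour, _, _, interlace = hdr
    if depth != 8 or colour not in (2, 6) or interlace:
        raise ValueError("unsupported PNG layout")
    bpp = 3 if colour == 2 else 4
    stride, raw = width * bpp, zlib.decompress(idat)
    prev, blue = bytearray(stride), bytearray()
    for y in range(height):
        ftype = raw[y * (stride + 1)]
        row = bytearray(raw[y * (stride + 1) + 1:(y + 1) * (stride + 1)])
        for i in range(stride):  # undo the per-row PNG filter
            a = row[i - bpp] if i >= bpp else 0
            b, c = prev[i], (prev[i - bpp] if i >= bpp else 0)
            pa, pb, pc = abs(b - c), abs(a - c), abs(a + b - 2 * c)
            paeth = a if pa <= pb and pa <= pc else b if pb <= pc else c
            row[i] = (row[i] + (0, a, b, (a + b) // 2, paeth)[ftype]) & 0xFF
        blue += row[2::bpp]
        prev = row
    return bytes(blue)

def archive_offset(png: bytes):  # offset of the first marker in the blue channel, or None
    data = blue_channel(png)
    return min((data.find(m) for m in MARKERS if m in data), default=None)

def make_png(blue: bytes, width: int) -> bytes:  # builds the constructed samples below
    chunk = lambda t, d: struct.pack(">I", len(d)) + t + d + struct.pack(">I", zlib.crc32(t + d))
    px = b"".join(bytes((128, 128, v)) for v in blue)
    rows = b"".join(b"\x00" + px[i:i + 3 * width] for i in range(0, len(px), 3 * width))
    ihdr = struct.pack(">IIBBBBB", width, len(blue) // width, 8, 2, 0, 0, 0)
    return SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"")

CLEAN = make_png(bytes(range(8)), 4)                   # constructed: no marker
SUSPECT = make_png(b"\x10\x20PK\x03\x04\x30\x40", 4)   # constructed: marker spans two rows
```

A hit is a triage signal rather than proof: an image response whose blue channel alone spells out an archive header is worth pulling for analysis.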
One particularly dangerous feature of Necro is its ability to bypass Android's WebView security restrictions. Using a reflection attack, the malware creates a separate instance of WebView, allowing it to alter URLs and even subscribe users to paid services without their consent. This feature opens the door for attackers to run various malicious plugins, depending on the device they have compromised.

Infected Apps and How to Stay Safe
The researchers identified two specific apps on Google Play that were infected with Necro:
- Wuta Camera (Versions 6.3.2.148 - 6.3.6.148): This app has been updated to remove the malicious SDK. Users should update immediately.
- Max Browser: This app has been removed from Google Play.
Kaspersky also found Necro infecting modified versions of popular apps downloaded from unofficial sources, including:
- Spotify
- Minecraft
- Stumble Guys
- Car Parking Multiplayer
- Melon Sandbox
Even official app stores like Google Play aren't completely safe from malware, as this campaign shows. While they provide some security, harmful apps can still get through. Users need to stay cautious and carefully review apps before downloading them to keep their devices safe.










