Necro malware infects 11M+ Android devices via Google Play apps

A new version of Necro, a malware family that first emerged in 2019, has been found installed on at least 11 million devices through apps distributed via the Google Play store.

Discovered by researchers at Kaspersky Lab Inc., the malware was installed on Android devices through malicious advertising software development kits used by apps on Google Play, along with game modifications and modified versions of popular applications and games available through unofficial app stores.

One of the infected apps, called Wuta Camera, was downloaded more than 10 million times from Google Play. Another app, Max Browser, had more than 1 million downloads from Google’s official store. Both of the infected versions of the apps have since been removed by Google.

In both cases, the Kaspersky researchers say the apps were infected by an advertising SDK called “Coral SDK” that used obfuscation techniques to hide its malicious activities. For the second-stage payload, the malware then uses image steganography through “shellPlugin” disguised as a harmless image.

Once an Android device is infected, the malware displays ads in invisible windows and clicks on them, downloads executable files, installs third-party applications and opens arbitrary links in invisible windows to execute JavaScript. The malware can also subscribe users to paid services without their knowledge and redirect internet traffic through infected devices, using them as proxies.

Katie Teitler-Santullo, cybersecurity strategist at application security posture management company OX Appsec Security Ltd., told SiliconANGLE via email that “while users have no control over what SDKs are used in apps, developers of the apps can, indeed, check to make sure the SDK hasn’t been tampered with.”

“For instance, developers should check to see if the SDK has been signed with a valid certificate and comes from a trusted source,” Teitler-Santullo said. “Scanning source code for malicious content and unauthorized access helps developers identify whether the code has been altered or is vulnerable to exploit.”

She added that “it’s always best practice for AppSec teams to conduct various other types of scanning including SAST, DAST, dependency and vulnerability, both to find issues before apps are deployed and during runtime.”
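One way a build pipeline could check that a vendored SDK has not been altered since it was reviewed is sketched below. It is an added example, not code from the article, Kaspersky or any SDK vendor. It pins a SHA-256 digest for every file inside the SDK archive (AAR and JAR files are zip archives) and reports entries that were added, removed or modified; all function names and sample archives are hypothetical and constructed for illustration.

```python
import hashlib
import io
import zipfile


def entry_digests(archive_bytes: bytes) -> dict[str, str]:
    """Map each file inside a zip-format archive (AAR/JAR) to its SHA-256."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def diff_against_pinned(pinned: dict[str, str], archive_bytes: bytes) -> dict[str, list[str]]:
    """Compare an SDK archive with the digests pinned when it was reviewed."""
    current = entry_digests(archive_bytes)
    shared = pinned.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(pinned)),
        "removed": sorted(set(pinned) - set(current)),
        "modified": sorted(n for n in shared if pinned[n] != current[n]),
    }


def is_unchanged(report: dict[str, list[str]]) -> bool:
    """True only when no entry was added, removed or modified."""
    return not any(report.values())


def build_archive(files: dict[str, bytes]) -> bytes:
    """Build a small in-memory archive; constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the reviewed SDK drop and a later drop claiming the same version.
REVIEWED = build_archive({"classes.jar": b"reviewed bytecode", "AndroidManifest.xml": b"<manifest/>"})
LATER = build_archive({"classes.jar": b"different bytecode", "AndroidManifest.xml": b"<manifest/>",
                       "assets/banner.png": b"unexpected extra asset"})
PINNED = entry_digests(REVIEWED)

if __name__ == "__main__":
    for label, blob in (("reviewed", REVIEWED), ("later", LATER)):
        report = diff_against_pinned(PINNED, blob)
        print(label, "OK" if is_unchanged(report) else f"CHANGED {report}")
```

Per-entry digests show which files changed, which a single hash of the whole archive does not. A check like this detects drift from a reviewed baseline and complements, rather than replaces, the signature and source checks described above.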

Source: siliconangle.com
