Man
Professional
In late August, a Trojan codenamed Necro was discovered in two apps on the Google Play Store marketplace. It is a multi-level downloader for running ads in the background, clicking, and generating traffic through infected Android devices. The victims of the Trojan include users from Russia, Brazil, Vietnam, Ecuador, and Mexico.
According to the report by Kaspersky Lab experts, the applications contained the Coral SDK package (as well as Jar, Cube, etc.), designed to integrate advertising modules into the application and download advertising. Once on a device, the SDK began sending requests to its server to download a malicious PNG file. The malware relied on obfuscation to hide its activity and on steganography: the second-stage payload (shellPlugin) was hidden inside the image it requested.
Spotify, Minecraft, WhatsApp Under Attack
— Spotify Plus
Attackers modified mobile applications and distributed them through third-party sites. For example, a modified Spotify Plus was distributed through the site spotiplus[.]xyz.
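The paragraph above describes a loader that fetches a PNG and extracts a second-stage payload hidden in it. Below is an added triage helper (my example, not code from the Kaspersky report or from the Necro malware) that walks a PNG's chunk structure and flags the structural anomalies an analyst would check first: bytes appended after the IEND chunk, chunks whose CRC does not match, truncated files, and non-standard chunk types. The sample images are constructed inline; the specific encoding Necro used is not described on this page, so the checker is generic rather than a signature for that family.

```python
"""Generic PNG structure triage: flag trailing data after IEND, bad CRCs,
truncation and non-standard chunk types.  Added example, not from the
report; sample PNGs below are constructed in-process."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification and common extensions.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
    b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
    b"hIST", b"tIME", b"eXIf",
}


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one chunk: big-endian length, type, data, CRC32(type+data)."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width=1, height=1, extra_chunks=(), trailer=b"") -> bytes:
    """Construct a minimal valid 8-bit RGB PNG (constructed sample data).
    extra_chunks are inserted between IHDR and IDAT; trailer is appended
    after IEND to simulate smuggled data."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline: filter byte 0 followed by width*3 RGB bytes (all black).
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    png = PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        png += make_chunk(ctype, data)
    png += make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b"")
    return png + trailer


def analyze_png(blob: bytes) -> dict:
    """Walk the chunk list and return findings worth acting on."""
    findings = {
        "valid_signature": blob[:8] == PNG_SIGNATURE,
        "chunks": [],          # (type, data length) in file order
        "bad_crc": [],         # chunk types whose stored CRC does not match
        "unknown_types": [],   # chunk types outside STANDARD_CHUNKS
        "trailing_bytes": 0,   # bytes after the IEND chunk
        "truncated": False,    # file ended inside a chunk or before IEND
    }
    if not findings["valid_signature"]:
        findings["suspicious"] = True
        return findings
    pos = 8
    while True:
        if pos + 8 > len(blob):
            findings["truncated"] = True
            break
        length, = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 12 + length  # length field + type + data + CRC
        if end > len(blob):
            findings["truncated"] = True
            break
        data = blob[pos + 8:pos + 8 + length]
        crc_stored, = struct.unpack(">I", blob[pos + 8 + length:end])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc_stored:
            findings["bad_crc"].append(ctype.decode("latin-1"))
        if ctype not in STANDARD_CHUNKS:
            findings["unknown_types"].append(ctype.decode("latin-1"))
        findings["chunks"].append((ctype.decode("latin-1"), length))
        pos = end
        if ctype == b"IEND":
            findings["trailing_bytes"] = len(blob) - pos
            break
    findings["suspicious"] = bool(
        findings["bad_crc"] or findings["unknown_types"]
        or findings["trailing_bytes"] or findings["truncated"]
    )
    return findings


# Constructed samples: a clean image, one with an archive-like blob appended
# after IEND, one with a private chunk type, and one with a corrupted IHDR byte.
CLEAN_PNG = build_png()
SMUGGLED_PNG = build_png(trailer=b"PK\x03\x04" + b"A" * 64)
PRIVATE_CHUNK_PNG = build_png(extra_chunks=[(b"xtRa", b"\x00" * 32)])
BAD_CRC_PNG = CLEAN_PNG[:16] + bytes([CLEAN_PNG[16] ^ 0xFF]) + CLEAN_PNG[17:]

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_PNG), ("smuggled", SMUGGLED_PNG),
                       ("private-chunk", PRIVATE_CHUNK_PNG), ("bad-crc", BAD_CRC_PNG)]:
        print(name, analyze_png(blob))
```

Trailing data after IEND and CRC mismatches are cheap to check and survive most image-viewer round trips, which is why they make a useful first pass over images pulled from an SDK's download traffic; a payload encoded inside the pixel data itself would pass this structural check and needs content-level analysis.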
— Wuta Camera and Max Browser
Another application infected with the Necro Trojan, Wuta Camera, was downloaded on Google Play more than 10 million times, and the third, Max Browser, more than 1 million.
— WhatsApp
WhatsApp was also hit: a modification carrying the malicious “necronics” payload was likewise distributed via third-party sites. The modification imitated the legitimate om.leapzip.animatedstickers.maker.android package with stickers for the messenger.
The distinctive feature is that this modification did not use obfuscation, but instead used Google's Firebase Remote Config cloud service as its command server: the stored configuration described which files needed to be downloaded and executed.
— Minecraft and others
In addition to the modified Spotify and WhatsApp builds, as well as Wuta Camera and Max Browser from Google Play, experts also found other applications with malicious payloads, such as Minecraft, Stumble Guys, etc. According to experts, their developers used unverified solutions for integrating advertising modules, thus infecting their own applications.
Once the user installed the malicious app on their device, it was able to download various modules and plugins. The malware could then view and click ads that opened in the background on the device.
Like the Joker malware, which was once also found in mobile apps in the Google Play Store, Necro could also subscribe users to paid subscriptions. To do this, it could add any additional information to the URL parameters.
In addition, the attackers created an entire proxy botnet from infected devices and used them to direct traffic to the resources they needed.
According to Google's calculations, the infected apps from the Play Store were downloaded more than 11 million times; however, the exact number of victims cannot be calculated, since various modifications of popular apps were also distributed through third-party resources.
The Necro malware has previously been spotted on Google Play. In 2019, cybersecurity experts discovered the CamScanner app infected with it, with a total number of downloads exceeding 100 million times.