11 Million Devices Infected with Botnet Malware Hosted in Google Play: A Detailed Overview

Introduction

Google Play, the trusted app store for Android devices, has faced multiple security breaches over the years. One of the most alarming is the infiltration of malware through legitimate apps. Recently, a new wave of malware, known as Necro, has emerged, affecting over 11 million devices. This article delves into how Necro infiltrated Google Play, the techniques it uses, and the consequences of its spread.

The Re-Emergence of Necro: A Familiar Threat

What is Necro Malware?

Necro is a notorious malware family known for its stealth and modular nature. First identified in 2019, Necro has evolved to become more sophisticated, with its latest version now using advanced methods like steganography (a technique that hides malicious data within seemingly harmless files) to infect devices. This malware is particularly dangerous because it can spread through legitimate apps available in Google Play, making it harder to detect and avoid.

Necro’s Infiltration of Google Play in 2019

In 2019, researchers discovered that a seemingly legitimate Android app on Google Play had been secretly infected with malware. This malware was embedded through a Software Development Kit (SDK) used by developers to generate advertising revenue. Once integrated into the app, the SDK allowed attackers to control infected devices, enabling them to download and execute hidden payloads. This caused millions of devices to be connected to attacker-controlled servers.

Necro's Return in 2024

Fast forward to 2024, and Necro is back, infecting over 11 million devices. This time, researchers from the security firm Kaspersky found that two popular apps—Wuta Camera and Max Browser—had been compromised. The malware was distributed through a malicious SDK, once again using legitimate apps as a vehicle for infection.

How Necro Malware Infects Devices

The Role of Malicious SDKs

Software Development Kits (SDKs) are essential tools for app developers, offering ready-made solutions for common tasks like displaying ads or managing user interactions. Unfortunately, these SDKs can be exploited, as was the case with Necro. The malicious SDK embedded in apps like Wuta Camera and Max Browser allowed attackers to remotely control infected devices. Once installed, the apps would communicate with attacker-controlled servers, downloading malicious code that could be executed at any time.

Stealthy Techniques: Steganography and Obfuscation

Necro uses sophisticated techniques to remain undetected. One of the standout methods is steganography, where malicious data is hidden within seemingly benign images. This method is rarely seen in mobile malware but was used by Necro to download additional payloads from attacker-controlled servers. By embedding malicious code within PNG images, the malware could evade detection by antivirus software.

The SDK module also employed obfuscation techniques, such as the use of the OLLVM tool, to hide its true purpose. Obfuscation makes the code more difficult to analyze, further complicating efforts to detect and remove the malware.

Command-and-Control Communication

Once the device is infected, it establishes communication with a command-and-control server. This server sends encrypted instructions to the infected device, which can include downloading additional payloads or executing specific tasks. The malware uses encrypted JSON data to transmit information about the compromised device, making it challenging for security researchers to trace and analyze its behavior.

The Impact of Necro Malware on Infected Devices

Adware and Subscription Fraud

One of the most immediate effects of Necro is the display of unwanted ads through invisible WebView windows. These ads are shown in the background, generating fraudulent revenue for the attackers without the user’s knowledge. Additionally, Necro can facilitate subscription fraud, where users are unknowingly signed up for paid services, racking up charges on their accounts.

Elevated System Privileges

Necro is designed to operate with elevated system privileges, giving it significant control over the infected device. This includes the ability to download and execute arbitrary code, modify system files, and bypass security measures. By exploiting vulnerabilities in Android’s WebView component, Necro can run malicious code with enhanced privileges, further increasing its ability to cause harm.

Infected Devices as Proxies for Malicious Traffic

Another concerning feature of Necro is its ability to turn infected devices into proxies for routing malicious traffic. This makes it harder for law enforcement and cybersecurity experts to trace the origin of attacks, as the malicious activity appears to come from legitimate devices scattered around the world.

Which Apps Were Infected?

Wuta Camera

One of the apps identified as being infected with Necro was Wuta Camera, a popular photo editing app with over 10 million downloads. The malicious SDK was embedded in versions 6.3.2.148 through 6.3.6.148. Although the app has since been updated to remove the malware, any device that installed these versions remains at risk of infection.

Max Browser

Another app compromised by Necro was Max Browser, a web browsing app with over 1 million downloads. Unlike Wuta Camera, Max Browser was removed from Google Play following Kaspersky’s report. However, users who had already downloaded the app remain vulnerable, as no clean version is available for upgrade.

Necro Beyond Google Play

Infection via Modified Versions of Popular Apps

While Google Play remains a significant distribution channel for Necro, the malware has also spread through modified versions of popular apps. These “mods” are often found on unofficial app stores and websites, promising enhanced features like ad-free Spotify or modified versions of WhatsApp with extended privacy settings. In reality, these modified apps often come bundled with Necro malware, infecting unsuspecting users who download them.

High-Risk Apps Identified

Some of the high-risk apps identified by researchers include:

GBWhatsApp and FMWhatsApp: Modified versions of WhatsApp with extended file-sharing limits and enhanced privacy features.
Spotify Plus: A modified version of Spotify that promises free, ad-free premium access.
Minecraft Mods: Mods for popular games like Minecraft, Stumble Guys, and Car Parking Multiplayer that are infected with Necro.

These apps are often distributed through unofficial websites, making it difficult to track the full extent of the infections.

How to Protect Your Device from Necro

Uninstall Infected Apps

If you have downloaded Wuta Camera or Max Browser, the first step is to uninstall the app immediately. This will prevent further malicious activity and stop the malware from spreading to other apps or devices.

Run a Security Scan

Next, run a security scan using a reputable antivirus app. Many antivirus programs can detect and remove Necro and its associated payloads, helping to clean your device of any lingering malware.

Enable Google Play Protect

Google Play Protect is a built-in security feature that scans apps for malware before they are installed. Make sure this feature is enabled to help prevent future infections. If you have disabled it for any reason, now is the time to turn it back on.

Be Wary of Third-Party App Stores

Avoid downloading apps from third-party app stores or unofficial websites. These sources are not subject to the same security standards as Google Play, making them more likely to distribute malware-infected apps.

Conclusion

The re-emergence of Necro malware highlights the growing sophistication of mobile malware threats. With 11 million devices infected through Google Play, it’s clear that even trusted platforms are not immune to malware attacks. By understanding how Necro operates and taking steps to protect your device, you can reduce your risk of falling victim to this dangerous malware.

FAQs

1. What is Necro malware?

Necro is a family of malware that targets Android devices. It spreads through legitimate apps, infecting devices by embedding malicious code into the app’s SDK.

2. How does Necro infect devices?

Necro infects devices through legitimate apps, primarily using malicious SDKs. It can also spread through modified versions of popular apps available on unofficial app stores.

3. What should I do if I think my device is infected?

If you suspect your device is infected, uninstall any apps you believe may be compromised, run a security scan using a reputable antivirus program, and ensure that Google Play Protect is enabled.

4. How does Necro use steganography?

Necro uses steganography to hide malicious code within images. This makes it more difficult for antivirus programs to detect the malware, as it appears to be part of a harmless image file.

5. Are apps on Google Play safe?

While Google Play is generally considered safe, it’s not immune to malware. Always check app reviews and permissions, and enable Google Play Protect to add an extra layer of security.

Source: Google News

Read more blogs: Alitech Blog

www.hostingbyalitech.com

www.patriotsengineering.com

www.engineer.org.pk

Posted in News on Sep 24, 2024

OpenAI Just Announced New AI Features: Key Takeaways from DevDay

Posted in News on Oct 02, 2024

OpenAI has once again made headlines with a series of groundbreaking announcements at its recent developer event, DevDay. These updates promise to change the way developers and entrepreneurs build AI-powered products. Whether you're working on a new voice assistant or simply trying to optimize API usage, these new features will play a pivotal role in enhancing the performance and accessibility of AI technologies. In this article, we’ll break down everything you need to know about the new tools and capabilities OpenAI announced. From AI voice assistants to cutting-edge API updates, these innovations are setting the stage for the future of AI.

Comprehensive Guide to Choosing the Right Domain and Hosting Services for Startups

Posted in Uncategorized on Jul 01, 2024

In today’s digital landscape, choosing the right domain name and hosting services is crucial for startups aiming to establish a strong online presence. This comprehensive guide explores the importance of domain selection, optimal hosting solutions, and popular CMS platforms like WordPress, WooCommerce, Joomla, and more. Whether you're deploying NodeJS, Django, Ruby on Rails, React, or other frameworks, understanding these elements is essential for scalable growth and seamless user experiences.

How to Install Remote Desktop (RDP) on CentOS 7

Posted in Technical Solutions on Aug 26, 2022

How to Install Remote Desktop (RDP) on CentOS 7 How to install XRDP

Razer Enters AI Market with New Gaming Assistant Project Ava

Posted in News on Jan 08, 2025

Razer's Project Ava, an AI-powered gaming assistant, is set to revolutionize the gaming industry with real-time strategic advice, post-match coaching, and hardware optimization, catering to both esports professionals and casual players alike.

Litespeed performance comparison

Posted in News on Sep 08, 2022

Our server supports Lite Speed webserver: With the power of LiteSpeed server your websites will have outclass performance see the difference. The benchmark shows the difference of Magneto performance on LiteSpeed server, Nginx & Apache.

Meta's Fight Against Celebrity Investment Scam Ads with Facial Recognition Technology

Posted in News on Oct 23, 2024

Meta, the parent company of Facebook and Instagram, has taken significant steps in its ongoing battle against celebrity investment scam ads by leveraging facial recognition technology. These scam ads often involve deepfake images of celebrities like Gina Rinehart and Guy Sebastian, tricking users into believing false endorsements. This new initiative aims to quickly and accurately detect these fraudulent ads and remove them before they reach unsuspecting users.

World of Quantum Computing and Its Effects on Web Hosting and Domain Names

Posted in Uncategorized on Jul 11, 2024

Quantum computing is no longer a concept confined to the realm of theoretical physics; it has entered the mainstream, promising to revolutionize various industries. Among these, web hosting and domain name management stand to benefit significantly from the advancements in quantum computing. Quantum computers can process large datasets more efficiently, enabling faster data retrieval and processing. This can significantly reduce the time it takes to load websites, improving the overall user experience. Moreover, quantum encryption techniques offer enhanced protection, ensuring that sensitive data transmitted over the internet remains secure from cyber threats. As quantum computing continues to evolve, it is set to transform web hosting and domain management, making them more efficient, secure, and reliable.

General Motors (GM) Lays Off Over 1,000 Salaried Software, Services Employees

Posted in News on Aug 20, 2024

General Motors (GM) has announced the layoff of over 1,000 salaried employees from its software and services divisions, signaling a major shift in its strategic focus. The cuts, affecting both domestic and international positions, come as GM aims to streamline operations and prioritize high-impact projects such as enhancing its Super Cruise driver assistance system and exploring artificial intelligence. This move follows a review after the departure of former executive Mike Abbott and reflects GM's broader push towards innovation in the rapidly evolving automotive sector.

How to Install Python 3.10 on Ubuntu 20.04 LTS & Ubuntu 18.04

Posted in Technical Solutions on Jan 02, 2022

How to Install Python 3.10 on Ubuntu 20.04 LTS & Ubuntu 18.04 Python is a programming language that lets you work more quickly and integrate...

4 tips to enable Nested Virtualization like a PRO

Posted in Technical Solutions on Oct 17, 2021

Nested virtualization is used to enable, use or create virtual machines within virtual machines, consider Virtualbox is running CentOS virtual machine

Google Gemini’s Memory Feature: Personalizing AI Interactions

Posted in News on Nov 21, 2024

Google Gemini's new memory feature takes AI personalization to the next level. By allowing users to input specific preferences and details, Gemini tailors its responses to better suit individual needs. Whether it's adjusting to dietary requirements or prioritizing professional interests, this feature offers a more relevant and engaging experience. Unlike other AI systems, Gemini gives users full control over what information is remembered, ensuring privacy and transparency. Available to subscribers of the Google One AI Premium plan, this feature is set to redefine how we interact with AI chatbots.

Mastering WooCommerce SEO: A Complete Guide to Optimize Your Online Store

Posted on Dec 05, 2024

Discover the ultimate guide to WooCommerce SEO and learn how to optimize your online store for better visibility, increased traffic, and higher sales with proven strategies and tools

[SOLVED / FIXED] Django error 400 bad request

Posted in Technical Solutions on Jul 04, 2021

[SOLEVED] Django error 400 bad request

[SOLVED / FIXED] : File Explorer is crashing on right click Windows 10 | Windows 8 | Windows 7 | Windows XP

Posted in Technical Solutions on Apr 01, 2021

[SOLVED] : File Explorer is crashing on right click Windows 10 Issue: When you right click on File Explorer sidebar with Windows Explorer / File Explorer crashes.

Now hiring Wordpress PHP Developer (Remote / Office) - 2022

Posted in Jobs on Feb 28, 2022

Now hiring Wordpress PHP Developer (Remote / Office): Required Wordpress CSS, HTML, Javascript, PHP

The Role of Artificial Intelligence in Hollywood: Ben Affleck’s Perspective

Posted in News on Nov 26, 2024

Ben Affleck, the renowned actor and director, shared his perspective on artificial intelligence's role in Hollywood, emphasizing that AI can streamline laborious tasks but cannot replace human creativity. Speaking at CNBC’s Delivering Alpha 2024 summit, Affleck highlighted AI's limitations in originality and its inability to replicate the emotional depth achieved through human interaction. While optimistic about AI reducing filmmaking costs and democratizing the industry, he stressed its role as a tool, not a creator. Affleck’s nuanced insights provide a balanced view of AI as a complement to human creativity rather than a replacement.

IBM Develops AI Agents to Automate Software Engineering Tasks

Posted in News on Nov 08, 2024

Get ready to revolutionize software development with AI! IBM's latest innovation uses AI agents to automate tasks, improve code quality, and streamline development. Discover how AI-driven software development can transform industries and change the game

How to Choose the Best Domain Name for Your Website

Posted in Uncategorized on Jul 09, 2024

Choosing a domain name is more than just picking a web address; it’s about creating your online identity. Your domain is the gateway to your website and plays a crucial role in how people perceive and remember your brand. It should be concise, relevant to your business, and easy to remember. In this guide, we’ll explore the key factors to consider when selecting a domain name, tips for making it memorable, and tools to help you find the perfect fit. Whether you’re starting a new venture or rebranding an existing one, choosing the right domain name is a pivotal step towards online success.