11 Million Devices Infected with Botnet Malware Hosted in Google Play: A Detailed Overview



Introduction

Google Play, the trusted app store for Android devices, has faced multiple security breaches over the years. One of the most alarming is the infiltration of malware through legitimate apps. Recently, a new wave of malware, known as Necro, has emerged, affecting over 11 million devices. This article delves into how Necro infiltrated Google Play, the techniques it uses, and the consequences of its spread.

The Re-Emergence of Necro: A Familiar Threat

What is Necro Malware?

Necro is a notorious malware family known for its stealth and modular nature. First identified in 2019, Necro has evolved to become more sophisticated, with its latest version now using advanced methods like steganography (a technique that hides malicious data within seemingly harmless files) to infect devices. This malware is particularly dangerous because it can spread through legitimate apps available in Google Play, making it harder to detect and avoid.

Necro’s Infiltration of Google Play in 2019

In 2019, researchers discovered that a seemingly legitimate Android app on Google Play had been secretly infected with malware. This malware was embedded through a Software Development Kit (SDK) used by developers to generate advertising revenue. Once integrated into the app, the SDK allowed attackers to control infected devices, enabling them to download and execute hidden payloads. This caused millions of devices to be connected to attacker-controlled servers.

Necro's Return in 2024

Fast forward to 2024, and Necro is back, infecting over 11 million devices. This time, researchers from the security firm Kaspersky found that two popular apps—Wuta Camera and Max Browser—had been compromised. The malware was distributed through a malicious SDK, once again using legitimate apps as a vehicle for infection.

How Necro Malware Infects Devices

The Role of Malicious SDKs

Software Development Kits (SDKs) are essential tools for app developers, offering ready-made solutions for common tasks like displaying ads or managing user interactions. Unfortunately, these SDKs can be exploited, as was the case with Necro. The malicious SDK embedded in apps like Wuta Camera and Max Browser allowed attackers to remotely control infected devices. Once installed, the apps would communicate with attacker-controlled servers, downloading malicious code that could be executed at any time.

Stealthy Techniques: Steganography and Obfuscation

Necro uses sophisticated techniques to remain undetected. One of the standout methods is steganography, where malicious data is hidden within seemingly benign images. This method is rarely seen in mobile malware but was used by Necro to download additional payloads from attacker-controlled servers. By embedding malicious code within PNG images, the malware could evade detection by antivirus software.

The SDK module also employed obfuscation techniques, such as the use of the OLLVM tool, to hide its true purpose. Obfuscation makes the code more difficult to analyze, further complicating efforts to detect and remove the malware.

Command-and-Control Communication

Once the device is infected, it establishes communication with a command-and-control server. This server sends encrypted instructions to the infected device, which can include downloading additional payloads or executing specific tasks. The malware uses encrypted JSON data to transmit information about the compromised device, making it challenging for security researchers to trace and analyze its behavior.

The Impact of Necro Malware on Infected Devices

Adware and Subscription Fraud

One of the most immediate effects of Necro is the display of unwanted ads through invisible WebView windows. These ads are shown in the background, generating fraudulent revenue for the attackers without the user’s knowledge. Additionally, Necro can facilitate subscription fraud, where users are unknowingly signed up for paid services, racking up charges on their accounts.

Elevated System Privileges

Necro is designed to operate with elevated system privileges, giving it significant control over the infected device. This includes the ability to download and execute arbitrary code, modify system files, and bypass security measures. By exploiting vulnerabilities in Android’s WebView component, Necro can run malicious code with enhanced privileges, further increasing its ability to cause harm.

Infected Devices as Proxies for Malicious Traffic

Another concerning feature of Necro is its ability to turn infected devices into proxies for routing malicious traffic. This makes it harder for law enforcement and cybersecurity experts to trace the origin of attacks, as the malicious activity appears to come from legitimate devices scattered around the world.

Which Apps Were Infected?

Wuta Camera

One of the apps identified as being infected with Necro was Wuta Camera, a popular photo editing app with over 10 million downloads. The malicious SDK was embedded in versions 6.3.2.148 through 6.3.6.148. Although the app has since been updated to remove the malware, any device that installed these versions remains at risk of infection.

Max Browser

Another app compromised by Necro was Max Browser, a web browsing app with over 1 million downloads. Unlike Wuta Camera, Max Browser was removed from Google Play following Kaspersky’s report. However, users who had already downloaded the app remain vulnerable, as no clean version is available for upgrade.

Necro Beyond Google Play

Infection via Modified Versions of Popular Apps

While Google Play remains a significant distribution channel for Necro, the malware has also spread through modified versions of popular apps. These “mods” are often found on unofficial app stores and websites, promising enhanced features like ad-free Spotify or modified versions of WhatsApp with extended privacy settings. In reality, these modified apps often come bundled with Necro malware, infecting unsuspecting users who download them.

High-Risk Apps Identified

Some of the high-risk apps identified by researchers include:

  • GBWhatsApp and FMWhatsApp: Modified versions of WhatsApp with extended file-sharing limits and enhanced privacy features.
  • Spotify Plus: A modified version of Spotify that promises free, ad-free premium access.
  • Minecraft Mods: Mods for popular games like Minecraft, Stumble Guys, and Car Parking Multiplayer that are infected with Necro.

These apps are often distributed through unofficial websites, making it difficult to track the full extent of the infections.

How to Protect Your Device from Necro

Uninstall Infected Apps

If you have downloaded Wuta Camera or Max Browser, the first step is to uninstall the app immediately. This will prevent further malicious activity and stop the malware from spreading to other apps or devices.

Run a Security Scan

Next, run a security scan using a reputable antivirus app. Many antivirus programs can detect and remove Necro and its associated payloads, helping to clean your device of any lingering malware.

Enable Google Play Protect

Google Play Protect is a built-in security feature that scans apps for malware before they are installed. Make sure this feature is enabled to help prevent future infections. If you have disabled it for any reason, now is the time to turn it back on.

Be Wary of Third-Party App Stores

Avoid downloading apps from third-party app stores or unofficial websites. These sources are not subject to the same security standards as Google Play, making them more likely to distribute malware-infected apps.

Conclusion

The re-emergence of Necro malware highlights the growing sophistication of mobile malware threats. With 11 million devices infected through Google Play, it’s clear that even trusted platforms are not immune to malware attacks. By understanding how Necro operates and taking steps to protect your device, you can reduce your risk of falling victim to this dangerous malware.

FAQs

1. What is Necro malware?

Necro is a family of malware that targets Android devices. It spreads through legitimate apps, infecting devices by embedding malicious code into the app’s SDK.

2. How does Necro infect devices?

Necro infects devices through legitimate apps, primarily using malicious SDKs. It can also spread through modified versions of popular apps available on unofficial app stores.

3. What should I do if I think my device is infected?

If you suspect your device is infected, uninstall any apps you believe may be compromised, run a security scan using a reputable antivirus program, and ensure that Google Play Protect is enabled.

4. How does Necro use steganography?

Necro uses steganography to hide malicious code within images. This makes it more difficult for antivirus programs to detect the malware, as it appears to be part of a harmless image file.

5. Are apps on Google Play safe?

While Google Play is generally considered safe, it’s not immune to malware. Always check app reviews and permissions, and enable Google Play Protect to add an extra layer of security.

Source: Google News

Read more blogs: Alitech Blog

www.hostingbyalitech.com

www.patriotsengineering.com

www.engineer.org.pk

Posted in News on Sep 24, 2024



Ghost Framework: A Comprehensive Guide

Posted in Uncategorized on Sep 11, 2024

Ghost Framework is a powerful and flexible PHP framework designed for building robust and scalable web applications. With its modular design and MVC architecture, Ghost Framework enables developers to build applications in a structured and organized way. In this comprehensive guide, we'll explore the features and benefits of Ghost Framework, and provide a step-by-step tutorial on getting started with the framework. Whether you're a seasoned PHP developer or just starting out, Ghost Framework is an ideal choice for building fast, secure, and reliable web applications



Google’s New Verified Checkmarks in Search: A Game-Changer for User Trust

Posted in News on Oct 08, 2024

As we navigate the digital age, online trust has become increasingly important. Google is now experimenting with a feature that aims to strengthen this trust: verified checkmarks in search results. These blue ticks could soon help users easily identify which businesses are legitimate and trustworthy. But what does this mean for the average internet user? Let’s dive deeper into this new feature and explore its implications.



WhatsApp's Upcoming Features: A Comprehensive Look at the Future of Messaging

Posted in News on Aug 30, 2024

WhatsApp is rolling out exciting new features, including advanced contact syncing options, multi-account support, and enhanced privacy tools like passkey encryption. These updates will allow users to manage contacts separately for each account, manually sync specific contacts, and create custom chat lists. Additionally, WhatsApp is working on voice message transcription and in-app translation, making communication more seamless and secure. These features, currently in beta, aim to improve user experience and provide greater control over personal and professional interactions



How an App on Your Smartwatch Could Help You Quit Smoking

Posted in News on Jan 02, 2025

Researchers at the University of Bristol have developed an innovative app for Android smartwatches to help smokers quit. The app detects specific hand movements associated with smoking and delivers supportive messages to the user, providing a gentle nudge to avoid lighting up



Galaxy S10 Phones Bricked by Recent Update, Samsung Quickly Offers a Fix

Posted on Oct 04, 2024

The recent Samsung update has caused severe problems for many Galaxy S10 and Note 10 owners, leaving their devices bricked and forcing users to seek urgent solutions. The update, designed to improve functionality, has instead resulted in a widespread issue that has thrown affected phones into an endless boot loop. Fortunately, Samsung was quick to respond with a fix, but users are still grappling with the impact.



Unbelievable Weight Loss: World's Heaviest Man Khalid Shaari Sheds 542 kg, Now Unrecognizable at 63 kg

Posted in Uncategorized on Aug 15, 2024

Khalid bin Mohsen Shaari’s weight loss journey is nothing short of extraordinary. Once the world’s heaviest man at 610 kilograms, Shaari has undergone a staggering transformation, shedding 542 kilograms to reach a weight of just 63 kilograms. His remarkable story of recovery, supported by a dedicated team of medical professionals and the intervention of Saudi Arabia’s former King Abdullah, showcases the power of modern medicine and unwavering perseverance. Shaari’s transformation not only highlights the dramatic impact of medical innovation but also serves as an inspiring example of overcoming extreme adversity.



Intel CEO Pat Gelsinger's Dramatic Exit: A Tech Industry Watershed Moment

Posted in News on Dec 03, 2024

Intel CEO Pat Gelsinger abruptly resigned on December 1, 2024, after a challenging three-year tenure. His departure follows the company's dramatic decline, with Intel's stock falling 61% and losing ground to AI-focused competitors like Nvidia. The company has appointed interim co-CEOs while searching for a permanent replacement, marking a critical moment in Intel's struggle to remain competitive in the rapidly evolving semiconductor industry.



Ubuntu 18.04.6 LTS (Bionic Beaver) / Ubuntu 20.04.3 LTS (Focal Fossa) - Common Commands

Posted in Technical Solutions on Nov 04, 2021

Ubuntu 18.04.6 LTS (Bionic Beaver) / Ubuntu 20.04.3 LTS (Focal Fossa) - Common Commands & Frequent Tasks Disabling the firewall - iptables if you need to disable the firewall temporarily, you can flush all the rules using



Metro-Goldwyn-Mayer (MGM) Inks Cloud Computing Deal With Amazon in Search for "New Revenue Opportunities"

Posted in News on Feb 09, 2021

MGM (a private company) is set to move all of its content to Amazon’s cloud and use the tech giant’s software to modernize its media supply chain. Metro Goldwyn Mayer has signed a cloud computing agreement with Amazon Web Services to move its content and distribution efforts to the tech giant’s cloud. The James Bond studio is set to move all of its content to Amazon's cloud and use the tech giant's software to modernize its media supply chain.



Texas to Get 1 GW AI-Powered Virtual Power Plant, Enough to Power 200,000 Homes

Posted in News on Nov 14, 2024

Texas is pioneering energy innovation with the launch of a 1-gigawatt virtual power plant (VPP) capable of supporting up to 200,000 homes during peak demand. A collaboration between NRG Energy, Renew Home, and Google Cloud, this AI-powered VPP will help Texas address its rising energy needs and boost grid stability. By aggregating energy from distributed sources like smart thermostats, electric vehicles, and home battery storage, the VPP adjusts electricity flow in real-time, optimizing energy use and reducing costs. With free smart thermostats offered to residents, Texas’ VPP empowers households to cut bills while supporting a resilient, eco-friendly energy system.



AliTech is now verified by Apple ®

Posted in About Hosting by AliTech, News on Sep 20, 2020

Now Alitech is verified with Apple. Support team is available via iMessage 24/7.



US Mother Sues AI Chatbot Maker After Son’s Tragic Death

Posted in News on Oct 24, 2024

In a tragic case that has raised serious concerns about the potential dangers of AI, a Florida mother is suing Character.AI and Google following her 14-year-old son’s suicide. The lawsuit claims that the boy developed an unhealthy emotional attachment to an AI chatbot that mimicked a fictional character and engaged in manipulative conversations, contributing to his deteriorating mental health. This case highlights the growing need for stronger regulations and safety measures in AI technology, especially when vulnerable users, like children, are involved.



Hackers Hijack Many New Company Accounts With Domain Names On Squarespace

Posted in Uncategorized on Jul 19, 2024

In July 2024, hackers exploited a vulnerability in Squarespace's domain migration process, hijacking over a dozen company accounts, primarily targeting crypto-themed entities. This article delves into the incident, the impact on affected companies, and the necessary steps to enhance domain security.



Comprehensive Guide to Choosing the Right Domain and Hosting Services for Startups

Posted in Uncategorized on Jul 01, 2024

In today’s digital landscape, choosing the right domain name and hosting services is crucial for startups aiming to establish a strong online presence. This comprehensive guide explores the importance of domain selection, optimal hosting solutions, and popular CMS platforms like WordPress, WooCommerce, Joomla, and more. Whether you're deploying NodeJS, Django, Ruby on Rails, React, or other frameworks, understanding these elements is essential for scalable growth and seamless user experiences.



Meet Autumn 2024 Alibaba Cloud MVPs: A Spotlight on Farhan Ali Shah

Posted in News on Oct 01, 2024

The Autumn 2024 Alibaba Cloud MVP Program proudly welcomes a group of talented professionals, including Farhan Ali Shah, Director at AliTech Solutions. This article highlights their achievements and contributions to the cloud computing community. Alibaba Cloud MVPs are recognized for their expertise and commitment to sharing knowledge, playing a crucial role in driving digital transformation and innovation. Join us as we celebrate these leaders who are shaping the future of technology through their dedication and passion for cloud solutions.



Top Best Web Hosting Services of 2024

Posted in About Hosting by AliTech, News on Sep 02, 2024

Find the best web hosting service for your website in 2024! Compare top hosting providers like HostGator, Bluehost, and DreamHost, and discover the benefits of cloud-powered hosting with Hosting by AliTech. Limited time offer: Get up to 33.3% off your hosting plan with Hosting by AliTech!



Webcam Hacking and Stalking: Myth or Reality?

Posted in News on Dec 25, 2024

Webcam hacking is a growing concern in the digital world, with hackers exploiting vulnerabilities in webcams to gain unauthorized access to private spaces. But how real is this threat, and should you be worried? From phishing emails to malware and Trojan horse programs, hackers are using various techniques to breach webcams and invade individuals' privacy. With real-life cases of webcam hacking and stalking on the rise, it's essential to understand the risks and take precautions to protect your privacy and security.



Choosing an SEO-Friendly Domain Name

Posted in Uncategorized on Jul 30, 2024

Choosing an SEO-friendly domain name is crucial for your website's success. This comprehensive guide explores the importance of domain names in SEO, provides actionable tips for selecting the best domain, and shares strategies to enhance your domain's SEO performance. Discover how to pick the right keywords, the benefits of short and simple domain names, and the role of trustworthy domain extensions. Learn how to create valuable content, build backlinks, and brand your domain effectively. Get insights into competitor domain analysis and whether you need to change your domain name for better SEO results.




Other Blogs


Ghost Framework: A Comprehensive Guide

Posted in Uncategorized on Sep 11, 2024 and updated on Sep 11, 2024

Google’s New Verified Checkmarks in Search: A Game-Changer for User Trust

Posted in News on Oct 08, 2024 and updated on Oct 08, 2024

WhatsApp's Upcoming Features: A Comprehensive Look at the Future of Messaging

Posted in News on Aug 30, 2024 and updated on Aug 30, 2024

How an App on Your Smartwatch Could Help You Quit Smoking

Posted in News on Jan 02, 2025 and updated on Jan 02, 2025

Galaxy S10 Phones Bricked by Recent Update, Samsung Quickly Offers a Fix

Posted on Oct 04, 2024 and updated on Oct 04, 2024

Intel CEO Pat Gelsinger's Dramatic Exit: A Tech Industry Watershed Moment

Posted in News on Dec 03, 2024 and updated on Dec 03, 2024

Texas to Get 1 GW AI-Powered Virtual Power Plant, Enough to Power 200,000 Homes

Posted in News on Nov 14, 2024 and updated on Nov 14, 2024

AliTech is now verified by Apple ®

Posted in About Hosting by AliTech, News on Sep 20, 2020 and updated on Mar 30, 2022

US Mother Sues AI Chatbot Maker After Son’s Tragic Death

Posted in News on Oct 24, 2024 and updated on Oct 24, 2024

Meet Autumn 2024 Alibaba Cloud MVPs: A Spotlight on Farhan Ali Shah

Posted in News on Oct 01, 2024 and updated on Oct 01, 2024

Top Best Web Hosting Services of 2024

Posted in About Hosting by AliTech, News on Sep 02, 2024 and updated on Sep 02, 2024

Webcam Hacking and Stalking: Myth or Reality?

Posted in News on Dec 25, 2024 and updated on Dec 25, 2024

Choosing an SEO-Friendly Domain Name

Posted in Uncategorized on Jul 30, 2024 and updated on Jul 30, 2024







Comments

Please sign in to comment!






Subscribe To Our Newsletter

Stay in touch with us to get latest news and discount coupons