InfoSecBulletin Cybersecurity for mankind
Kaspersky security researchers discovered a new version of the Necro malware that has infected over 11 million devices via Google Play and unofficial app sources. This complex multi-stage loader uses advanced methods such as steganography and obfuscation to avoid detection, demonstrating the increasing threats in mobile security.
The Necro Trojan has returned with improved capabilities, infiltrating Android devices via legitimate apps on Google Play and altered versions of popular apps from unofficial sources.
Hackers Bypass Gmail MFA With App-Specific Password Reuse
Russia detects first SuperCard malware attacks via NFC
Income Property Investments exposes 170,000+ Individuals record
ALERT (CVE: 2023-28771)
Zyxel Firewalls Under Attack via CVE-2023-28771 by 244 IPs
CISA Flags Active Exploits in Apple iOS and TP-Link Routers
10K Records Allegedly from Mac Cloud Provider’s Customers Leaked Online
Canada 2nd largest airlines “WestJet” investigates cyberattack disrupting internal systems
Paraguay 7.4 Million Citizen Records Leaked on Dark Web
High-Severity Flaw in HashiCorp Nomad Allows Privilege Escalation
SoftBank: Over 137,000 personal info leaked
On Google Play, two apps were identified as carriers of the Necro loader:
Wuta Camera: Benqu’s photo editing tool, with over 10 million downloads, contained malware in versions 6.3.2.148 to 6.3.6.148. Although Google removed the malicious code in version 6.3.7.138, users of earlier versions may still be vulnerable.
Max Browser: Launched by “WA message recover-wamr,” this web browser reached 1 million downloads before being removed from Google Play. Kaspersky warns that the latest version, 1.2.0, still has the Necro loader and recommends users uninstall it right away.
The infection in these legitimate apps was caused by a malicious advertising SDK called “Coral SDK.” It used obfuscation to hide its actions and steganography to download harmful files disguised as regular PNG images.
Necro has spread through modified versions of popular apps, called “mods,” which offer extra features and premium access. These unofficial versions are found on third-party websites. Notable examples include:
WhatsApp mods: “GBWhatsApp” and “FMWhatsApp,” offering improved privacy controls and extended file-sharing capabilities.
Spotify mod: “Spotify Plus,” claiming to provide free access to premium, ad-free services.
Game mods: Modified versions of Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox.
Kaspersky’s data shows that from August 26 to September 15, 2024, their security solutions blocked over 10,000 Necro attacks worldwide, with the most incidents occurring in Russia, Brazil, and Vietnam.
The widespread infection and sophisticated techniques employed by Necro underscore the importance of vigilant cybersecurity practices for Android users. To protect against this and similar threats, experts recommend:
Google has acknowledged the reports about the infected apps and stated that they are investigating the matter. Android users should stay updated on potential threats and secure their devices.
