InfoSecBulletin Cybersecurity for mankind
Kaspersky security researchers discovered a new version of the Necro malware that has infected over 11 million devices via Google Play and unofficial app sources. This complex multi-stage loader uses advanced methods such as steganography and obfuscation to avoid detection, demonstrating the increasing threats in mobile security.
The Necro Trojan has returned with improved capabilities, infiltrating Android devices via legitimate apps on Google Play and altered versions of popular apps from unofficial sources.
Qualcomm Patches 3 Zero-Days Used in Targeted Android Attacks
Critical RCE Flaw Patched in Roundcube Webmail
Hacker claim Leak of Deloitte Source Code & GitHub Credentials
CISA Issued Guidance for SIEM and SOAR Implementation
Linux flaws enable password hash theft via core dumps in Ubuntu, RHEL, Fedora
Australia enacts mandatory ransomware payment reporting
Why Govt Demands Foreign CCTV Firms to Submit Source Code?
CVE-2023-39780
Botnet hacks thousands of ASUS routers
Bangladesh Bank instructed using AI to prevent online gambling
251 Amazon-Hosted IPs Used in Exploit Scan for ColdFusion, Struts, and Elasticsearch
On Google Play, two apps were identified as carriers of the Necro loader:
Wuta Camera: Benqu’s photo editing tool, with over 10 million downloads, contained malware in versions 6.3.2.148 to 6.3.6.148. Although Google removed the malicious code in version 6.3.7.138, users of earlier versions may still be vulnerable.
Max Browser: Launched by “WA message recover-wamr,” this web browser reached 1 million downloads before being removed from Google Play. Kaspersky warns that the latest version, 1.2.0, still has the Necro loader and recommends users uninstall it right away.
The infection in these legitimate apps was caused by a malicious advertising SDK called “Coral SDK.” It used obfuscation to hide its actions and steganography to download harmful files disguised as regular PNG images.
Necro has spread through modified versions of popular apps, called “mods,” which offer extra features and premium access. These unofficial versions are found on third-party websites. Notable examples include:
WhatsApp mods: “GBWhatsApp” and “FMWhatsApp,” offering improved privacy controls and extended file-sharing capabilities.
Spotify mod: “Spotify Plus,” claiming to provide free access to premium, ad-free services.
Game mods: Modified versions of Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox.
Kaspersky’s data shows that from August 26 to September 15, 2024, their security solutions blocked over 10,000 Necro attacks worldwide, with the most incidents occurring in Russia, Brazil, and Vietnam.
The widespread infection and sophisticated techniques employed by Necro underscore the importance of vigilant cybersecurity practices for Android users. To protect against this and similar threats, experts recommend:
Google has acknowledged the reports about the infected apps and stated that they are investigating the matter. Android users should stay updated on potential threats and secure their devices.
