InfoSecBulletin Cybersecurity for mankind
Kaspersky security researchers discovered a new version of the Necro malware that has infected over 11 million devices via Google Play and unofficial app sources. This complex multi-stage loader uses advanced methods such as steganography and obfuscation to avoid detection, demonstrating the increasing threats in mobile security.
The Necro Trojan has returned with improved capabilities, infiltrating Android devices via legitimate apps on Google Play and altered versions of popular apps from unofficial sources.
CISA Flags Craft CMS Code Injection Flaw Amid Active Attacks
B1ack’s Stash Releases 1 Million Credit Cards on a Deep Web Forum
Cisco Confirms
Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks
AWS Key Hunter
Test this free automated tool to hunt for exposed AWS secrets
Check Point Flaw Used to Deploy ShadowPad and Ransomware
CVE-2024-12284
Citrix Issues Security Update for NetScaler Console
CISA and FBI ALERT
Ghost ransomware to breach organizations in 70 countries
Hacker chains multiple vulns to attack Palo Alto Firewall
150 Gov.t Portal affected
Black-Hat SEO Poisoning Indian “.gov.in, .ac.in” domain
CVE-2018-19410 Exposes 600 PRTG Instances in Bangladesh
On Google Play, two apps were identified as carriers of the Necro loader:
Wuta Camera: Benqu’s photo editing tool, with over 10 million downloads, contained malware in versions 6.3.2.148 to 6.3.6.148. Although Google removed the malicious code in version 6.3.7.138, users of earlier versions may still be vulnerable.
Max Browser: Launched by “WA message recover-wamr,” this web browser reached 1 million downloads before being removed from Google Play. Kaspersky warns that the latest version, 1.2.0, still has the Necro loader and recommends users uninstall it right away.
The infection in these legitimate apps was caused by a malicious advertising SDK called “Coral SDK.” It used obfuscation to hide its actions and steganography to download harmful files disguised as regular PNG images.
Necro has spread through modified versions of popular apps, called “mods,” which offer extra features and premium access. These unofficial versions are found on third-party websites. Notable examples include:
WhatsApp mods: “GBWhatsApp” and “FMWhatsApp,” offering improved privacy controls and extended file-sharing capabilities.
Spotify mod: “Spotify Plus,” claiming to provide free access to premium, ad-free services.
Game mods: Modified versions of Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox.
Kaspersky’s data shows that from August 26 to September 15, 2024, their security solutions blocked over 10,000 Necro attacks worldwide, with the most incidents occurring in Russia, Brazil, and Vietnam.
The widespread infection and sophisticated techniques employed by Necro underscore the importance of vigilant cybersecurity practices for Android users. To protect against this and similar threats, experts recommend:
Google has acknowledged the reports about the infected apps and stated that they are investigating the matter. Android users should stay updated on potential threats and secure their devices.
