Saturday, September 28 2024

Android malware ‘Necro’ infects 11 million users via Google Play

Kaspersky security researchers discovered a new version of the Necro malware that has infected over 11 million devices via Google Play and unofficial app sources. This complex multi-stage loader uses advanced methods such as steganography and obfuscation to avoid detection, demonstrating the increasing threats in mobile security.

The Necro Trojan has returned with improved capabilities, infiltrating Android devices via legitimate apps on Google Play and altered versions of popular apps from unofficial sources.

On Google Play, two apps were identified as carriers of the Necro loader:

Wuta Camera: Benqu’s photo editing tool, with over 10 million downloads, contained malware in versions 6.3.2.148 to 6.3.6.148. Although Google removed the malicious code in version 6.3.7.138, users of earlier versions may still be vulnerable.

Max Browser: Launched by “WA message recover-wamr,” this web browser reached 1 million downloads before being removed from Google Play. Kaspersky warns that the latest version, 1.2.0, still has the Necro loader and recommends users uninstall it right away.
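
A fleet check for the two Google Play apps and the version ranges listed above, as an added example that is not from Kaspersky or the original article. The inventory format (device, app label, version) and the sample rows are constructed, and flagging every Max Browser version is an assumption based on the advice to uninstall it.

```python
import csv
import io

# Affected ranges as stated in the article (inclusive bounds).
# Max Browser: the article confirms the loader in 1.2.0 and advises uninstalling,
# so every version is flagged here (assumption).
AFFECTED = {
    "Wuta Camera": ((6, 3, 2, 148), (6, 3, 6, 148), "update to 6.3.7.138 or later"),
    "Max Browser": (None, None, "uninstall"),
}

# Constructed sample inventory export; not real data.
SAMPLE = """device,app,version
tab-01,Wuta Camera,6.3.4.148
tab-02,Wuta Camera,6.3.7.138
ph-03,Max Browser,1.2.0
ph-04,Wuta Camera,6.3.1.148
ph-05,Wuta Camera,unknown
"""

def parse_version(text):
    """Turn '6.3.4.148' into (6, 3, 4, 148); return None if not purely numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(inventory_csv):
    """Return (device, app, version, action) for every row needing attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        rule = AFFECTED.get(row["app"].strip())
        if rule is None:
            continue  # app is not one of the two named in the article
        low, high, action = rule
        version = parse_version(row["version"])
        if version is None:
            # Unparseable version on a watched app: escalate instead of passing silently.
            findings.append((row["device"], row["app"], row["version"], "verify manually"))
        elif low is None or low <= version <= high:
            findings.append((row["device"], row["app"], row["version"], action))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```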

The infection in these legitimate apps was caused by a malicious advertising SDK called “Coral SDK.” It used obfuscation to hide its actions and steganography to download harmful files disguised as regular PNG images.

Necro has also spread through modified versions of popular apps, called “mods,” which offer extra features and premium access. These unofficial versions are found on third-party websites. Notable examples include:

WhatsApp mods: “GBWhatsApp” and “FMWhatsApp,” offering improved privacy controls and extended file-sharing capabilities.

Spotify mod: “Spotify Plus,” claiming to provide free access to premium, ad-free services.

Game mods: Modified versions of Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox.

Kaspersky’s data shows that from August 26 to September 15, 2024, their security solutions blocked over 10,000 Necro attacks worldwide, with the most incidents occurring in Russia, Brazil, and Vietnam.

The widespread infection and sophisticated techniques employed by Necro underscore the importance of vigilant cybersecurity practices for Android users. To protect against this and similar threats, experts recommend:

Google has acknowledged the reports about the infected apps and stated that they are investigating the matter. Android users should stay updated on potential threats and secure their devices.