InfoSecBulletin Cybersecurity for mankind
Kaspersky security researchers discovered a new version of the Necro malware that has infected over 11 million devices via Google Play and unofficial app sources. This complex multi-stage loader uses advanced methods such as steganography and obfuscation to avoid detection, demonstrating the increasing threats in mobile security.
The Necro Trojan has returned with improved capabilities, infiltrating Android devices via legitimate apps on Google Play and altered versions of popular apps from unofficial sources.
NVIDIA Releases Security Update For GPU Driver Vulnerabilities
‘SessionShark’ ToolKit Bypasses Microsoft Office 365 MFA
159 CVEs Exploited in Q1 2025 : 28.3% Within 24 Hours of Disclosure
NVIDIA NeMo Framework Vuln Allow Attackers RCE
Cisco Issued Urgent Security Advisories For Multiple Products
SonicWall patched SSLVPN Vuln Allowing Firewall Crashing
GitLab Releases Security Update For Multiple Vulns
ISPAB president “whatsapp” got hacked via phishing link
Zyxel released patches 2 vulns in its USG FLEX H series firewalls
South Korea’s largest SK Telecom Hit by Malware: SIM-related info leaked
On Google Play, two apps were identified as carriers of the Necro loader:
Wuta Camera: Benqu’s photo editing tool, with over 10 million downloads, contained malware in versions 6.3.2.148 to 6.3.6.148. Although Google removed the malicious code in version 6.3.7.138, users of earlier versions may still be vulnerable.
Max Browser: Launched by “WA message recover-wamr,” this web browser reached 1 million downloads before being removed from Google Play. Kaspersky warns that the latest version, 1.2.0, still has the Necro loader and recommends users uninstall it right away.
The infection in these legitimate apps was caused by a malicious advertising SDK called “Coral SDK.” It used obfuscation to hide its actions and steganography to download harmful files disguised as regular PNG images.
Necro has spread through modified versions of popular apps, called “mods,” which offer extra features and premium access. These unofficial versions are found on third-party websites. Notable examples include:
WhatsApp mods: “GBWhatsApp” and “FMWhatsApp,” offering improved privacy controls and extended file-sharing capabilities.
Spotify mod: “Spotify Plus,” claiming to provide free access to premium, ad-free services.
Game mods: Modified versions of Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox.
Kaspersky’s data shows that from August 26 to September 15, 2024, their security solutions blocked over 10,000 Necro attacks worldwide, with the most incidents occurring in Russia, Brazil, and Vietnam.
The widespread infection and sophisticated techniques employed by Necro underscore the importance of vigilant cybersecurity practices for Android users. To protect against this and similar threats, experts recommend:
Google has acknowledged the reports about the infected apps and stated that they are investigating the matter. Android users should stay updated on potential threats and secure their devices.
