The Necro trojan was first discovered in the year 2019 but it looks like it’s still working its way into apps. Two popular platforms on Google Play with a combined total of 11M downloads were said to be infected by this trojan.
Thanks to a new report by Kaspersky which shed more light on the matter, the multi-stage loader is back after infecting the popular CamScanner. During that time it was first identified, it was said to infect millions of devices.
This is why experts are now raising the alarm about how it’s making the rounds again and infecting more apps on Google Play. This includes games found through unofficial sources.
One of the platforms called Wuta Camera was installed more than 10M times. Another platform called Max Browser has more than 1M downloads from the app store. Meanwhile, the infected variants of both apps were both confirmed as being deleted by Google, report confirmed.
The Wuta Camera was downloaded nearly 10M times and then another called Max Browser has close to 1M downloads from the official app store. These infected variants of both platforms were deleted from the Play Store.
The malware was said to be hiding inside unofficial mods for apps such as WhatsApp and Spotify. It was also alarming to see it inside Minecraft, Car Parking, Stumble Guys, and Melon Sandbox games.
The form explained how its presence inside apps arriving through different sources could be explained through untrusted solutions for advertisement additions, thanks to the developers of these platforms.
The infected Spotify mod featured an SDK for incorporating several ad modules and one that sent C&C server and receiver payloads hidden inside pictures.
On the other hand, the loader inside the infected WhatsApp mod made use of other cloud services such as those seen on Google’s Firebase Remote config.
In both situations, the victim’s devices are infected with trojans featuring all kinds of characteristics linked to the Necro family and similar options for payload structures.
The one that was recently highlighted by Kaspersky can install modules on infected devices that portray ads across invisible windows. Similarly, it can install execution files and download third-party apps.
Other features that the malware is capable of include subscriptions to paid services through proxies.
Read next: Cloudflare Rolls Out New Set of AI Tools That Stops Unauthorized Scraping By AI Crawlers
Thanks to a new report by Kaspersky which shed more light on the matter, the multi-stage loader is back after infecting the popular CamScanner. During that time it was first identified, it was said to infect millions of devices.
This is why experts are now raising the alarm about how it’s making the rounds again and infecting more apps on Google Play. This includes games found through unofficial sources.
One of the platforms called Wuta Camera was installed more than 10M times. Another platform called Max Browser has more than 1M downloads from the app store. Meanwhile, the infected variants of both apps were both confirmed as being deleted by Google, report confirmed.
The Wuta Camera was downloaded nearly 10M times and then another called Max Browser has close to 1M downloads from the official app store. These infected variants of both platforms were deleted from the Play Store.
The malware was said to be hiding inside unofficial mods for apps such as WhatsApp and Spotify. It was also alarming to see it inside Minecraft, Car Parking, Stumble Guys, and Melon Sandbox games.
The form explained how its presence inside apps arriving through different sources could be explained through untrusted solutions for advertisement additions, thanks to the developers of these platforms.
The infected Spotify mod featured an SDK for incorporating several ad modules and one that sent C&C server and receiver payloads hidden inside pictures.
On the other hand, the loader inside the infected WhatsApp mod made use of other cloud services such as those seen on Google’s Firebase Remote config.
In both situations, the victim’s devices are infected with trojans featuring all kinds of characteristics linked to the Necro family and similar options for payload structures.
The one that was recently highlighted by Kaspersky can install modules on infected devices that portray ads across invisible windows. Similarly, it can install execution files and download third-party apps.
Other features that the malware is capable of include subscriptions to paid services through proxies.
Read next: Cloudflare Rolls Out New Set of AI Tools That Stops Unauthorized Scraping By AI Crawlers
