This Android Malware Has Infected More Than 11 Million Devices
From time to time , we hear about malicious Android apps making their way into the Play Store . However, the most recent discovery involves two Play Store apps containing a malicious Trojan that has affected more than 11 million Android devices. The same malware was found in unofficial applications, which means the number of victims here is most likely much higher.
Kaspersky Lab researchers have discovered a new version of the Necro Trojan, which attacks users from two sources: on the one hand, the Necro Trojan is distributed through legal applications distributed in the Google Play store. On the other hand, the attackers inserted their Trojan into modified applications, such as custom versions of Spotify and Minecraft, which users downloaded through unofficial means – otherwise known as sideloading.
Modified Applications
Kaspersky first investigated a modified Spotify app called Spotify Plus, which was advertised as a free offering of Spotify Premium features. Although the app claimed to be “security tested”, Kaspersky Lab’s analysis found that these claims were false and that the app allowed the Trojan to infect these devices. Researchers also discovered a Trojan in modified versions of WhatsApp – GBWhatsApp and FMWhatsApp.
Additionally, Kaspersky claims to have found Necro in a series of game mods. These include Minecraft, Stumble Guys, a multiplayer parking game, and Melon Sandbox.
Kaspersky emphasizes that it is impossible to say from these unofficial sources how many victims there are. All we can count is the number of downloads of the affected apps on the Play Store.
Applications from the Play Store
Of all the affected apps detected by Kaspersky on the Google Play Store, the Necro Trojan was found to have infected more than 11 million Android devices. The largest app in the series to date is the Wuta Camera app, which Kaspersky says has been downloaded more than 10 million times. The application was not always malicious: researchers claim that the Trojan first appeared in version 6.3.2.148 of the application. It has since been removed, so the app is now safe to download.
Max Browser also contained a Trojan and was downloaded over a million times. The first version of this application to contain a Trojan was version 1.2.0, but after Kaspersky reported the application, Google completely removed Max Browser from its app store.
What does Necro do?
The Necro malware installed on your device can perform a number of functions. As explained by BleepingComputer , Necro payloads can activate malicious plugins to launch adware that opens links with invisible windows; programs that run various scripts; programs for activating fraudulent subscriptions; and tools that route malicious traffic through your device.
Essentially, your unofficial app download, or official download in the case of Max Browser and Wuta Camera, makes money for the attackers as you unintentionally open ads and run fraudulent subscriptions in the background.
How to protect your device
The first thing you need to do is scan your Android phone for any of the Play Store apps mentioned above. If you have Wuta Camera, be sure to update the app immediately or delete it from your phone. If you have Max Browser installed, uninstall it: there is no safe version of this application.
Also, uninstall any modified apps mentioned in this article if you have them installed on your smartphone and be vigilant about unofficial downloads. Sideloading apps certainly opens up more apps than are contained in the Play Store, but since there are fewer checks and rules, you run the risk of downloading something malicious.