A new variant of the Necro malware loader has infected over 11 million Android devices through malicious software development kits (SDKs) embedded in legitimate apps and modified versions of popular software. The Necro Trojan, discovered by Kaspersky, infiltrated devices through compromised apps on Google Play, including Wuta Camera and Max Browser, as well as through unofficial app mods, raising concerns over Android device security.
In a large-scale malware attack, a new version of the Necro Trojan was installed on more than 11 million Android devices via a supply chain attack involving malicious SDKs. This malware was embedded within legitimate apps and unofficial modified versions of popular software, spreading widely across Google Play and third-party platforms.
Kaspersky researchers identified that the Trojan infiltrated legitimate apps like Wuta Camera and Max Browser by integrating itself through advertising SDKs such as 'Coral SDK.' The malware used techniques such as obfuscation and image steganography to deliver its malicious payload, which included adware, subscription fraud tools and modules that allow remote code execution. Once infected, devices were used to display hidden ads, route malicious traffic and install unwanted applications without the user's knowledge.
The Wuta Camera app, with over 10 million downloads, was found to be infected between versions 6.3.2.148 and 6.3.6.148, with the Necro Trojan removed only in version 6.3.7.138. However, any devices using older versions of the app remain compromised. Similarly, the Max Browser app, which had 1 million downloads, was removed from Google Play entirely after it was discovered to still carry the malware in its latest version, 1.2.0.
Outside official app stores, the Necro Trojan was primarily distributed through modified versions of popular apps like WhatsApp and Spotify, as well as game mods for titles such as Minecraft and Stumble Guys. These mods, available on unofficial websites, facilitated the spread of the malware by promising users enhanced functionality and premium features. Once installed, the malware operated covertly in the background, generating fraudulent revenue by interacting with paid services and displaying hidden ads.
Google responded to Kaspersky’s report by stating that they are investigating the malicious apps found on Google Play. Security researchers recommend that users immediately uninstall infected versions of apps and avoid downloading software from unofficial sources. The Necro Trojan continues to pose a threat to Android users, particularly through supply chain attacks that compromise legitimate apps.
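For administrators acting on the uninstall recommendation, the following added example (not from Kaspersky's report or the original article) checks a device inventory against the affected versions stated above. The CSV layout, device names and matching by app display name are assumptions, since the article gives no package identifiers.

```python
import csv
import io

# Affected versions as stated in the article (inclusive bounds).
# The article names only 1.2.0 for Max Browser, so only that version is listed.
AFFECTED = {
    "Wuta Camera": ((6, 3, 2, 148), (6, 3, 6, 148)),
    "Max Browser": ((1, 2, 0), (1, 2, 0)),
}

def parse_version(text):
    """Turn '6.3.7.138' into (6, 3, 7, 138); return None if not purely numeric."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(app, version_text):
    """Return 'affected', 'ok', 'unparsed' or 'not-listed' for one inventory row."""
    if app not in AFFECTED:
        return "not-listed"
    version = parse_version(version_text)
    if version is None:
        return "unparsed"  # surface for manual review instead of assuming clean
    low, high = AFFECTED[app]
    # Tuple comparison is component-wise, so 6.3.7.138 sorts above 6.3.6.148
    # even though its last component is smaller.
    return "affected" if low <= version <= high else "ok"

def scan_inventory(csv_text):
    """Return (device, app, version, verdict) for rows needing attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = classify(row["app"], row["version"])
        if verdict in ("affected", "unparsed"):
            findings.append((row["device"], row["app"], row["version"], verdict))
    return findings

# Constructed sample inventory (hypothetical device names and column layout).
SAMPLE = """device,app,version
tablet-01,Wuta Camera,6.3.2.148
phone-02,Wuta Camera,6.3.7.138
phone-03,Wuta Camera,6.3.5.148
phone-04,Max Browser,1.2.0
phone-05,Wuta Camera,6.3.x-beta
phone-06,Notes,2.0
"""

if __name__ == "__main__":
    for finding in scan_inventory(SAMPLE):
        print(*finding, sep="\t")
```

Rows with a version string that cannot be parsed are reported rather than treated as clean, so a nonstandard build label does not hide an affected install.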