UPDATED 18:45 EDT / SEPTEMBER 23 2024

SECURITY

Necro malware infects 11M+ Android devices via Google Play apps

A new version of Necro, a family of Android malware first seen in 2019, has been installed on at least 11 million devices through apps distributed via the Google Play store.

Discovered by researchers at Kaspersky Lab Inc., the malware was installed on Android devices through malicious advertising software development kits used by apps on Google Play, along with game modifications and modified versions of popular applications and games available through unofficial app stores.

One of the infected apps, called Wuta Camera, was downloaded more than 10 million times from Google Play. Another app, Max Browser, had more than 1 million downloads from Google’s official store. Both of the infected versions of the apps have since been removed by Google.

In both cases, the apps are said by the Kaspersky researchers to have been infected through an advertising SDK called “Coral SDK” that used obfuscation to hide its malicious activity. The SDK then fetches a second-stage payload, “shellPlugin,” which is hidden by steganography inside what looks like a harmless image file.
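As an added illustration (not Kaspersky's analysis, and not a claim about Necro's exact encoding, which this article does not describe), the following Python shows the simplest ways a payload can ride inside an image that still opens normally, and the structural checks a scanner can run over image files an app ships or downloads. The PNG bytes, chunk names and payload blob are constructed for the example.

```python
"""Added example: spotting a payload carried inside a PNG container.

Not Kaspersky's code and not Necro's exact encoding. It shows the simplest
carriers (bytes appended after IEND, or stuffed into a non-standard chunk)
and the checks that expose them. Sample PNGs are constructed inline.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
    b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
    b"hIST", b"tIME",
}
# Constructed stand-in for a second-stage blob; a real one would be far larger.
SAMPLE_PAYLOAD = b"PK\x03\x04" + b"\x00" * 12 + b"hypothetical-plugin/classes.dex"


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(extra_chunks: tuple[bytes, ...] = ()) -> bytes:
    """Minimal valid 1x1 RGB PNG, optionally with extra chunks before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 8-bit RGB, no interlace
    scanline = b"\x00" + b"\x00\x00\x00"                 # filter byte + one black pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanline))
            + b"".join(extra_chunks) + png_chunk(b"IEND", b""))


def scan_png(data: bytes) -> dict:
    """Walk the chunk list and report what a harmless image should not have."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    report = {"chunks": [], "bad_crc": [], "nonstandard": [],
              "trailing": b"", "truncated": False}
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_bytes) < 4:
            report["truncated"] = True
            break
        name = ctype.decode("latin-1")
        report["chunks"].append(name)
        if struct.unpack(">I", crc_bytes)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            report["bad_crc"].append(name)        # decoder-tolerated but not a clean write
        if ctype not in STANDARD_CHUNKS:
            report["nonstandard"].append(name)    # private chunk: arbitrary bytes, ignored by decoders
        pos += 12 + length
        if ctype == b"IEND":
            break
    if "IEND" not in report["chunks"]:
        report["truncated"] = True
    report["trailing"] = data[pos:]               # anything after IEND is not image data
    report["suspicious"] = bool(report["bad_crc"] or report["nonstandard"]
                                or report["trailing"] or report["truncated"])
    return report


def demo() -> dict:
    """Clean image vs. two carriers: appended payload, and payload in a private chunk."""
    return {
        "clean": scan_png(make_png())["suspicious"],
        "appended": scan_png(make_png() + SAMPLE_PAYLOAD)["suspicious"],
        "in_chunk": scan_png(make_png((png_chunk(b"prIV", SAMPLE_PAYLOAD),)))["suspicious"],
    }


if __name__ == "__main__":
    print(demo())
```

Both carriers decode as an ordinary 1x1 image, which is why an image resource draws no attention in review. The caveat is the other direction: a payload hidden in the pixel values themselves lives inside a well-formed IDAT and passes every check above, so this scan is a cheap first pass, not a substitute for flagging any SDK that decodes an image and then loads code from the result.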

Once an Android device is infected, the malware displays ads in invisible windows and clicks on them itself, downloads executable files, installs third-party applications and opens arbitrary links in invisible windows to execute JavaScript. It can also subscribe users to paid services without their knowledge and route internet traffic through infected devices, using them as proxies.

Katie Teitler-Santullo, cybersecurity strategist at application security posture management company OX Appsec Security Ltd., told SiliconANGLE via email that “while users have no control over what SDKs are used in apps, developers of the apps can, indeed, check to make sure the SDK hasn’t been tampered with.”

“For instance, developers should check to see if the SDK has been signed with a valid certificate and comes from a trusted source,” Teitler-Santullo said. “Scanning source code for malicious content and unauthorized access helps developers identify whether the code has been altered or is vulnerable to exploit.”

She added that “it’s always best practice for AppSec teams to conduct various other types of scanning including SAST, DAST, dependency and vulnerability, both to find issues before apps are deployed and during runtime.”
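One concrete form of the tamper check Teitler-Santullo describes, written here as an added example (it is not OX Security's or the article's code): record a SHA-256 for every third-party SDK artifact at review time and fail the build when a resolved .aar or .jar no longer matches, is missing, or was never pinned. Signature verification is the other half of her advice and is not implemented here; in a real Android build both halves are covered by Gradle's built-in dependency verification (gradle/verification-metadata.xml), which this script only mirrors. Artifact names and contents are constructed in a temporary directory.

```python
"""Added example: fail the build when a third-party SDK artifact does not match its pin.

Not OX Security's or the article's code. Implements the checksum half of
'has the SDK been tampered with' over resolved .aar/.jar files; Gradle's
dependency verification does this (plus PGP) natively and is what to use
in production. Artifacts below are constructed, not real SDKs.
"""
import hashlib
import tempfile
from pathlib import Path

ARTIFACT_SUFFIXES = {".aar", ".jar"}


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large AARs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def verify_artifacts(artifact_dir: Path, pins: dict[str, str]) -> dict[str, list[str]]:
    """Compare every artifact in artifact_dir against the pinned SHA-256 values.

    'mismatch' is the tampered or substituted case; 'unpinned' catches an SDK
    that appeared without review; 'missing' catches a pin whose file vanished.
    """
    present = {p.name: p for p in artifact_dir.iterdir()
               if p.is_file() and p.suffix in ARTIFACT_SUFFIXES}
    result: dict[str, list[str]] = {
        "ok": [], "mismatch": [], "missing": [],
        "unpinned": sorted(set(present) - set(pins)),
    }
    for name, expected in sorted(pins.items()):
        path = present.get(name)
        if path is None:
            result["missing"].append(name)
        elif sha256_file(path) == expected.lower():
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    return result


def gate(result: dict[str, list[str]]) -> bool:
    """True only when every artifact is pinned, present and unchanged."""
    return not (result["mismatch"] or result["missing"] or result["unpinned"])


# Constructed artifact contents (a real AAR is a zip; only the bytes matter here).
TRUSTED_ADS_SDK = b"PK\x03\x04 ads-sdk 1.0 as reviewed"
TRUSTED_UTIL = b"PK\x03\x04 util 2.3 as reviewed"
TAMPERED_ADS_SDK = TRUSTED_ADS_SDK + b" plus a dropper class"

# Pins recorded when the SDKs were reviewed (hypothetical artifact names).
PINS = {
    "ads-sdk-1.0.aar": hashlib.sha256(TRUSTED_ADS_SDK).hexdigest(),
    "util-2.3.jar": hashlib.sha256(TRUSTED_UTIL).hexdigest(),
}


def demo() -> dict[str, list[str]]:
    """Simulate a build where one SDK was swapped and one appeared unreviewed."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "ads-sdk-1.0.aar").write_bytes(TAMPERED_ADS_SDK)           # same name, new bytes
        (d / "util-2.3.jar").write_bytes(TRUSTED_UTIL)                   # unchanged
        (d / "unreviewed-sdk-0.9.aar").write_bytes(b"PK\x03\x04 never reviewed")
        return verify_artifacts(d, PINS)


if __name__ == "__main__":
    r = demo()
    print(r, "BUILD OK" if gate(r) else "BUILD BLOCKED")
```

The point of pinning by hash rather than by version string is that a substituted artifact of the same name and version, which is exactly how a trojanized SDK arrives, is caught before it is linked into the app; the unpinned bucket is the review gate for any SDK a developer pulls in without going through that process.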

Image: SiliconANGLE/Ideogram
