Infected Applications and Their Impact
A new iteration of Necro malware, which first surfaced in 2019, has recently been identified on at least 11 million devices. This alarming discovery was made by researchers at Kaspersky Lab Inc., who found that the malware infiltrated Android devices via applications distributed through the Google Play store. The infiltration occurred through malicious advertising software development kits (SDKs) embedded in various apps, as well as through game modifications and altered versions of popular applications available in unofficial app stores.
Among the compromised applications was Wuta Camera, which has been downloaded over 10 million times from Google Play. Another affected app, Max Browser, boasted more than 1 million downloads. Both applications have since been removed from the platform by Google. Kaspersky’s research indicates that these apps were infected through an advertising SDK known as “Coral SDK,” which employed obfuscation techniques to conceal its malicious activities.
The malware’s second-stage payload utilizes image steganography through a component called “shellPlugin,” masquerading as an innocuous image. Once an Android device falls victim to the malware, it engages in a series of covert activities: displaying ads in invisible windows, automatically clicking on them, downloading executable files, installing third-party applications, and opening arbitrary links in hidden windows to execute JavaScript. The malware also has the capability to subscribe users to paid services without their consent and reroute internet traffic through the infected devices, effectively using them as proxies.
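The article says the second-stage payload arrives disguised as an image but does not describe how the bytes are hidden. As an added illustration (not code from the article or from Kaspersky), the following Python walks the chunk structure of a PNG container and flags the two structural hiding places a triage analyst checks first: data appended after the IEND chunk and non-standard private chunks, plus CRC mismatches that indicate a chunk was edited after the fact. The sample images are constructed in `build_png`; a payload hidden inside the pixel data itself (true steganography) will not be caught by this check, which is why the usage note below pairs it with a known-good hash.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification and its registered extensions.
STANDARD_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME", "eXIf",
}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png(extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Build a valid 1x1 RGB PNG (a constructed sample), optionally with extra
    chunks inserted before IEND and bytes appended after it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, RGB
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")      # filter byte + one black pixel
    out = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, body in extra_chunks:
        out += _chunk(ctype, body)
    return out + _chunk(b"IEND", b"") + trailer


def parse_chunks(data: bytes):
    """Return ([(type, body, crc_ok), ...], offset just past the IEND chunk)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError("truncated chunk at offset %d" % pos)
        crc_ok = struct.unpack(">I", crc_bytes)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype.decode("latin-1"), body, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("no IEND chunk found")


def inspect_png(data: bytes) -> list:
    """Flag structural places where a payload could be hidden in a PNG.

    Returns a list of human-readable findings; an empty list means the
    container is structurally clean (pixel-level steganography is not checked).
    """
    chunks, end = parse_chunks(data)
    findings = []
    if len(data) > end:
        trailing = data[end:]
        # Anything after IEND is ignored by image decoders but is still carried
        # inside the file, which makes it a common place to park a second stage.
        findings.append(f"{len(trailing)} trailing bytes after IEND (magic {trailing[:4]!r})")
    for ctype, body, crc_ok in chunks:
        if not crc_ok:
            findings.append(f"CRC mismatch in {ctype}")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype} ({len(body)} bytes)")
    return findings


if __name__ == "__main__":
    print("clean:", inspect_png(build_png()))
    print("trailer:", inspect_png(build_png(trailer=b"<constructed hidden blob>")))
    print("private chunk:", inspect_png(build_png(extra_chunks=[(b"pRIV", b"x" * 40)])))
```

In practice, run this over the image assets bundled inside an app or SDK package and treat any finding as a reason to diff the file against the one shipped by the SDK vendor; pair it with a hash of the known-good asset so that a payload hidden in the pixel values, which this structural check cannot see, still shows up as a changed file.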
Expert Insights on Prevention
Katie Teitler-Santullo, a cybersecurity strategist at OX Appsec Security Ltd., emphasized the importance of vigilance among app developers. In an email to SiliconANGLE, she noted, “While users have no control over what SDKs are used in apps, developers can indeed verify that the SDK hasn’t been tampered with.”
Teitler-Santullo advised developers to ensure that SDKs are signed with valid certificates and sourced from trusted providers. She also highlighted the necessity of scanning source code for malicious content and unauthorized access, which can help identify whether the code has been altered or is susceptible to exploitation. “It’s always best practice for AppSec teams to conduct various types of scanning, including SAST, DAST, dependency, and vulnerability assessments, both to uncover issues prior to deployment and during runtime,” she added.
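The advice above to verify that an SDK has not been tampered with comes down to comparing what the build pulls in against what was actually reviewed. The following Python is an added example (not code from the article, from Kaspersky, or from OX Security) of that gate: every third-party artifact in a build is checked against a pinned SHA-256 of the reviewed version, and a release is blocked on any mismatch, on any artifact nobody pinned, and on any pinned artifact that has gone missing. The artifact names and bytes are constructed for the example.

```python
import hashlib


def sha256_hex(blob: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes, the value that gets pinned."""
    return hashlib.sha256(blob).hexdigest()


def verify_sdk_artifacts(artifacts: dict, pinned: dict) -> dict:
    """Compare every shipped artifact against the pinned digest of the build
    that was reviewed.

    artifacts: {file name: bytes actually present in the build}
    pinned:    {file name: hex SHA-256 recorded when the SDK was reviewed}
    Returns    {file name: "ok" | "mismatch" | "unpinned" | "missing"}
    """
    report = {}
    for name, blob in artifacts.items():
        expected = pinned.get(name)
        if expected is None:
            report[name] = "unpinned"      # present in the build, never reviewed
        elif sha256_hex(blob) != expected.lower():
            report[name] = "mismatch"      # content differs from the reviewed build
        else:
            report[name] = "ok"
    for name in pinned.keys() - artifacts.keys():
        report[name] = "missing"           # reviewed artifact silently dropped or renamed
    return report


def release_allowed(report: dict) -> bool:
    """The build may ship only if every artifact is known and unchanged."""
    return bool(report) and all(status == "ok" for status in report.values())


# Constructed sample: the bytes of the SDK build that went through review,
# and the pin recorded for it (file name and contents are placeholders).
REVIEWED_ADS_SDK = b"constructed reviewed ads-sdk-1.2.3.aar bytes"
PINNED = {"ads-sdk-1.2.3.aar": sha256_hex(REVIEWED_ADS_SDK)}


if __name__ == "__main__":
    good = verify_sdk_artifacts({"ads-sdk-1.2.3.aar": REVIEWED_ADS_SDK}, PINNED)
    print(good, release_allowed(good))
    swapped = verify_sdk_artifacts(
        {"ads-sdk-1.2.3.aar": REVIEWED_ADS_SDK + b"\x00", "helper.jar": b"unreviewed"},
        PINNED,
    )
    print(swapped, release_allowed(swapped))
```

For an Android project this is the same check that Gradle's built-in dependency verification performs from `gradle/verification-metadata.xml` (generated with `./gradlew --write-verification-metadata sha256`), and `jarsigner -verify` covers the separate question of whether a signed AAR or JAR still carries a valid signature from the provider; the point of the example is that a pin must be taken from a build someone actually reviewed, not from whatever the resolver downloaded last.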