Emerging Threats in Mobile Security
Modified builds of well-known Android applications, among them versions of Spotify, WhatsApp, and Minecraft, have been identified as carriers of a new iteration of the Necro malware loader. Kaspersky reports that two of the carrier apps were published on the Google Play Store itself, with a combined total of roughly 11 million downloads:
- Wuta Camera – Nice Shot Always (com.benqu.wuta) – 10+ million downloads
- Max Browser – Private & Security (com.max.browser) – 1+ million downloads
At the time of writing, Max Browser has been removed from the Play Store, while Wuta Camera received an update (version 6.3.7.138) intended to remove the malicious code; a subsequent build, 6.3.8.148, was released on September 8, 2024.
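A practical follow-up for anyone managing Android fleets is to check device inventories against the two package names above. The script below is an added example (not Kaspersky's or Google's tooling): it parses the text of `adb shell pm list packages` and `adb shell dumpsys package <pkg>`, flags any install of com.max.browser, and flags Wuta Camera builds older than 6.3.7.138, the first build the report describes as cleaned. The page does not establish which earlier Wuta builds carried the loader, so older builds are reported as "suspect" for review rather than as confirmed infections; the sample device output embedded below is constructed.

```python
"""Triage an Android package inventory against the two Play Store packages
named in the Kaspersky Necro report.  Added example, not vendor tooling.
Input is the text of `adb shell pm list packages` and
`adb shell dumpsys package <pkg>`; the sample output below is constructed."""
import re
import subprocess

# Package names and the first cleaned Wuta Camera build, taken from the report.
NECRO_PACKAGES = {
    "com.benqu.wuta": "6.3.7.138",   # builds from this versionName on are cleaned
    "com.max.browser": None,         # pulled from Play; any install is suspect
}


def parse_version(v):
    """'6.3.7.138' -> (6, 3, 7, 138); non-numeric components compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def installed_packages(pm_output):
    """Parse `pm list packages` lines of the form 'package:com.foo'."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines()
            if line.startswith("package:")}


def version_name(dumpsys_output):
    """Pull versionName=... out of `dumpsys package` output, or None."""
    m = re.search(r"versionName=(\S+)", dumpsys_output)
    return m.group(1) if m else None


def triage(pm_output, dumpsys_by_pkg):
    """Return findings as (package, versionName, verdict) tuples."""
    findings = []
    present = installed_packages(pm_output)
    for pkg, clean_from in NECRO_PACKAGES.items():
        if pkg not in present:
            continue
        ver = version_name(dumpsys_by_pkg.get(pkg, ""))
        if clean_from is None:
            verdict = "suspect: package pulled from Play Store"
        elif ver is None:
            verdict = "unknown: no versionName in dumpsys output"
        elif parse_version(ver) < parse_version(clean_from):
            verdict = f"suspect: older than cleaned build {clean_from}"
        else:
            verdict = "likely clean: at or above cleaned build"
        findings.append((pkg, ver, verdict))
    return findings


def collect_from_device():
    """Gather the same two inputs from a connected device over adb."""
    pm = subprocess.run(["adb", "shell", "pm", "list", "packages"],
                        capture_output=True, text=True, check=True).stdout
    dumps = {}
    for pkg in NECRO_PACKAGES:
        r = subprocess.run(["adb", "shell", "dumpsys", "package", pkg],
                           capture_output=True, text=True)
        dumps[pkg] = r.stdout
    return pm, dumps


# Constructed sample output standing in for a real device.
SAMPLE_PM = ("package:com.android.chrome\n"
             "package:com.benqu.wuta\n"
             "package:com.max.browser\n")
SAMPLE_DUMPSYS = {
    "com.benqu.wuta": ("Packages:\n  Package [com.benqu.wuta] (1a2b3c):\n"
                       "    versionCode=63060 minSdk=21\n"
                       "    versionName=6.3.6.120\n"),
    "com.max.browser": ("Packages:\n  Package [com.max.browser] (4d5e6f):\n"
                        "    versionName=1.2.0\n"),
}

if __name__ == "__main__":
    for pkg, ver, verdict in triage(SAMPLE_PM, SAMPLE_DUMPSYS):
        print(f"{pkg} {ver}: {verdict}")
```

Run it against a live device by replacing the constructed samples with the tuple returned by `collect_from_device()`; the version comparison is numeric per component, so 6.3.10.x correctly sorts above 6.3.7.138.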
The precise method by which these applications were compromised remains unclear, although it is suspected that a rogue software development kit (SDK) designed for integrating advertising capabilities may be to blame. Necro, which should not be confused with a similarly named botnet, was first uncovered by Kaspersky in 2019, hidden within a widely used document scanning app called CamScanner. The developers of CamScanner attributed the issue to an advertisement SDK from a third-party provider, AdHub, which contained a malicious module capable of retrieving subsequent malware from a remote server, effectively acting as a loader.
The latest version of Necro continues this trend, employing advanced obfuscation techniques to evade detection, particularly through the use of steganography to conceal its payloads. According to Kaspersky researcher Dmitry Kalinin, “The downloaded payloads, among other things, could display ads in invisible windows and interact with them, download and execute arbitrary DEX files, install applications it downloaded.” Furthermore, it can “open arbitrary links in invisible WebView windows and execute any JavaScript code in those, run a tunnel through the victim’s device, and potentially subscribe to paid services.”
One of the primary distribution channels for Necro is modified versions of popular applications and games offered on unofficial websites and app stores. Once installed, such an app initializes a module known as Coral SDK, which sends an HTTP POST request to a remote server. The server responds with a link to a file purporting to be a PNG image, hosted on adoss.spinsok[.]com, from which the SDK extracts the main payload: a Base64-encoded Java archive (JAR) file.
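The delivery shape described above, an image that carries a Base64-encoded JAR, is something an analyst can hunt for in captured traffic or in a device's cache. The block below is an added example, not Necro's or Kaspersky's code. It assumes the simplest steganographic variant, where the payload is appended after the PNG's IEND chunk; the page does not say where in the image Necro stores its data, so treat the trailer check as one heuristic among several. The PNG carrier and the JAR are both constructed inside the block.

```python
"""Detect and extract a Base64-encoded JAR carried by a PNG file.
Added example, not Necro's or Kaspersky's code.  Assumes the payload is
appended after the IEND chunk; the sample PNG and JAR are constructed."""
import base64
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"          # local file header that opens a ZIP/JAR


def png_chunks(data):
    """Yield (type, payload, end_offset) per chunk; stop after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        pos += 12 + length          # length + type + data + CRC
        yield ctype, payload, pos
        if ctype == b"IEND":
            return


def trailing_bytes(data):
    """Everything after the IEND chunk (empty for a well-formed image)."""
    end = len(data)
    for ctype, _, pos in png_chunks(data):
        if ctype == b"IEND":
            end = pos
    return data[end:]


def extract_payload(png_bytes):
    """Return (jar_bytes, entry_names) if the trailer Base64-decodes to a
    ZIP/JAR, otherwise None."""
    tail = b"".join(trailing_bytes(png_bytes).split())   # drop any whitespace
    if not tail:
        return None
    try:
        decoded = base64.b64decode(tail, validate=True)
    except ValueError:              # binascii.Error is a ValueError subclass
        return None
    if not decoded.startswith(ZIP_MAGIC):
        return None
    with zipfile.ZipFile(io.BytesIO(decoded)) as zf:
        return decoded, zf.namelist()


def make_png(width=2, height=2):
    """Minimal valid RGB PNG built from scratch (constructed carrier)."""
    def chunk(ctype, payload):
        body = ctype + payload
        crc = zlib.crc32(body) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + body + struct.pack(">I", crc)
    # Each scanline: filter byte 0 followed by solid red pixels.
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def make_jar(entries):
    """Build an in-memory JAR (plain ZIP) from {name: bytes} (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for a downloaded "image": clean PNG + Base64 JAR trailer.
SAMPLE_JAR = make_jar({"classes.dex": b"dex\n035\x00" + b"\x00" * 16,
                       "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
SAMPLE_PNG = make_png() + base64.b64encode(SAMPLE_JAR)

if __name__ == "__main__":
    found = extract_payload(SAMPLE_PNG)
    print("clean image:", extract_payload(make_png()))
    print("carrier image:", found[1] if found else None)
```

Image viewers ignore anything after IEND, so the carrier still renders as a valid picture; that is exactly why the trailer is worth inspecting. A loader that instead spreads the payload through pixel bits would pass this check, so pair it with a size sanity check (decoded IDAT size versus file size) when triaging samples.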
The malicious capabilities of Necro are realized through a series of additional modules, or plugins, downloaded from a command-and-control (C2) server, enabling a wide array of actions on the compromised Android device:
- NProxy: Creates a tunnel through the victim’s device.
- island: Generates a pseudo-random number to determine the interval between intrusive ad displays.
- web: Periodically contacts a C2 server and executes arbitrary code with elevated permissions when loading specific links.
- Cube SDK: A helper module that loads other plugins to manage ads in the background.
- Tap: Downloads arbitrary JavaScript code and a WebView interface from the C2 server responsible for covertly loading and displaying ads.
- Happy SDK/Jar SDK: A module that combines NProxy and web modules with minor variations.
The case underscores that an official store listing is not proof of safety: both apps above were distributed through Google Play, and the suspected entry point was a third-party advertising SDK rather than the app developers themselves. Users should install applications only from official sources, avoid modified builds from unofficial sites and stores, and keep both apps and the operating system updated with the latest security patches.