In a concerning development for Android users, recent findings reveal the presence of a malware Trojan, known as the Necro Trojan, embedded within two applications on the Google Play Store. This malicious software has reportedly compromised over 11 million devices, and the actual number of affected users could be significantly higher due to its distribution through unofficial channels.
Modified Apps
Researchers at Kaspersky have traced the origins of the Necro Trojan to two primary sources. Firstly, it has infiltrated legitimate applications available on the Play Store. Secondly, it has been found in modified versions of popular apps, such as custom iterations of Spotify and Minecraft, which users often download from unofficial sources, a practice known as sideloading.
Kaspersky’s investigation began with a modified version of Spotify called Spotify Plus, which falsely advertised itself as providing Spotify Premium features at no cost. Despite its claims of being “Security Verified,” Kaspersky’s analysis debunked these assertions, revealing that the app serves as a conduit for the Trojan to infect devices. The researchers also identified the Trojan in altered versions of WhatsApp, specifically “GBWhatsApp” and “FMWhatsApp.”
Moreover, the Necro Trojan has been detected in various game modifications, including those for Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. Kaspersky emphasizes the challenge in estimating the total number of victims stemming from these unofficial sources, as the focus remains on the download counts from the affected apps on the Play Store.
Play Store Apps
Among the apps identified on the Play Store, the Wuta Camera app stands out, having been downloaded over 10 million times. Initially, this app was not malicious; however, the Trojan made its debut in version 6.3.2.148. Fortunately, this version has since been removed, rendering the app safe for download once again.
Additionally, the Max Browser app was found to contain the Trojan, with over one million downloads. The first version to harbor the malware was 1.2.0, and following Kaspersky’s report, Google has since removed Max Browser from its app store entirely.
What Necro Does
Once installed, the Necro malware can execute a range of harmful functions. According to BleepingComputer, its payloads can activate malicious plugins that run adware, open links in invisible windows, execute various scripts, initiate fraudulent subscriptions, and route malicious traffic through the infected device.
Essentially, whether through an unofficial app download or a compromised official app like Max Browser or Wuta Camera, users inadvertently contribute to the attackers’ profits by engaging with advertisements and running fraudulent subscriptions in the background.
How to Protect Your Device
To safeguard your Android device, it is crucial to conduct a thorough scan for any of the aforementioned Play Store apps. If you have the Wuta Camera app, ensure that you update it immediately or remove it from your device. For those with Max Browser, it is advisable to delete the app entirely, as there are no safe versions available.
Furthermore, if you possess any of the modified apps mentioned earlier, it is prudent to delete them from your smartphone. Moving forward, exercise caution with unofficial downloads. While sideloading can expand your app options, it also increases the risk of inadvertently downloading malicious software due to the lack of stringent checks and regulations.
