Five years ago, a troubling discovery shook the tech community when a legitimate Android application on the Google Play Store was found to have been compromised. This breach stemmed from a library utilized by developers for ad revenue generation, which inadvertently introduced malicious code. As a result, the app connected a staggering 100 million devices to servers controlled by hackers, allowing harmful payloads to be secretly downloaded.
In a disconcerting echo of that incident, researchers from a Moscow-based security firm, Kaspersky, recently unveiled that two new applications, collectively downloaded 11 million times from the Google Play Store, were similarly infected with malware. The team suspects that a rogue software development kit (SDK) used for ad integration is once again at the heart of the issue.
Advanced Malware Techniques
SDKs serve as invaluable tools for developers, providing ready-made frameworks that streamline the app development process by managing repetitive tasks. In the case of the infected applications, an unvalidated SDK module was purportedly employed to facilitate ad displays. However, this same module also enabled covert communication with malicious servers, which not only harvested user data but also dispatched harmful code that could be executed and updated remotely at will.
The malware, identified as Necro, exhibited advanced techniques in this latest iteration. Some variants utilized steganography—a method of concealing data that is rarely seen in mobile malware. Furthermore, certain versions introduced sophisticated mechanisms to deliver harmful code capable of executing with elevated system privileges. Once a device fell victim to this malware, it established a connection with a hacker-operated command-and-control server, transmitting encrypted JSON data about the device and the compromised app.
The server would respond with a JSON file containing a link to a PNG image alongside metadata that included the image’s hash. If the hash verification succeeded on the infected device, the image would be downloaded.
According to Kaspersky researchers in a separate report, “The SDK module employs a fairly basic steganographic method. If the MD5 verification passes, it decodes the contents of the PNG file—specifically the pixel values in the ARGB channels—using standard Android tools. The getPixel method then extracts a value, the least significant byte of which contains the blue channel, and code processing starts.”
Viewing the blue channel as a one-dimensional byte array, the first four bytes represent the size of the encoded payload in Little Endian order. Following this, the payload of the stated size is recorded; this is a JAR file encoded with Base64, which is executed after being decoded via DexClassLoader. The Coral SDK then loads the sdk.fkgh.mvp.SdkEntry class from the JAR file using the native libcoral.so library, which has been obscured using the OLLVM tool. The execution starts from the ‘run’ method in the loaded class.
Subsequent payloads install malicious plugins that vary per device, enabling a spectrum of harmful activities. One such plugin allows the execution of code with elevated system privileges. Typically, Android restricts privileged processes from utilizing WebView, a component designed to display web content within apps. To bypass this restriction, Necro employs a hacking technique known as a reflection attack to instantiate a separate WebView factory.
This plugin is also capable of downloading and executing additional executable files that manipulate URL displays in WebView. With elevated privileges, these files can alter URLs to append verification codes for paid subscriptions and initiate downloads and executions of code from attacker-controlled links. Kaspersky's analysis of Necro revealed five distinct payloads.
The modular architecture of Necro presents numerous challenges for cybersecurity experts. Each payload is designed to perform specific tasks, making it difficult to detect and neutralize all components simultaneously. This adaptability underscores the importance of rigorous security measures and continuous monitoring in app development and distribution.