Five years ago, a significant discovery by Kaspersky researchers unveiled a legitimate Android application lurking within the Google Play market, which had been compromised by a library intended for advertising revenue generation. This malicious entity, known as Necro, was responsible for infecting approximately 100 million devices, redirecting them to attacker-controlled servers to download covert payloads.
New Wave of Infections
In a recent turn of events, the same team at Kaspersky has identified two new applications that have collectively amassed 11 million downloads, both of which are tainted by the same malware family. The researchers suspect that a malicious software development kit (SDK) designed for integrating advertising functionalities is once again at the heart of this issue.
The first of the newly identified apps is Wuta Camera, which boasts an impressive 10 million downloads. Versions 6.3.2.148 through 6.3.6.148 of this app were found to harbor the malicious SDK responsible for the infections. Fortunately, the app has since undergone updates to eliminate the harmful component.
In addition to Wuta Camera, another app named Max Browser, which had around 1 million downloads, was also discovered to be infected. However, this particular app has been removed from the Google Play store.
Beyond Google Play
Moreover, Kaspersky’s investigation revealed that Necro has infiltrated a range of Android applications available in alternative marketplaces. These apps often masquerade as modified versions of well-known legitimate applications, including:
- Spotify
- Minecraft
- Stumble Guys
- Car Parking Multiplayer
- Melon Sandbox
The resurgence of Necro underscores the ongoing challenges in maintaining app security and the importance of vigilance among users when downloading applications from any marketplace.
