
These Popular Android Apps May Be Infected with the Necro Trojan

According to security researchers, some Google Play apps and unofficial mods of popular apps are being targeted by attackers to spread dangerous malware. The malware, identified as the Necro trojan, can log keystrokes, steal sensitive information, install additional malware, and execute commands remotely. Two apps on the Google Play app store have been spotted carrying this malware. Furthermore, modded Android application packages (APKs) of apps such as Spotify and WhatsApp, and of games such as Minecraft, have also been detected spreading the trojan.

Google Play apps and modified APKs are used to distribute Necro Trojan

A trojan from the Necro family was first spotted in 2019, when the malware infected the popular PDF creator app CamScanner. The official version of the app on Google Play, with over 100 million downloads, posed a risk to users, but a security patch fixed the issue at the time.

A new version of the Necro trojan has now been spotted by Kaspersky researchers in two Google Play apps. The first is the Wuta Camera app, which has been downloaded more than 10 million times, and the second is Max Browser, with more than a million downloads. The researchers confirmed that Google removed the infected apps after Kaspersky contacted the company.

The biggest problem is the large number of unofficial “modded” versions of popular apps, hosted on a variety of third-party websites. Users can accidentally download and install them on their Android devices, thereby infecting them. Some of the APKs containing the malware discovered by researchers include modified versions of Spotify, WhatsApp, Minecraft, Stumble Guys, Car Parking Multiplayer, and Melon Sandbox. These modified versions promise users access to features that would normally require a paid subscription.

Interestingly, it appears that the attackers used a variety of methods to target users. For example, the Spotify mod contained an SDK that displayed multiple ad modules, the researchers said. A command-and-control (C&C) server was used to deploy the trojan payload if the user accidentally touched the image-based module.

Similarly, in the WhatsApp mod, it was discovered that the attackers had overwritten Google’s Firebase Remote Config cloud service to use it as a C&C server. Ultimately, interacting with the module would deploy and execute the same payload.

Once deployed, the malware could “download executable files, install third-party applications, and open arbitrary links in invisible WebView windows to execute JavaScript code,” the Kaspersky post stressed. It could also subscribe to expensive paid services without the user’s knowledge.

Although the apps have already been removed from Google Play, users are urged to be careful when downloading third-party Android apps. If they do not trust the marketplace, they should not download or install any apps or files.
