These popular Android apps may be infected with Necro Trojan

2024-09-24 20:02:33: Attackers are using some Google Play apps and unofficial mods of popular apps to spread dangerous malware, according to security researchers. The Necro Trojan is said to be able to log keystrokes, steal sensitive information, install additional malware, and execute commands remotely. Two apps in the Google Play app store were found to contain this malware. Additionally, modified Android application packages (APKs) of apps such as Spotify and WhatsApp, and of games such as Minecraft, were also detected spreading the Trojan.

Google Play applications and modified APKs used to spread Necro Trojan

The Necro family of Trojans was first discovered in 2019, when the malware infected the popular PDF creation application CamScanner. The official version of the app on Google Play has been downloaded more than 100 million times, posing risks to users, but security patches at the time fixed the issue.

According to a post by Kaspersky researchers, a new version of the Necro Trojan has been discovered in two Google Play applications. The first is the Wuta Camera app, which has been downloaded over 10 million times, and the second is the Max browser, which has been downloaded over a million times. Researchers confirmed that after Kaspersky contacted Google, Google removed the infected apps.

The main problem stems from the large number of unofficial “modded” versions of popular applications, which are hosted on a large number of third-party websites. Users may mistakenly download and install them onto Android devices, infecting them in the process. Some of the malware-laden APKs discovered by researchers include modified versions of Spotify, WhatsApp, Minecraft, Stumble Guys, Car Parking Multiplayer and Melon Sandbox – modified versions that allow users to access features that would normally require a paid subscription.

Interestingly, attackers appear to be using a range of methods to target users. For example, according to researchers, the Spotify mod contains an SDK that displays multiple ad modules. If a user accidentally interacts with the image-based module, a command and control (C&C) server is used to deploy the Trojan payload.

Likewise, in the WhatsApp mod, attackers were found to have overridden Google’s Firebase Remote Config cloud service to use it as a C&C server. Ultimately, interacting with the module deploys and executes the same payload.

Kaspersky’s post highlights that once deployed, the malware can “download executable files, install third-party applications, and open arbitrary links in invisible WebView windows to execute JavaScript code.” Additionally, it can subscribe to expensive premium services without the user’s knowledge.

Although the apps have been removed from Google Play, we urge users to be careful when downloading Android apps from third-party sources. If they do not trust the marketplace, they should avoid downloading or installing any apps or files from it.
