Highlights:

  • One of the infected apps, Wuta Camera, has been downloaded over 10 million times from Google Play.
  • Discovered by researchers at Kaspersky Lab Inc., the malware was installed on Android devices via malicious advertising software development kits utilized by apps on Google Play.

A new variant of Necro malware has infected over 11 million devices. This malware first appeared in 2019. The new malware variant was installed via apps distributed through the Google Play Store.

Researchers at Kaspersky Lab Inc. found that the malware was installed on Android devices via malicious advertising software development kits utilized by apps on Google Play, as well as through game modifications and altered versions of popular applications and games from unofficial app stores.

One of the infected apps, Wuta Camera, was downloaded over 10 million times from Google Play, while another app, Max Browser, received more than 1 million downloads from Google’s official store. Google has since removed both infected versions of these apps.

Kaspersky researchers report that both apps were compromised by an advertising SDK called ‘Coral SDK,’ which used obfuscation techniques to hide its malicious activities. For its second-stage payload, the malware utilizes image steganography through a component called “shellPlugin,” which is disguised as an innocuous image.

After an Android device is infected, the malware displays ads in invisible windows, clicks on them, downloads executable files, installs third-party applications, and opens arbitrary links in hidden windows to execute JavaScript. Additionally, the malware can subscribe users to paid services without their consent and redirect internet traffic through infected devices, effectively using them as proxies.

In an interview with a media outlet, Katie Teitler-Santullo, a cybersecurity strategist at OX Appsec Security Ltd., a company specializing in application security posture management, stated that “while users have no control over what SDKs are used in apps, developers of the apps can, indeed, check to make sure the SDK hasn’t been tampered with.”

“For instance, developers should check to see if the SDK has been signed with a valid certificate and comes from a trusted source. Scanning source code for malicious content and unauthorized access helps developers identify whether the code has been altered or is vulnerable to exploit,” Teitler-Santullo said.

She also added that “it’s always best practice for AppSec teams to conduct various other types of scanning including SAST, DAST, dependency and vulnerability, both to find issues before apps are deployed and during runtime.”
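The checks Teitler-Santullo describes (confirming that an SDK artifact comes from a trusted source and has not been altered) can be automated in a build pipeline by pinning the expected hash of every third-party artifact and failing the build on any drift. The script below is an added example, not code from the article, from Kaspersky, or from OX Appsec; the SDK directory, artifact names, and hash values in it are all constructed for the demonstration, and the manifest format is a hypothetical one chosen for illustration (Android projects would more typically use Gradle's dependency verification metadata for the same purpose).

```python
"""Verify vendored SDK artifacts against a pinned SHA-256 manifest.

Added example: detects three supply-chain failure modes that a tampered
advertising SDK would produce in a project's dependency directory:
  * mismatch   - an artifact whose bytes no longer match the pinned hash
  * missing    - a pinned artifact that is absent from the directory
  * unexpected - a file nobody pinned (e.g. a dropped second-stage blob)
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifacts(sdk_dir: str, pinned: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file in sdk_dir with the pinned manifest.

    pinned maps artifact filename -> expected lowercase hex SHA-256.
    Returns sorted lists under the keys ok / mismatch / missing / unexpected.
    """
    directory = Path(sdk_dir)
    present = {p.name: p for p in directory.iterdir() if p.is_file()}
    result: dict[str, list[str]] = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}

    for name, expected in pinned.items():
        path = present.get(name)
        if path is None:
            result["missing"].append(name)
        # constant-time comparison avoids leaking how many hex chars matched
        elif hmac.compare_digest(sha256_of(path), expected.lower()):
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)

    # anything on disk that was never pinned is a red flag in a vendored SDK dir
    result["unexpected"] = [n for n in present if n not in pinned]

    return {k: sorted(v) for k, v in result.items()}


def demo() -> dict[str, list[str]]:
    """Build a constructed SDK directory, tamper with it, and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        sdk = Path(tmp)

        # Constructed "clean" artifact; its hash is pinned at vendoring time.
        aar = sdk / "ads-sdk-1.0.aar"
        aar.write_bytes(b"constructed clean SDK bytes")
        pinned = {
            "ads-sdk-1.0.aar": sha256_of(aar),
            # Pinned but never delivered: hash is a placeholder, not a real value.
            "ads-sdk-core-1.0.jar": "0" * 64,
        }

        # Simulated tampering: the artifact is replaced after the hash was pinned.
        aar.write_bytes(b"constructed clean SDK bytes + injected loader stub")
        # Simulated dropped payload carrier that nobody pinned (constructed bytes).
        (sdk / "plugin.png").write_bytes(b"\x89PNG constructed placeholder")

        return verify_artifacts(tmp, pinned)


if __name__ == "__main__":
    outcome = demo()
    for category, names in outcome.items():
        print(f"{category:<10} {names}")
    if outcome["mismatch"] or outcome["missing"] or outcome["unexpected"]:
        raise SystemExit("dependency verification failed")
```

Run the script as-is to see the three failure classes reported; in a real pipeline the manifest would be committed alongside the lock file and refreshed only when an SDK upgrade is deliberately reviewed, so that a silently swapped artifact cannot pass the build.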