Necro Trojan malware infects millions of Android devices through two Google Play apps

The Trojan primarily affects a device by installing adware, raking in revenue for the attackers

​The Trojan primarily affects a device by installing adware, raking in revenue for the attackers  Read More Technology

Key Takeaways

A new malware has been found to be infiltrating Android devices through compromised advertising SDKs.
Necro Trojan has been found in two Play Store apps, namely Wuta Camera and Max Browser. It has also been found in modified versions of popular apps like WhatsApp, Minecraft, and Spotify.
The two Play Store apps alone have over 11 million downloads. Users of the infected apps are advised to uninstall and run a safety check.

It feels like recurring practice now — writing about Android malware. “Trojans disguised as Google Play updates are the next big threats to your data,” “A new Android malware is emptying bank accounts and wiping devices,” and “Dangerous new malware uses cookies to break into Google accounts” are just some of the malicious malware stories we’ve reported on this year, and a new wave of infections is now coming to light.

Related
A new Android malware is emptying bank accounts and wiping devices

Propagating through ordinary text messages

In a report by SecureList by Kaspersky, via BleepingComputer, the antivirus provider highlighted a new Necro Trojan that has been stealthily infiltrating millions of Android devices through malicious SDK supply chain attacks using compromised advertising SDKs.

Presence of the malware was found on two Play Store apps, namely Benqu’s Wuta Camera and the now-removed Max Browser. The former boasts over 10 million downloads, and contained the Necro Trojan from version 6.3.2.148 (July 18) through version 6.3.6.148 (August 20).

The latter, Max Browser, was downloaded over 1 million times before being removed from the Play Store, as indicated by BleepingComputer, and its latest version 1.2.0 still houses the malware.

Elsewhere, Necro’s reach has also been found to extend to modified versions of popular apps like WhatsApp, Spotify, and Minecraft, which are normally distributed through unofficial websites and app stores — hence, their reach can not be quantified.

Related
What to do if you accidentally click on a phishing link

Don’t panic, you can still keep your data secure

The way the Trojan primarily affects a device is by installing adware on it that loads websites through invisible WebView windows, essentially raking in ad revenue for the attacker at your expense.

The Trojan can also download and execute arbitrary code on the infected device, facilitate subscription fraud, and route malicious traffic that can make it harder to trace its source.

BleepingComputer suggests that Google is aware of the Trojan and the apps housing it, and it is currently investigating the issue. For users, this means being even more aware of the apps that they download. If you’ve downloaded one of the infected apps, it would be prudent to quickly uninstall the app and scan your device with a reputable antivirus. It would also be wise to change important passwords, even though it doesn’t look like the Trojan was compromising user accounts.

The Play Store’s Play protect feature, which essentially runs a safety check on apps on the Play Store before you install them, is a lifesaver in such situations, and should remain enabled. The tool can also scan your device for harmful apps after they’ve been downloaded and installed, alongside sending you alerts about apps that might be able to access your personal information.

Play Protect is on by default, but if you’ve previously disabled it for any reason, here’s how you can turn it back on:

Open Google Play Store. Tap on your profile icon on the top right. Tap Play ProtectSettings. Enable Scan apps with Play Protect.

To scan your device via Play Protect, simply navigate to the Play Storeprofile iconPlay ProtectScan.