Necro malware, has reportedly infiltrated 11 million devices via apps distributed on Google Play

Continue reading
The Android ecosystem has once again fallen victim to a sophisticated and widespread malware infection. The latest threat, a variant of the Necro malware, has reportedly infiltrated 11 million devices via apps distributed on Google Play. Disguised through malicious advertising Software Development Kits (SDKs), Necro has made its way into legitimate apps, modded versions of popular software, and game mods. This technical breakdown delves into the infection's mechanism, impact, and remediation.
The Necro Trojan represents a multi-faceted and continuously evolving malware. Leveraging compromised SDKs in legitimate apps, the malware has extended its reach far beyond traditional distribution methods. The malicious SDK supply chain attacks employed by Necro highlight the growing sophistication of adversaries targeting mobile ecosystems.
Display adware through invisible WebView windows.
Download and execute arbitrary JavaScript and DEX files.
Enable subscription fraud via specialized plugins.
Utilize infected devices as proxies to route malicious traffic.
2 Targeted Apps: Two legitimate apps on Google Play were infected:
Wuta Camera (by ‘Benqu’) with over 10 million downloads.
Max Browser (by 'WA message recover-wamr') with 1 million downloads.
Necro's infection vector operates in multiple stages, with malicious SDKs serving as the initial point of compromise. Legitimate apps incorporate SDKs for monetization through ads, but in this case, the SDKs had been weaponized.
Stage 1: Coral SDK, the malicious SDK responsible for delivering the first payload, employs obfuscation techniques to evade detection and uses image steganography to download the second-stage payload disguised as a PNG image.
Stage 2: The second payload, called shellPlugin, facilitates deeper system penetration, allowing for additional malicious operations, including:
Ad injection using hidden WebViews.
Silent installation of apps and APKs.
Interaction with paid services for fraudulent revenue generation.
The malicious actions performed by the Necro Trojan not only invade user privacy but also burden the infected device with unwanted processes. Some of the direct impacts include:
Unwanted Advertisements: Necro uses invisible WebView windows to interact with ad services in the background, generating fraudulent ad revenue.
Silent App Installations: Users unknowingly have apps or APKs installed on their devices, potentially leading to further malware infections or unwanted apps that consume device resources.
Subscription Fraud: Through hidden WebViews, Necro interacts with premium services, charging users without their knowledge.
Proxy Exploitation: Infected devices act as proxies to route malicious traffic, which could be leveraged for DDoS attacks, data exfiltration, or other nefarious purposes.
Affected Apps and Platforms
The two major legitimate apps identified with the Necro infection were:
Downloads: Over 10 million downloads on Google Play.
Infected Versions: Version 6.3.2.148 was compromised, and the infection remained until version 6.3.6.148. Kaspersky notified Google, and the malware was removed in version 6.3.7.138. However, previously installed payloads remain active on devices with older app versions.
Downloads: 1 million downloads on Google Play.
Current Status: Kaspersky reported that version 1.2.0 of Max Browser remains infected, and users are advised to uninstall the app as there is no clean version available.
Beyond Google Play, unofficial app repositories and modded apps have become a significant distribution vector for Necro. Popular mods for apps such as WhatsApp (GBWhatsApp, FMWhatsApp), Spotify Plus, and various game mods (e.g., Minecraft, Stumble Guys, Car Parking Multiplayer) were found to carry the Necro loader.
Necro's Global Reach
The spread of Necro has been massive, with 11 million devices infected through Google Play alone. However, the true extent of the malware’s distribution, particularly through modded apps on unofficial websites, remains unknown due to unreliable download data from those sources. Given the scale of these infections, the actual number could be far greater.
Mitigation and Recommendations
Users who have downloaded any of the affected apps, especially older versions, are urged to:
For developers and companies, the malicious SDK supply chain attack serves as a stark reminder of the importance of SDK vetting and security audits. Ensuring that advertising and other third-party SDKs are secure and regularly updated can significantly reduce the risk of such infections.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.